T1036.005 - Match Legitimate Resource Name or Location - MITRE ATT&CK

T1036.005 - Match Legitimate Resource Name or Location

Sub-technique

Tactics:
Defense Evasion

Platforms:
Containers ESXi Linux macOS +1

Detection:
Not specified

Description:

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Used by Actors (20)

APT1
Nation-state

DarkHotel
Nation-state

Naikon
Nation-state

APT28
Nation-state

APT29
Nation-state

Turla
Nation-state

FIN7
Criminal

Lazarus Group
Nation-state

Poseidon Group
Unknown

OilRig
Nation-state

PROMETHIUM
Unknown

Gamaredon Group
Unknown

APT32
Nation-state

APT5
Unknown

Kimsuky
Nation-state

Sowbug
Nation-state

MuddyWater
Nation-state

MUSTANG PANDA
Nation-state

INDRIK SPIDER
Unknown

APT39
Unknown

Malware (20)

EKANS other BLINDINGCAN other Ninja other Bumblebee other NOKKI other RotaJakiro other Chinoxy other Misdat other Ursnif other ThreatNeedle other ZLib other Felismus other StrongPity other Nebulae other TONESHELL other RainyDay other AppleSeed other NETWIRE other TinyTurla other PyDCrypt other

Metadata

MITRE ID:	T1036.005
STIX ID:	attack-pattern--1c4e5d32-1fe9-...
Platforms:	Containers, ESXi, Linux, macOS, Windows
Created:	13/01/2026 17:48
Updated:	06/03/2026 16:00