T1036 - Masquerading

Tactics:
Defense Evasion
Platforms:
Containers, ESXi, Linux, macOS, +1
Detection:
Not specified
Description:
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036). (Citation: LOLBAS Main Site)

Sub-techniques (12)
ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename Legitimate Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Resource Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension
T1036.008 Masquerade File Type
T1036.009 Break Process Trees
T1036.010 Masquerade Account Name
T1036.011 Overwrite Process Arguments
T1036.012 Browser Fingerprint