Common Information
Value: Masquerading - T1036
Category: Attack-Pattern
Type: Mitre-Enterprise-Attack-Attack-Pattern
MISP Type: Cluster

Description:
Masquerading occurs when the name or location of an executable, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. Several different variations of this technique have been observed. One variant is for an executable to be placed in a commonly trusted directory or given the name of a legitimate, trusted program. Alternatively, the filename given may be a close approximation of a legitimate program's name. This is done to bypass tools that trust executables based on file name or path, and to deceive defenders and system administrators into thinking a file is benign by associating its name with something that is thought to be legitimate.

===Windows===
In another variation of this technique, an adversary may use a renamed copy of a legitimate utility, such as rundll32.exe. (Citation: Endgame Masquerade Ball) An alternative case occurs when a legitimate utility is moved to a different directory and also renamed, to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke) An example of abuse of trusted locations in Windows would be the <code>C:\Windows\System32</code> directory. Examples of trusted binary names that can be given to malicious binaries include "explorer.exe" and "svchost.exe".

===Linux===
Another variation of this technique involves malicious binaries changing the name of their running process to that of a trusted or benign process after they have been launched, as opposed to before. (Citation: Remaiten) An example of abuse of trusted locations in Linux would be the <code>/bin</code> directory. Examples of trusted binary names that can be given to malicious binaries include "rsyncd" and "dbus-inotifier". (Citation: Fysbis Palo Alto Analysis) (Citation: Fysbis Dr Web Analysis)

Detection:
Collect file hashes; file names that do not match their expected hash are suspect.
Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect. If file names are mismatched between the binary name on disk and the binary's resource section, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries could provide useful leads, but may not always be indicative of malicious activity. (Citation: Endgame Masquerade Ball)

Platforms: Linux, macOS, Windows
Data Sources: File monitoring, Process monitoring, Binary file metadata
Defense Bypassed: Whitelisting by file name or path
Contributors: ENDGAME, Bartosz Jerzman
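The checks in the Detection section (known name in an unusual path, on-disk name versus resource OriginalFilename, hash versus expected hash) and the Linux post-launch rename variant from the description can all be expressed as comparisons of an observed name against an independent source of truth. The following is an added example, not code from MITRE or from the MISP galaxy: it runs those comparisons over constructed file and process records. The baseline directories, the placeholder digests in KNOWN_HASHES, the FileEvent/ProcEvent record shapes and the sample events are all assumptions for the example, not output of any real EDR product.

```python
"""Masquerading (T1036) checks over constructed file and process telemetry."""
import ntpath
import posixpath
from dataclasses import dataclass
from typing import Optional

# Assumed baseline: where well-known Windows binaries legitimately live.
KNOWN_WINDOWS_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Assumed baseline of expected SHA-256 per file name. These are placeholder
# digests, not real hashes; a real baseline comes from a golden image.
KNOWN_HASHES = {
    "rundll32.exe": "11" * 32,
    "svchost.exe": "22" * 32,
}
HASH_TO_NAME = {digest: name for name, digest in KNOWN_HASHES.items()}

COMM_LEN = 15  # Linux truncates /proc/<pid>/comm to TASK_COMM_LEN-1 chars


@dataclass
class FileEvent:
    path: str                                 # full on-disk path (Windows)
    sha256: str
    original_filename: Optional[str] = None   # PE VERSIONINFO OriginalFilename


@dataclass
class ProcEvent:
    pid: int
    comm: str    # /proc/<pid>/comm, the name tools like ps display
    exe: str     # readlink(/proc/<pid>/exe): the binary actually mapped
    argv0: str   # first element of /proc/<pid>/cmdline


def check_file(ev: FileEvent) -> list[str]:
    """Return masquerading indicators for one Windows file record."""
    findings = []
    name = ntpath.basename(ev.path).lower()
    directory = ntpath.dirname(ev.path).lower()
    expected_dirs = KNOWN_WINDOWS_LOCATIONS.get(name)
    if expected_dirs and directory not in expected_dirs:
        findings.append(f"known name in unusual location: {ev.path}")
    # Renamed-after-compile: the resource section still carries the old name.
    if ev.original_filename and ev.original_filename.lower() != name:
        findings.append(f"on-disk name {name!r} != resource OriginalFilename "
                        f"{ev.original_filename!r}: {ev.path}")
    expected_hash = KNOWN_HASHES.get(name)
    if expected_hash and ev.sha256.lower() != expected_hash:
        findings.append(f"hash does not match baseline for {name}: {ev.path}")
    # Reverse lookup: contents are a known binary but the name was changed
    # (catches a renamed rundll32.exe even without resource metadata).
    real_name = HASH_TO_NAME.get(ev.sha256.lower())
    if real_name and real_name != name:
        findings.append(f"contents are {real_name} but file is named {name}: {ev.path}")
    return findings


def check_process(ev: ProcEvent) -> list[str]:
    """Return indicators for a Linux process that renamed itself after launch."""
    findings = []
    exe_name = posixpath.basename(ev.exe)
    # comm is taken from the executed file name at exec time; a later
    # prctl(PR_SET_NAME) or argv[0] overwrite changes comm/cmdline but not exe.
    if ev.comm != exe_name[:COMM_LEN]:
        findings.append(f"pid {ev.pid}: comm {ev.comm!r} != exe {ev.exe!r}")
    if posixpath.basename(ev.argv0) != exe_name:
        findings.append(f"pid {ev.pid}: argv[0] {ev.argv0!r} != exe {ev.exe!r}")
    return findings


def scan(files: list[FileEvent], procs: list[ProcEvent]) -> dict[str, list[str]]:
    """Run both check sets and group the findings by telemetry source."""
    return {
        "files": [f for ev in files for f in check_file(ev)],
        "procs": [f for ev in procs for f in check_process(ev)],
    }


# Constructed sample telemetry (not real captures).
SAMPLE_FILES = [
    FileEvent(r"C:\Windows\System32\svchost.exe", "22" * 32),                   # clean
    FileEvent(r"C:\Users\Public\svchost.exe", "ab" * 32),                       # wrong dir, wrong hash
    FileEvent(r"C:\ProgramData\update.exe", "11" * 32, original_filename="RUNDLL32.EXE"),  # renamed rundll32
]
SAMPLE_PROCS = [
    ProcEvent(1001, "sshd", "/usr/sbin/sshd", "/usr/sbin/sshd"),   # clean
    ProcEvent(2002, "rsyncd", "/tmp/.x/zz", "rsyncd"),             # comm and argv[0] rewritten
    ProcEvent(3003, "dbus-inotifier", "/tmp/.x/zz", "/tmp/.x/zz"), # only comm rewritten
]

if __name__ == "__main__":
    for source, findings in scan(SAMPLE_FILES, SAMPLE_PROCS).items():
        for finding in findings:
            print(source, finding)
```

As the Detection text warns, a mismatch is a lead rather than a verdict: on Linux, a binary started through a symlink (for example /usr/bin/python3 pointing at python3.12) legitimately has a comm that differs from the exe basename, and interpreters and service managers rewrite argv[0] for benign reasons, so these checks belong in a triage pipeline with an allowlist rather than in a blocking rule.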
Type | Published | Attributes | CTI Title
Website | 2030-03-02 | 20 | APT QUARTERLY HIGHLIGHTS - Q3 : 2023 - CYFIRMA
Website | 2025-05-23 | 71 | Weekly Intelligence Report - 23 May 2025 | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware - National Cyber Security Consulting
Website | 2025-05-22 | 16 | Disrupting Lumma Stealer Malware – Microsoft Leads Global Action
Website | 2025-05-22 | 0 | Legitimate tools spoofed by infostealing Chrome extensions
Website | 2025-05-22 | 101 | NSIS Abuse and sRDI Shellcode: Anatomy of the Winos 4.0 Campaign | Rapid7 Blog
Website | 2025-05-22 | 1 | Ransomware gang dumps 3.3 million files on dark web following West Lothian schools hack | #ransomware | #cybercrime - National Cyber Security Consulting
Website | 2025-05-22 | 0 | Why Healthcare Has Become the Top Target for Cyberattacks in India – and What we Can Do about it
Website | 2025-05-22 | 0 | India Cyber Threat Report Insights for Healthcare Industry
Website | 2025-05-21 | 0 | Kettering Health faces a ransomware attack and confirms a scam targeting its patients | #ransomware | #cybercrime - National Cyber Security Consulting
Website | 2025-05-21 | 31 | Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer
Website | 2025-05-21 | 6 | Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication
Website | 2025-05-21 | 37 | Cato CTRL™ Threat Research: Suspected Russian Threat Actors Leverage Tigris, Oracle Cloud Infrastructure, and Scaleway to Target Privileged Users with Lumma Stealer
Website | 2025-05-21 | 6 | Dero miner zombies biting through Docker APIs to build a cryptojacking horde
Website | 2025-05-21 | 0 | Over 100 Malicious Chrome Extensions Exploiting Users to Steal Login Credentials and Execute Remote Code
Website | 2025-05-21 | 33 | Lumma Stealer: Breaking down the delivery techniques and capabilities of a prolific infostealer | Microsoft Security Blog
Website | 2025-05-20 | 8 | MaksStealer Malware: Minecraft Trojan – Gridinsoft Blogs
Website | 2025-05-20 | 9 | More_Eggs Malware Uses Job Application Emails to Distribute Malicious Payloads
Website | 2025-05-20 | 41 | Dark Web Profile: Aquatic Panda
Website | 2025-05-20 | 40 | PupkinStealer .NET Infostealer Using Telegram for Data Theft
Website | 2025-05-20 | 11 | Hackers Use Weaponized RAR Archives to Deliver Pure Malware in Targeted Attacks
Website | 2025-05-20 | 61 | The Sting of Fake Kling: Facebook Malvertising Lures Victims to Fake AI Generation Website
Website | 2025-05-20 | 61 | Impersonated GenAI Site Lures Victims to Infostealer Download - Check Point Research
Website | 2025-05-20 | 2 | Malicious npm Package in Koishi Chatbots Steals Sensitive Data in Real Time
Website | 2025-05-20 | 4 | Malicious npm Package in Koishi Chatbots Steals Sensitive Data in Real Time
Website | 2025-05-20 | 13 | Microsoft 365 Users Targeted by Tycoon2FA Linked Phishing Attack to Steal Credentials