T1036.003 · threatengine.sh

Home/ATT&CK Technique/Rename Legitimate Utilities

ATT&CK Technique

Rename Legitimate Utilities

T1036.003 · stealth

Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).

An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.

LinuxmacOSWindows

◆

Actors Using This

north_koreaLazarus Group

▸

Atomic Tests

Executable Atomic Red Team test cases for exercising this technique in a lab. Copy a command, run it on the listed platform, confirm your detections fire.

command_promptwindowsMasquerading as Windows LSASS process

Copies cmd.exe, renames it, and launches it to masquerade as an instance of lsass.exe. Upon execution, cmd will be launched by powershell. If using Invoke-AtomicTest, The test will hang until the 120 second timeout cancels the session

copy %SystemRoot%\System32\cmd.exe %SystemRoot%\Temp\lsass.exe
%SystemRoot%\Temp\lsass.exe /B

shlinuxMasquerading as FreeBSD or Linux crond process.

Copies sh process, renames it as crond, and executes it to masquerade as the cron daemon. Upon successful execution, sh is renamed to `crond` and executed.

cp /bin/sh /tmp/crond;
echo 'sleep 5' | /tmp/crond

command_promptwindowsMasquerading - cscript.exe running as notepad.exe

Copies cscript.exe, renames it, and launches it to masquerade as an instance of notepad.exe. Upon successful execution, cscript.exe is renamed as notepad.exe and executed from non-standard path.

copy %SystemRoot%\System32\cscript.exe %APPDATA%\notepad.exe /Y
cmd.exe /c %APPDATA%\notepad.exe /B

command_promptwindowsMasquerading - wscript.exe running as svchost.exe

Copies wscript.exe, renames it, and launches it to masquerade as an instance of svchost.exe. Upon execution, no windows will remain open but wscript will have been renamed to svchost and ran out of the temp folder

copy %SystemRoot%\System32\wscript.exe %APPDATA%\svchost.exe /Y
cmd.exe /c %APPDATA%\svchost.exe "PathToAtomicsFolder\..\ExternalPayloads\T1036.003\src\T1036.003_masquerading.vbs"

command_promptwindowsMasquerading - powershell.exe running as taskhostw.exe

Copies powershell.exe, renames it, and launches it to masquerade as an instance of taskhostw.exe. Upon successful execution, powershell.exe is renamed as taskhostw.exe and executed from non-standard path.

copy %windir%\System32\windowspowershell\v1.0\powershell.exe %APPDATA%\taskhostw.exe /Y
cmd.exe /K %APPDATA%\taskhostw.exe

powershellwindowsMasquerading - non-windows exe running as windows exe

Copies an exe, renames it as a windows exe, and launches it to masquerade as a real windows exe Upon successful execution, powershell will execute T1036.003.exe as svchost.exe from on a non-standard path.

copy "#{inputfile}" #{outputfile}
try { $myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id }
catch { $_; exit $_.Exception.HResult}
Stop-Process -ID $myT1036_003

powershellwindowsMasquerading - windows exe running as different windows exe

Copies a windows exe, renames it as another windows exe, and launches it to masquerade as second windows exe

copy "#{inputfile}" #{outputfile}
$myT1036_003 = (Start-Process -PassThru -FilePath #{outputfile}).Id
Stop-Process -ID $myT1036_003

command_promptelevatedwindowsMalicious process Masquerading as LSM.exe

Detect LSM running from an incorrect directory and an incorrect service account This works by copying cmd.exe to a file, naming it lsm.exe, then copying a file to the C:\ folder. Upon successful execution, cmd.exe will be renamed as lsm.exe and executed from non-standard path.

copy C:\Windows\System32\cmd.exe C:\lsm.exe
C:\lsm.exe /c echo T1036.003 > C:\T1036.003.txt

▣

Mitigations

MITRE ATT&CK mitigations - vendor-agnostic guidance for reducing exposure to this technique.

M1022Restrict File and Directory Permissions

Restricting file and directory permissions involves setting access controls at the file system level to limit which users, groups, or processes can read, write, or execute files. By configuring permissions appropriately, organizations can reduce the attack surface for adversaries seeking to access sensitive data, plant malicious code, or tamper with system files.

Enforce Least Privilege Permissions

Remove unnecessary write permissions on sensitive files and directories.
Use file ownership and groups to control access for specific roles. Example (Windows): Right-click the shared folder.
Properties.
Security tab.
Adjust permissions for NTFS ACLs.

Harden File Shares

Disable anonymous access to shared folders.
Enforce NTFS permissions for shared folders on Windows. Example: Set permissions to restrict write access to critical files, such as system executables (e.g., /bin or /sbin on Linux). Use tools like chown and chmod to assign file ownership and limit access. On Linux, apply: chmod 750 /etc/sensitive.conf `chown root:admin /etc/sensitive.

conf` File Integrity Monitoring (FIM)

Use tools like Tripwire, Wazuh, or OSSEC to monitor changes to critical file permissions.

Audit File System Access

Enable auditing to track permission changes or unauthorized access attempts.
Use auditd (Linux) or Event Viewer (Windows) to log activities.

Restrict Startup Directories

Configure permissions to prevent unauthorized writes to directories like C:\ProgramData\Microsoft\Windows\Start Menu. Example: Restrict write access to critical directories like /etc/, /usr/local/, and Windows directories such as C:\Windows\System32.
On Windows, use icacls to modify permissions: icacls "C:\Windows\System32" /inheritance:r /grant:r SYSTEM:(OI)(CI)F.
On Linux, monitor permissions using tools like lsattr or auditd.

◈

Detection Coverage

2/6 layers

Coverage across standard detection surfaces. Rows marked none have no rule of that type mapped. Some are real blind spots worth closing; others are simply not applicable to this technique (e.g. YARA matches malware files, not network behaviour).

Behavioral / log (Sigma) 26

Analytics (MITRE CAR) 1

Runtime / container (Falco) none

File / malware (YARA) none

Network (Suricata/Snort) none

Vuln scan (Nuclei) none

◈

CAR Analytics

MITRE Cyber Analytics Repository - field-tested detection logic for this technique, written as pseudocode/queries you adapt to your own SIEM (Splunk, Sentinel, EQL). Each is a ready starting point for a detection rule, not just a description.

CAR-2013-05-009Moderate coverageRunning executables with same hash and different names

Executables are generally not renamed, thus a given hash of an executable should only have ever one name. Identifying instances where multiple process names share the same hash may find cases where tools are copied by attackers to different folders or hosts to avoid detection. Although this analytic was initially based on MD5 hashes, it is equally applicable to any hashing convention. ### Output Description A list of hashes and the different executables associated with each one.

splunk - Basic Query

index=__your_sysmon_index__ EventCode=1|stats dc(Hashes) as Num_Hashes values(Hashes) as "Hashes" by Image|where Num_Hashes > 1

DNIF

_fetch * from event where $LogName=WINDOWS-SYSMON AND $EventID=1 group count_unique $App, $HashMD5 limit 100
>>_agg count_unique $HashMD5
>>_checkif int_compare count_unique > 1 include

LogPoint

norm_id=WindowsSysmon event_id=1
| chart distinct_count(hash) as cnt by image
| search cnt > 1

▣

Comply & Defend

NIST 800-53AC-02, AC-03, AC-06, CA-07, CM-02, CM-06, SI-03, SI-04

D3FEND12 defensive techniques

Intelligence Graph · click any node to traverse

CVETechnique ActorTool Family

drag to reposition · click any node to traverse · button top-right enlarges

External lookups - second-class, for what we don’t hold ourselves

MITRE ATT&CK Atomic Red Team car (MITRE)

Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities

Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs

Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures

Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1

About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service

threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin