Masquerading - T1036
(ATT&CK® Technique)
Definition
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
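The name, location and file-type cues in the definition above can each be checked mechanically. The following detection sketch is an added example, not part of D3FEND or ATT&CK; the function name, the finding labels, the extension sets and the baseline of expected directories are assumptions chosen for illustration.

```python
import ntpath

# Assumed baseline: Windows system binaries and the only directories they should run from.
EXPECTED_DIRS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "services.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk"}
RTLO = "\u202e"  # right-to-left override, reverses how the name is displayed


def masquerade_findings(path, head=b""):
    """Return the list of masquerading indicators for one file path.

    head is the first bytes of the file, if available (hypothetical input
    from an EDR or file scanner).
    """
    findings = []
    directory, name = ntpath.split(path)
    directory, name = ntpath.normpath(directory).lower(), name.lower()

    # Location: a system binary name outside its expected directory.
    allowed = EXPECTED_DIRS.get(name)
    if allowed is not None and directory not in allowed:
        findings.append("system-name-wrong-location")

    # File type: document extension followed by an executable extension,
    # tolerating padding spaces inserted to push the real extension off-screen.
    stem, ext = ntpath.splitext(name.rstrip(" ."))
    if ext in EXEC_EXTS and ntpath.splitext(stem.rstrip())[1] in DECOY_EXTS:
        findings.append("double-extension")

    # Display trick: bidirectional control character inside the file name.
    if RTLO in name:
        findings.append("rtlo-in-name")

    # Content: PE header ("MZ") behind a non-executable extension.
    if head[:2] == b"MZ" and ext in DECOY_EXTS:
        findings.append("pe-content-decoy-extension")
    return findings
```

A name-and-path check like this only narrows the search; the file and system-call analysis techniques listed under the inferred relationships are what confirm a finding.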
D3FEND Inferred Relationships
The D3FEND knowledge graph for this technique contains the following relationships.

Masquerading (T1036) and the digital artifacts it touches:
Masquerading creates: File, Executable Binary
Masquerading may-create: File, Executable File
Masquerading modifies: Job Schedule, File System Metadata
Masquerading may-modify: Operating System Executable File
Masquerading invokes: Move File

D3FEND defensive techniques, the artifacts they act on, and their inferred relationship to Masquerading:
Decoy File spoofs: Executable Binary, Operating System Executable File, File, Executable File (may-deceive Masquerading)
Dynamic Analysis analyzes: Executable Binary, Executable File (may-detect Masquerading)
Emulated File Analysis analyzes: Executable Binary, Executable File (may-detect Masquerading)
File Integrity Monitoring analyzes: File, Executable File, Executable Binary, Operating System Executable File (may-detect Masquerading)
File Analysis analyzes: Operating System Executable File, Executable Binary, File, Executable File (may-detect Masquerading)
System File Analysis analyzes: Operating System Executable File (may-detect Masquerading)
System Call Analysis analyzes: Move File (may-detect Masquerading)
Scheduled Job Analysis analyzes: Job Schedule (may-detect Masquerading)
File Eviction deletes: File, Executable File, Operating System Executable File, Executable Binary (may-evict Masquerading)
File Encryption encrypts: Executable File, Executable Binary, File, Operating System Executable File (may-harden Masquerading)
Executable Allowlisting blocks: Executable File, Executable Binary (may-isolate Masquerading)
Executable Denylisting blocks: Executable File, Executable Binary (may-isolate Masquerading)
Local File Permissions restricts: Executable File, Executable Binary, File, Operating System Executable File (may-isolate Masquerading)
System Call Filtering filters: Move File (may-isolate Masquerading)
Remote File Access Mediation isolates: Operating System Executable File, File, Executable File, Executable Binary (may-isolate Masquerading)
Restore File restores: Executable File, Executable Binary, Operating System Executable File, File (may-restore Masquerading)