Rename System Utilities - T1036.003
(ATT&CK® Technique)
Definition
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities that adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: renaming rundll32.exe), since controls that match only on the file name do not recognize the renamed copy, whereas controls that inspect the file's contents or embedded metadata still can. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed, to avoid detections based on system utilities executing from non-standard paths.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1036003["Rename System Utilities"] --> |may-create| ExecutableFile["Executable File"]; class T1036003 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1036003 href "/offensive-technique/attack/T1036.003/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1036003["Rename System Utilities"] --> |may-modify| OperatingSystemExecutableFile["Operating System Executable File"]; class T1036003 OffensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click OperatingSystemExecutableFile href "/dao/artifact/d3f:OperatingSystemExecutableFile"; click T1036003 href "/offensive-technique/attack/T1036.003/"; click OperatingSystemExecutableFile href "/dao/artifact/d3f:OperatingSystemExecutableFile"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1036003["Rename System Utilities"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | OperatingSystemExecutableFile["Operating System Executable File"]; class DecoyFile DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click 
DecoyFile href "/technique/d3f:DecoyFile"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1036003["Rename System Utilities"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | OperatingSystemExecutableFile["Operating System Executable File"]; class FileEncryption DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | OperatingSystemExecutableFile["Operating System Executable File"]; class LocalFilePermissions DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; 
FileEviction["File Eviction"] --> | deletes | OperatingSystemExecutableFile["Operating System Executable File"]; FileEviction["File Eviction"] -.-> | may-evict | T1036003["Rename System Utilities"] ; class FileEviction DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | ExecutableFile["Executable File"]; class FileEviction DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | may-restore | T1036003["Rename System Utilities"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | OperatingSystemExecutableFile["Operating System Executable File"]; class RestoreFile DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; SystemFileAnalysis["System File Analysis"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"]; 
SystemFileAnalysis["System File Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class SystemFileAnalysis DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableFile["Executable File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | OperatingSystemExecutableFile["Operating System Executable File"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; FileAnalysis["File Analysis"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class FileAnalysis DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis";