Rename Legitimate Utilities - T1036.003
(ATT&CK® Technique)
Definition
Adversaries may rename legitimate system utilities to evade security mechanisms that key on the name of those utilities. Security monitoring and control mechanisms may be in place for system utilities that adversaries are capable of abusing. It may be possible to bypass those mechanisms by renaming the utility prior to use (e.g., renaming rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed, to avoid detections based on system utilities executing from non-standard paths. Because only the name or path changes, detections that identify the binary by its contents (for example its hash or code signature) rather than by its name or path are unaffected by a rename.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
%% D3FEND inferred relationships for ATT&CK T1036.003 (Rename Legitimate Utilities).
%% Solid edges (-->) state what a technique does to an artifact. Dashed edges (-.->)
%% are the relationships to T1036.003 that D3FEND infers: the defensive technique
%% acts on an artifact this offensive technique may create or modify.
%% The repeated class/click statements are emitted once per edge; they are redundant
%% restatements and do not change the rendered graph.
graph LR;
%% Offensive technique -> artifacts. may-create: an Executable File (presumably the
%% renamed or copied binary; the graph does not say). may-modify: the original
%% Operating System Executable File (when it is renamed in place).
T1036003["Rename Legitimate Utilities"] --> |may-create| ExecutableFile["Executable File"];
class T1036003 OffensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableFile href "../../../dao/artifact/d3f:ExecutableFile";
click T1036003 href "../../../offensive-technique/attack/T1036.003/";
click ExecutableFile href "../../../dao/artifact/d3f:ExecutableFile";
T1036003["Rename Legitimate Utilities"] --> |may-modify| OperatingSystemExecutableFile["Operating System Executable File"];
class T1036003 OffensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click OperatingSystemExecutableFile href "../../../dao/artifact/d3f:OperatingSystemExecutableFile";
click T1036003 href "../../../offensive-technique/attack/T1036.003/";
click OperatingSystemExecutableFile href "../../../dao/artifact/d3f:OperatingSystemExecutableFile";
%% --- Evict: File Eviction deletes the artifact -> may-evict T1036.003
FileEviction["File Eviction"] --> | deletes | ExecutableFile["Executable File"];
FileEviction["File Eviction"] -.-> | may-evict | T1036003["Rename Legitimate Utilities"] ;
class FileEviction DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEviction href "../../../technique/d3f:FileEviction";
FileEviction["File Eviction"] --> | deletes | OperatingSystemExecutableFile["Operating System Executable File"];
class FileEviction DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click FileEviction href "../../../technique/d3f:FileEviction";
%% --- Detect: Dynamic Analysis analyzes the Executable File -> may-detect T1036.003
DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"];
DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1036003["Rename Legitimate Utilities"] ;
class DynamicAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DynamicAnalysis href "../../../technique/d3f:DynamicAnalysis";
%% --- Deceive: Decoy File spoofs the artifact -> may-deceive T1036.003
DecoyFile["Decoy File"] --> | spoofs | OperatingSystemExecutableFile["Operating System Executable File"];
DecoyFile["Decoy File"] -.-> | may-deceive | T1036003["Rename Legitimate Utilities"] ;
class DecoyFile DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click DecoyFile href "../../../technique/d3f:DecoyFile";
DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"];
class DecoyFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click DecoyFile href "../../../technique/d3f:DecoyFile";
%% --- Isolate: Content Modification modifies the artifact -> may-isolate T1036.003
ContentModification["Content Modification"] --> | modifies | OperatingSystemExecutableFile["Operating System Executable File"];
ContentModification["Content Modification"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class ContentModification DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click ContentModification href "../../../technique/d3f:ContentModification";
ContentModification["Content Modification"] --> | modifies | ExecutableFile["Executable File"];
class ContentModification DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentModification href "../../../technique/d3f:ContentModification";
%% --- Detect: File Integrity Monitoring analyzes the artifact -> may-detect T1036.003
%% NOTE(review): the copy-to-another-directory case in the Definition leaves the
%% original OS executable untouched, so integrity checks scoped to that file alone
%% would not observe it -- confirm the monitored path set covers the new location.
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1036003["Rename Legitimate Utilities"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";
FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | ExecutableFile["Executable File"];
class FileIntegrityMonitoring DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileIntegrityMonitoring href "../../../technique/d3f:FileIntegrityMonitoring";
%% --- Detect: Emulated File Analysis analyzes the Executable File -> may-detect T1036.003
EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"];
EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1036003["Rename Legitimate Utilities"] ;
class EmulatedFileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click EmulatedFileAnalysis href "../../../technique/d3f:EmulatedFileAnalysis";
%% --- Isolate: Content Quarantine quarantines the artifact -> may-isolate T1036.003
ContentQuarantine["Content Quarantine"] --> | quarantines | ExecutableFile["Executable File"];
ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class ContentQuarantine DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine";
ContentQuarantine["Content Quarantine"] --> | quarantines | OperatingSystemExecutableFile["Operating System Executable File"];
class ContentQuarantine DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click ContentQuarantine href "../../../technique/d3f:ContentQuarantine";
%% --- Isolate: Executable Denylisting blocks the Executable File -> may-isolate T1036.003
ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"];
ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class ExecutableDenylisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableDenylisting href "../../../technique/d3f:ExecutableDenylisting";
%% --- Isolate: Local File Permissions restricts the artifact -> may-isolate T1036.003
LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"];
LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions";
LocalFilePermissions["Local File Permissions"] --> | restricts | OperatingSystemExecutableFile["Operating System Executable File"];
class LocalFilePermissions DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click LocalFilePermissions href "../../../technique/d3f:LocalFilePermissions";
%% --- Isolate: Executable Allowlisting blocks the Executable File -> may-isolate T1036.003
ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"];
ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class ExecutableAllowlisting DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ExecutableAllowlisting href "../../../technique/d3f:ExecutableAllowlisting";
%% --- Detect: System File Analysis analyzes the OS Executable File -> may-detect T1036.003
SystemFileAnalysis["System File Analysis"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"];
SystemFileAnalysis["System File Analysis"] -.-> | may-detect | T1036003["Rename Legitimate Utilities"] ;
class SystemFileAnalysis DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click SystemFileAnalysis href "../../../technique/d3f:SystemFileAnalysis";
%% --- Detect: File Analysis analyzes the artifact -> may-detect T1036.003
FileAnalysis["File Analysis"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"];
FileAnalysis["File Analysis"] -.-> | may-detect | T1036003["Rename Legitimate Utilities"] ;
class FileAnalysis DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis";
FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"];
class FileAnalysis DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileAnalysis href "../../../technique/d3f:FileAnalysis";
%% --- Restore: Restore File restores the artifact -> may-restore T1036.003
RestoreFile["Restore File"] --> | restores | OperatingSystemExecutableFile["Operating System Executable File"];
RestoreFile["Restore File"] -.-> | may-restore | T1036003["Rename Legitimate Utilities"] ;
class RestoreFile DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click RestoreFile href "../../../technique/d3f:RestoreFile";
RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"];
class RestoreFile DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RestoreFile href "../../../technique/d3f:RestoreFile";
%% --- Harden: File Encryption encrypts the artifact -> may-harden T1036.003
FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"];
FileEncryption["File Encryption"] -.-> | may-harden | T1036003["Rename Legitimate Utilities"] ;
class FileEncryption DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click FileEncryption href "../../../technique/d3f:FileEncryption";
FileEncryption["File Encryption"] --> | encrypts | OperatingSystemExecutableFile["Operating System Executable File"];
class FileEncryption DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click FileEncryption href "../../../technique/d3f:FileEncryption";
%% --- Isolate: Content Filtering filters the artifact -> may-isolate T1036.003
ContentFiltering["Content Filtering"] --> | filters | OperatingSystemExecutableFile["Operating System Executable File"];
ContentFiltering["Content Filtering"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class ContentFiltering DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering";
ContentFiltering["Content Filtering"] --> | filters | ExecutableFile["Executable File"];
class ContentFiltering DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click ContentFiltering href "../../../technique/d3f:ContentFiltering";
%% --- Isolate: Remote File Access Mediation isolates the artifact -> may-isolate T1036.003
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableFile["Executable File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1036003["Rename Legitimate Utilities"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class ExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";
RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | OperatingSystemExecutableFile["Operating System Executable File"];
class RemoteFileAccessMediation DefensiveTechniqueNode;
class OperatingSystemExecutableFile ArtifactNode;
click RemoteFileAccessMediation href "../../../technique/d3f:RemoteFileAccessMediation";