Rename System Utilities - T1036.003
(ATT&CK® Technique)
Definition
Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. Because this technique defeats controls that key only on the on-disk file name or path, detection and allow/deny decisions should also consider properties the rename does not change, such as the file's hash or its embedded original-name metadata, and compare them against the name under which the file actually executed.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
%% D3FEND inferred-relationship graph for ATT&CK T1036.003 (Rename System Utilities).
%% Offensive technique node T1036003 has two artifact edges: may-create -> Executable File,
%% and may-modify -> Operating System Executable File.
%% Each defensive technique node is linked to one or both of those artifacts (solid edge,
%% labeled with the action: analyzes / deletes / spoofs / modifies / quarantines / restricts /
%% blocks / restores / filters / encrypts / isolates) and to T1036003 by a dotted edge whose
%% label gives the inferred effect (may-detect / may-evict / may-deceive / may-isolate /
%% may-restore / may-harden). These edges are inferred from the artifact relationships, not
%% asserted directly; the "click" directives only attach page links to the nodes.
graph LR; T1036003["Rename System Utilities"] --> |may-create| ExecutableFile["Executable File"]; class T1036003 OffensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; click T1036003 href "/offensive-technique/attack/T1036.003/"; click ExecutableFile href "/dao/artifact/d3f:ExecutableFile"; T1036003["Rename System Utilities"] --> |may-modify| OperatingSystemExecutableFile["Operating System Executable File"]; class T1036003 OffensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click OperatingSystemExecutableFile href "/dao/artifact/d3f:OperatingSystemExecutableFile"; click T1036003 href "/offensive-technique/attack/T1036.003/"; click OperatingSystemExecutableFile href "/dao/artifact/d3f:OperatingSystemExecutableFile"; EmulatedFileAnalysis["Emulated File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; EmulatedFileAnalysis["Emulated File Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class EmulatedFileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click EmulatedFileAnalysis href "/technique/d3f:EmulatedFileAnalysis"; DynamicAnalysis["Dynamic Analysis"] --> | analyzes | ExecutableFile["Executable File"]; DynamicAnalysis["Dynamic Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class DynamicAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DynamicAnalysis href "/technique/d3f:DynamicAnalysis"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"]; FileIntegrityMonitoring["File Integrity Monitoring"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class FileIntegrityMonitoring DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileIntegrityMonitoring["File Integrity Monitoring"] --> | analyzes | 
ExecutableFile["Executable File"]; class FileIntegrityMonitoring DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] --> | deletes | ExecutableFile["Executable File"]; FileEviction["File Eviction"] -.-> | may-evict | T1036003["Rename System Utilities"] ; class FileEviction DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; FileEviction["File Eviction"] --> | deletes | OperatingSystemExecutableFile["Operating System Executable File"]; class FileEviction DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileEviction href "/technique/d3f:FileEviction"; DecoyFile["Decoy File"] --> | spoofs | ExecutableFile["Executable File"]; DecoyFile["Decoy File"] -.-> | may-deceive | T1036003["Rename System Utilities"] ; class DecoyFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; DecoyFile["Decoy File"] --> | spoofs | OperatingSystemExecutableFile["Operating System Executable File"]; class DecoyFile DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click DecoyFile href "/technique/d3f:DecoyFile"; ContentModification["Content Modification"] --> | modifies | ExecutableFile["Executable File"]; ContentModification["Content Modification"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ContentModification DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] --> | quarantines | ExecutableFile["Executable File"]; ContentQuarantine["Content Quarantine"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ContentQuarantine DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ContentQuarantine href "/technique/d3f:ContentQuarantine"; 
ContentModification["Content Modification"] --> | modifies | OperatingSystemExecutableFile["Operating System Executable File"]; class ContentModification DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] --> | quarantines | OperatingSystemExecutableFile["Operating System Executable File"]; class ContentQuarantine DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click ContentQuarantine href "/technique/d3f:ContentQuarantine"; LocalFilePermissions["Local File Permissions"] --> | restricts | ExecutableFile["Executable File"]; LocalFilePermissions["Local File Permissions"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class LocalFilePermissions DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; LocalFilePermissions["Local File Permissions"] --> | restricts | OperatingSystemExecutableFile["Operating System Executable File"]; class LocalFilePermissions DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; ExecutableAllowlisting["Executable Allowlisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableAllowlisting["Executable Allowlisting"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ExecutableAllowlisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableAllowlisting href "/technique/d3f:ExecutableAllowlisting"; ExecutableDenylisting["Executable Denylisting"] --> | blocks | ExecutableFile["Executable File"]; ExecutableDenylisting["Executable Denylisting"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ExecutableDenylisting DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ExecutableDenylisting href "/technique/d3f:ExecutableDenylisting"; 
RestoreFile["Restore File"] --> | restores | ExecutableFile["Executable File"]; RestoreFile["Restore File"] -.-> | may-restore | T1036003["Rename System Utilities"] ; class RestoreFile DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; RestoreFile["Restore File"] --> | restores | OperatingSystemExecutableFile["Operating System Executable File"]; class RestoreFile DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click RestoreFile href "/technique/d3f:RestoreFile"; FileAnalysis["File Analysis"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"]; FileAnalysis["File Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class FileAnalysis DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; FileAnalysis["File Analysis"] --> | analyzes | ExecutableFile["Executable File"]; class FileAnalysis DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click FileAnalysis href "/technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] --> | filters | ExecutableFile["Executable File"]; ContentFiltering["Content Filtering"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class ContentFiltering DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click ContentFiltering href "/technique/d3f:ContentFiltering"; ContentFiltering["Content Filtering"] --> | filters | OperatingSystemExecutableFile["Operating System Executable File"]; class ContentFiltering DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click ContentFiltering href "/technique/d3f:ContentFiltering"; FileEncryption["File Encryption"] --> | encrypts | ExecutableFile["Executable File"]; FileEncryption["File Encryption"] -.-> | may-harden | T1036003["Rename System Utilities"] ; class FileEncryption DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click 
FileEncryption href "/technique/d3f:FileEncryption"; FileEncryption["File Encryption"] --> | encrypts | OperatingSystemExecutableFile["Operating System Executable File"]; class FileEncryption DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click FileEncryption href "/technique/d3f:FileEncryption"; SystemFileAnalysis["System File Analysis"] --> | analyzes | OperatingSystemExecutableFile["Operating System Executable File"]; SystemFileAnalysis["System File Analysis"] -.-> | may-detect | T1036003["Rename System Utilities"] ; class SystemFileAnalysis DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click SystemFileAnalysis href "/technique/d3f:SystemFileAnalysis"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | OperatingSystemExecutableFile["Operating System Executable File"]; RemoteFileAccessMediation["Remote File Access Mediation"] -.-> | may-isolate | T1036003["Rename System Utilities"] ; class RemoteFileAccessMediation DefensiveTechniqueNode; class OperatingSystemExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RemoteFileAccessMediation["Remote File Access Mediation"] --> | isolates | ExecutableFile["Executable File"]; class RemoteFileAccessMediation DefensiveTechniqueNode; class ExecutableFile ArtifactNode; click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation";