Esc
Match Legitimate Name or Location - T1036.005
(ATT&CK® Technique)
Definition
Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR;
T1036005["Match Legitimate Name or Location"] --> |may-create| File["File"]; class T1036005 OffensiveTechniqueNode;
class File ArtifactNode; click File href "/dao/artifact/d3f:File";
click T1036005 href "/offensive-technique/attack/T1036.005/"; click File href "/dao/artifact/d3f:File"; T1036005["Match Legitimate Name or Location"] --> |invokes| MoveFile["Move File"]; class T1036005 OffensiveTechniqueNode;
class MoveFile ArtifactNode; click MoveFile href "/dao/artifact/d3f:MoveFile";
click T1036005 href "/offensive-technique/attack/T1036.005/"; click MoveFile href "/dao/artifact/d3f:MoveFile"; FileIntegrityMonitoring["File Integrity Monitoring"] -->
| analyzes | File["File"];
FileIntegrityMonitoring["File Integrity Monitoring"] -.->
| may-detect | T1036005["Match Legitimate Name or Location"] ;
class FileIntegrityMonitoring DefensiveTechniqueNode;
class File ArtifactNode;
click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
| deletes | File["File"];
FileEviction["File Eviction"] -.->
| may-evict | T1036005["Match Legitimate Name or Location"] ;
class FileEviction DefensiveTechniqueNode;
class File ArtifactNode;
click FileEviction href "/technique/d3f:FileEviction"; DecoyFile["Decoy File"] -->
| spoofs | File["File"];
DecoyFile["Decoy File"] -.->
| may-deceive | T1036005["Match Legitimate Name or Location"] ;
class DecoyFile DefensiveTechniqueNode;
class File ArtifactNode;
click DecoyFile href "/technique/d3f:DecoyFile"; ContentModification["Content Modification"] -->
| modifies | File["File"];
ContentModification["Content Modification"] -.->
| may-isolate | T1036005["Match Legitimate Name or Location"] ;
class ContentModification DefensiveTechniqueNode;
class File ArtifactNode;
click ContentModification href "/technique/d3f:ContentModification"; ContentQuarantine["Content Quarantine"] -->
| quarantines | File["File"];
ContentQuarantine["Content Quarantine"] -.->
| may-isolate | T1036005["Match Legitimate Name or Location"] ;
class ContentQuarantine DefensiveTechniqueNode;
class File ArtifactNode;
click ContentQuarantine href "/technique/d3f:ContentQuarantine"; FileEncryption["File Encryption"] -->
| encrypts | File["File"];
FileEncryption["File Encryption"] -.->
| may-harden | T1036005["Match Legitimate Name or Location"] ;
class FileEncryption DefensiveTechniqueNode;
class File ArtifactNode;
click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
| restricts | File["File"];
LocalFilePermissions["Local File Permissions"] -.->
| may-isolate | T1036005["Match Legitimate Name or Location"] ;
class LocalFilePermissions DefensiveTechniqueNode;
class File ArtifactNode;
click LocalFilePermissions href "/technique/d3f:LocalFilePermissions"; SystemCallAnalysis["System Call Analysis"] -->
| analyzes | MoveFile["Move File"];
SystemCallAnalysis["System Call Analysis"] -.->
| may-detect | T1036005["Match Legitimate Name or Location"] ;
class SystemCallAnalysis DefensiveTechniqueNode;
class MoveFile ArtifactNode;
click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis"; SystemCallFiltering["System Call Filtering"] -->
| filters | MoveFile["Move File"];
SystemCallFiltering["System Call Filtering"] -.->
| may-isolate | T1036005["Match Legitimate Name or Location"] ;
class SystemCallFiltering DefensiveTechniqueNode;
class MoveFile ArtifactNode;
click SystemCallFiltering href "/technique/d3f:SystemCallFiltering"; FileAnalysis["File Analysis"] -->
| analyzes | File["File"];
FileAnalysis["File Analysis"] -.->
| may-detect | T1036005["Match Legitimate Name or Location"] ;
class FileAnalysis DefensiveTechniqueNode;
class File ArtifactNode;
click FileAnalysis href "/technique/d3f:FileAnalysis"; ContentFiltering["Content Filtering"] -->
| filters | File["File"];
ContentFiltering["Content Filtering"] -.->
| may-isolate | T1036005["Match Legitimate Name or Location"] ;
class ContentFiltering DefensiveTechniqueNode;
class File ArtifactNode;
click ContentFiltering href "/technique/d3f:ContentFiltering"; RemoteFileAccessMediation["Remote File Access Mediation"] -->
| isolates | File["File"];
RemoteFileAccessMediation["Remote File Access Mediation"] -.->
| may-isolate | T1036005["Match Legitimate Name or Location"] ;
class RemoteFileAccessMediation DefensiveTechniqueNode;
class File ArtifactNode;
click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; RestoreFile["Restore File"] -->
| restores | File["File"];
RestoreFile["Restore File"] -.->
| may-restore | T1036005["Match Legitimate Name or Location"] ;
class RestoreFile DefensiveTechniqueNode;
class File ArtifactNode;
click RestoreFile href "/technique/d3f:RestoreFile";