Match Legitimate Name or Location - T1036.005
(ATT&CK® Technique)
Definition
Adversaries may match or approximate the name or location of legitimate files or resources when naming or placing their own, so that defenders and monitoring tools overlook them. This may be done by placing an executable in a commonly trusted directory (e.g. under System32) or by giving it the name of a legitimate, trusted program (e.g. svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, the name given to a file or container image may be a close approximation of a legitimate program or image name, or simply something innocuous.
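The two variants in the definition (right name in the wrong place; a near-miss of the right name) are straightforward to hunt for from a file or process inventory. The script below is an added example written for this page, not D3FEND or ATT&CK code. It checks each path against a small allow-list of well-known Windows binaries and their legitimate directories (EXPECTED_LOCATIONS is a constructed, hypothetical table; build the real one from a golden image), and separately flags names that are within one edit of a well-known name after folding common homoglyphs (0/o, 1/l, i/l, 5/s, 3/e), using optimal-string-alignment distance so that a transposed pair such as scvhost.exe counts as one edit. The same lookalike check works for container image names when given a set of trusted image names. The sample inventory at the bottom is constructed.

```python
"""Detection helper for T1036.005, Match Legitimate Name or Location.

Added example; not code from D3FEND or ATT&CK. Two rules:
  1. unexpected_location: a file carries the exact name of a well-known
     system binary but sits outside the directories where that binary lives.
  2. lookalike_name: a file (or container image) name is within one edit of a
     well-known name after folding common homoglyphs, so svch0st.exe and
     scvhost.exe are both reported.
The allow-list and the sample inventory are constructed for illustration.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass
from typing import Iterable

# Hypothetical allow-list (constructed): canonical binary name -> directories
# where it is legitimately installed, all lower-cased Windows paths. In
# production, derive this from a golden image rather than from memory.
EXPECTED_LOCATIONS: dict[str, set[str]] = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
}

# Characters commonly swapped for visually similar ones; both the observed
# name and the canonical name are folded before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s", "3": "e"})


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str          # "unexpected_location" or "lookalike_name"
    impersonates: str  # the legitimate name the file resembles


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition counted as one edit (so 'scvhost' is 1 from 'svchost')."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def lookalike_of(name: str, candidates: Iterable[str] | None = None,
                 max_distance: int = 1) -> str | None:
    """Return the legitimate name that `name` approximates, or None.

    An exact match is not a lookalike (the location rule handles those).
    Pass a set of trusted image names as `candidates` to apply the same
    check to container images.
    """
    candidates = list(candidates) if candidates is not None else list(EXPECTED_LOCATIONS)
    name = name.lower()
    if name in candidates:
        return None
    folded = name.translate(HOMOGLYPHS)
    for canonical in candidates:
        if osa_distance(folded, canonical.translate(HOMOGLYPHS)) <= max_distance:
            return canonical
    return None


def check_path(path: str) -> Finding | None:
    """Apply both rules to one Windows path. Comparison is case-insensitive
    because NTFS is; the original path is kept in the Finding for the analyst."""
    directory, name = ntpath.split(path.lower())
    directory = directory.rstrip("\\")
    if name in EXPECTED_LOCATIONS:
        if directory not in EXPECTED_LOCATIONS[name]:
            return Finding(path, "unexpected_location", name)
        return None
    canonical = lookalike_of(name)
    if canonical is not None:
        return Finding(path, "lookalike_name", canonical)
    return None


def scan(paths: Iterable[str]) -> list[Finding]:
    """Run check_path over an inventory and return only the findings."""
    return [f for f in (check_path(p) for p in paths) if f is not None]


if __name__ == "__main__":
    # Constructed sample inventory, e.g. from a file listing or process list.
    SAMPLE = [
        r"C:\Windows\System32\svchost.exe",      # legitimate
        r"C:\Users\Public\svchost.exe",          # right name, wrong directory
        r"C:\Windows\System32\svch0st.exe",      # homoglyph
        r"C:\ProgramData\scvhost.exe",           # transposition
        r"C:\Windows\explorer.exe",              # legitimate
        r"C:\Windows\System32\notepad.exe",      # not tracked, no finding
    ]
    for finding in scan(SAMPLE):
        print(f"{finding.rule:20} {finding.path}  (impersonates {finding.impersonates})")
```

Neither rule proves a file is malicious: a name match in the wrong directory is also what a legitimate installer's staging copy looks like, so pair a finding with a hash or signature check (File Analysis) before acting on it. Name-based checks also miss the case where the adversary overwrites the real binary in place, which is what File Integrity Monitoring is for.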
D3FEND Inferred Relationships
D3FEND knowledge graph relationships inferred for this technique (node links given as D3FEND paths):

Offensive technique to artifact:
- Match Legitimate Name or Location (/offensive-technique/attack/T1036.005/) may-create File (/dao/artifact/d3f:File)
- Match Legitimate Name or Location invokes Move File (/dao/artifact/d3f:MoveFile)

Defensive techniques inferred through the File artifact:
- File Integrity Monitoring (/technique/d3f:FileIntegrityMonitoring) analyzes File; may-detect T1036.005
- File Analysis (/technique/d3f:FileAnalysis) analyzes File; may-detect T1036.005
- Decoy File (/technique/d3f:DecoyFile) spoofs File; may-deceive T1036.005
- File Encryption (/technique/d3f:FileEncryption) encrypts File; may-harden against T1036.005
- Local File Permissions (/technique/d3f:LocalFilePermissions) restricts File; may-isolate T1036.005
- Content Modification (/technique/d3f:ContentModification) modifies File; may-isolate T1036.005
- Content Quarantine (/technique/d3f:ContentQuarantine) quarantines File; may-isolate T1036.005
- Content Filtering (/technique/d3f:ContentFiltering) filters File; may-isolate T1036.005
- Remote File Access Mediation (/technique/d3f:RemoteFileAccessMediation) isolates File; may-isolate T1036.005
- File Eviction (/technique/d3f:FileEviction) deletes File; may-evict T1036.005
- Restore File (/technique/d3f:RestoreFile) restores File; may-restore after T1036.005

Defensive techniques inferred through the Move File artifact:
- System Call Analysis (/technique/d3f:SystemCallAnalysis) analyzes Move File; may-detect T1036.005
- System Call Filtering (/technique/d3f:SystemCallFiltering) filters Move File; may-isolate T1036.005