Skip to content
Atomic Red Team
atomics
T1036.005

T1036.005 - Masquerading: Match Legitimate Name or Location

Description from ATT&CK (opens in a new tab)

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

Atomic Tests


Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory.

Create and execute a process from a directory masquerading as the current parent directory (... instead of normal ..)

Supported Platforms: macOS, Linux

auto_generated_guid: 812c3ab8-94b0-4698-a9bf-9420af23ce24

Inputs:

NameDescriptionTypeDefault Value
test_messageTest message to echo out to the screenstringHello from the Atomic Red Team test T1036.005#1

Attack Commands: Run with sh!

mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"

Cleanup Commands:

rm -f $HOME/.../sh
rmdir $HOME/.../


Atomic Test #2 - Masquerade as a built-in system executable

Launch an executable that attempts to masquerade as a legitimate executable.

Supported Platforms: Windows

auto_generated_guid: 35eb8d16-9820-4423-a2a1-90c4f5edd9ca

Inputs:

NameDescriptionTypeDefault Value
executable_filepathFile path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility.string$Env:windir\Temp\svchost.exe

Attack Commands: Run with powershell!

Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"
 
Start-Process -FilePath "#{executable_filepath}"

Cleanup Commands:

Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore

T1036.004T1036.006