Masquerading T1036
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Events covered
26 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the 202 rules listed under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (81 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (2632 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Exclusions (606 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Each rule's catalog entry carries its full predicates, exclusions, and indicators.
Sigma 89 rules
- CodePage Modification Via MODE.COM
- CodePage Modification Via MODE.COM To Russian Language
- Computer account renamed without a trailing $ (CVE-2021-42278/42287)
- CreateDump Process Dump
- DumpMinitool Execution
- Exploit for CVE-2015-1641
- Explorer Process Tree Break
- File Download Via Bitsadmin
- File Download Via Bitsadmin To A Suspicious Target Folder
- File With Suspicious Extension Downloaded Via Bitsadmin
- Files With System DLL Name In Unsuspected Locations
- Files With System Process Name In Unsuspected Locations
- Findstr Launching .lnk File
- Forfiles.EXE Child Process Masquerading
- Greenbug Espionage Group Indicators
- HackTool - XORDump Execution
- Lazarus System Binary Masquerading
- LOL-Binary Copied From System Directory
- MMC Executing Files with Reversed Extensions Using RTLO Abuse
- New or Renamed User Account with '$' Character
- New Process Created Via Taskmgr.EXE
- Operation Wocao Activity
- Operation Wocao Activity - Security
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential Binary Impersonating Sysinternals Tools
- Potential Command Line Path Traversal Evasion Attempt
- Potential Defense Evasion Via Binary Rename
- Potential Defense Evasion Via Rename Of Highly Relevant Binaries
- Potential Defense Evasion Via Right-to-Left Override
- Potential Fake Instance Of Hxtsr.EXE Executed
- Potential File Extension Spoofing Using Right-to-Left Override
- Potential Homoglyph Attack Using Lookalike Characters
- Potential Homoglyph Attack Using Lookalike Characters in Filename
- Potential LSASS Process Dump Via Procdump
- Potential MsiExec Masquerading
- Potential PendingFileRenameOperations Tampering
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Potential SysInternals ProcDump Evasion
- Potential WerFault ReflectDebugger Registry Value Abuse
- Procdump Execution
- Process Execution From A Potentially Suspicious Folder
- Process Memory Dump Via Comsvcs.DLL
- Ps.exe Renamed SysInternals Tool
- PUA - Potential PE Metadata Tamper Using Rcedit
- RedSun - Conhost.exe Spawned by TieringEngineService.exe
- RedSun - TieringEngineService.exe Detected as EICAR Test File
- RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir
- Remote Access Tool - Renamed MeshAgent Execution - Windows
- Renamed BrowserCore.EXE Execution
- Renamed CreateDump Utility Execution
- Renamed Jusched.EXE Execution
- Renamed Msdt.EXE Execution
- Renamed Office Binary Execution
- Renamed Plink Execution
- Renamed Powershell Under Powershell Channel
- Renamed ProcDump Execution
- Renamed Schtasks Execution
- Renamed ZOHO Dctask64 Execution
- Scheduled Task Creation Masquerading as System Processes
- Sdiagnhost Calling Suspicious Child Process
- SearchIndexer suspicious process activity
- Small Sieve Malware File Indicator Creation
- Suspicious Calculator Usage
- Suspicious Child Process Of Wermgr.EXE
- Suspicious CodePage Switch Via CHCP
- Suspicious Computer Account Name Change CVE-2021-42287
- Suspicious Copy From or To System Directory
- Suspicious Double Extension Files
- Suspicious Download From Direct IP Via Bitsadmin
- Suspicious Download From File-Sharing Website Via Bitsadmin
- Suspicious DumpMinitool Execution
- Suspicious Files in Default GPO Folder
- Suspicious LNK Double Extension File Created
- Suspicious MSDT Parent Process
- Suspicious Parent Double Extension File Execution
- Suspicious Process Masquerading As SvcHost.EXE
- Suspicious Process Parents
- Suspicious Process Start Locations
- Suspicious Scheduled Task Creation via Masqueraded XML File
- Suspicious Start-Process PassThru
- Suspicious Windows Update Agent Empty Cmdline
- System File Execution Location Anomaly
- Taskmgr as LOCAL_SYSTEM
- Uncommon Svchost Command Line Parameter
- Uncommon Svchost Parent Process
- Unsigned .node File Loaded
- User account created by a computer account
- Windows Binaries Write Suspicious Extensions
- Windows Processes Suspicious Parent Directory
Elastic 44 rules
- Conhost Spawned By Suspicious Parent Process
- Executable File Creation with Multiple Extensions
- Execution from Unusual Directory - Command Line
- Execution via Windows Command Debugging Utility
- Expired or Revoked Driver Loaded
- File with Right-to-Left Override Character (RTLO) Created/Executed
- Image Loaded with Invalid Signature
- Memory Dump File with Unusual Extension
- Microsoft Build Engine Using an Alternate Name
- Potential Credential Access via Renamed COM+ Services DLL
- Potential CVE-2025-33053 Exploitation
- Potential Data Exfiltration via Rclone
- Potential DLL Side-Loading via Trusted Microsoft Programs
- Potential Masquerading as Browser Process
- Potential Masquerading as Business App Installer
- Potential Masquerading as Communication Apps
- Potential Masquerading as System32 Executable
- Potential Masquerading as VLC DLL
- Potential Privilege Escalation via InstallerFileTakeOver
- Potential Privileged Escalation via SamAccountName Spoofing
- Potential Windows Error Manager Masquerading
- Process Execution from an Unusual Directory
- Program Files Directory Masquerading
- Renamed Automation Script Interpreter
- Renamed Utility Executed with Short Program Name
- Signed Proxy Execution via MS Work Folders
- Startup Folder Persistence via Unsigned Process
- Suspicious Communication App Child Process
- Suspicious DLL Loaded for Persistence or Privilege Escalation
- Suspicious Endpoint Security Parent Process
- Suspicious Microsoft Antimalware Service Execution
- Suspicious Microsoft Diagnostics Wizard Execution
- Suspicious Outlook Child Process
- Suspicious Process Execution via Renamed PsExec Executable
- Suspicious WerFault Child Process
- Suspicious Zoom Child Process
- UAC Bypass Attempt via Windows Directory Masquerading
- Unsigned DLL Loaded by Svchost
- Unsigned DLL Side-Loading from a Suspicious Folder
- Untrusted Driver Loaded
- Unusual Network Activity from a Windows System Binary
- Unusual Parent-Child Relationship
- Unusual Process Execution on WBEM Path
- Unusual Process Extension
Splunk 60 rules
- 1 or 2 Character Executable (Windows Event Log)
- Attacker Tools On Endpoint
- Detect RTLO In File Name
- Detect RTLO In Process
- DLL Concatenation (PowerShell)
- DLL Concatenation (Sysmon)
- DLL Concatenation (Windows Event Log)
- Executables Or Script Creation In Suspicious Path
- Executables Or Script Creation In Temp Path
- Execution of File with Multiple Extensions
- Mock System Directory - Windows (Sysmon)
- Mock System Directory - Windows (Windows Event Log)
- Output to File (PowerShell)
- Output to File (Windows Event Log)
- Potential Executable Masquerading as Document - Windows (Sysmon)
- Potential Executable Masquerading as Document - Windows (Windows Event Log)
- Process Execution From Suspicious Folder (Sysmon)
- Process Execution From Suspicious Folder (Windows Event Log)
- Rename System Utilities (Windows Event Log)
- Renamed Process (Sysmon)
- Suspicious Child Process for lsass.exe (Sysmon)
- Suspicious Child Process for lsass.exe (Windows Event Log)
- Suspicious Copy on System32
- Suspicious File Created in Public Folder (Sysmon)
- Suspicious microsoft workflow compiler rename
- Suspicious msbuild path
- Suspicious MSBuild Rename
- Suspicious Parent Process for lsass.exe or services.exe (Sysmon)
- Suspicious Parent Process for lsass.exe or services.exe (Windows Event Log)
- Suspicious Parent Process for spoolsv.exe (Sysmon)
- Suspicious Parent Process for spoolsv.exe (Windows Event Log)
- Suspicious Process Executed From Container File
- Suspicious writes to windows Recycle Bin
- System Processes Run From Unexpected Locations
- Unexpected Network Connection from System Process (Sysmon)
- Unexpected Network Connection from System Process (Windows Event Log)
- Windows Bluetooth Service Installed From Uncommon Location
- Windows Debugger Tool Execution
- Windows DotNet Binary in Non Standard Path
- Windows Executable Masquerading as Benign File Types
- Windows InstallUtil in Non Standard Path
- Windows LOLBAS Executed As Renamed File
- Windows LOLBAS Executed Outside Expected Path
- Windows Masquerading Msdtc Process
- Windows MSC EvilTwin Directory Path Manipulation
- Windows NetSupport RMM DLL Loaded By Uncommon Process
- Windows Process Copied from System Folder (PowerShell)
- Windows Process Copied from System Folder (Sysmon)
- Windows Process Copied from System Folder (Windows Event Log)
- Windows Process Execution From ProgramData
- Windows Process Execution in Temp Dir
- Windows Process Outside of System Folder (Sysmon)
- Windows Process Outside of System Folder (Windows Event Log)
- Windows Renamed Powershell Execution
- Windows SoftEther VPN Masquerading as Legitimate Binary
- Windows Suspicious Process File Path
- Windows Suspicious QEMU Execution
- Windows Svchost.exe Parent Process Anomaly
- Windows TinyCC Shellcode Execution
- Windows Unusual SysWOW64 Process Run System32 Executable
Kusto 9 rules
- Certified Pre-Owned - backup of CA private key - rule 1
- Certified Pre-Owned - backup of CA private key - rule 2
- Certified Pre-Owned - TGTs requested with certificate authentication
- Masquerading Renamed executables of interest
- Match Legitimate Name or Location - 2
- Potential re-named sdelete usage
- Potential re-named sdelete usage (ASIM Version)
- Rename System Utilities
- Unsigned Windows System Binary