Masquerading T1036
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
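As an added illustration (not code from this page or from any of the rules listed below), the following Python runs two masquerading checks over constructed Sysmon-style process-creation events: a well-known system binary name executing outside the system directories (the "location" side of the technique) and a PE whose embedded OriginalFileName does not match the file name on disk (a renamed binary, the "metadata" side). The binary list, directory prefixes and events are assumptions made for the example.

```python
"""Added example, not code from the page or from any listed rule: two
masquerading checks over constructed Sysmon-style process-creation events.
Check 1 flags a system binary name running outside System32/SysWOW64;
check 2 flags a PE whose OriginalFileName differs from the on-disk name.
SYSTEM_BINARIES, SYSTEM_DIRS and EVENTS are assumptions for illustration."""
import ntpath

# Assumption: on a default install these names only live under System32/SysWOW64.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "taskmgr.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Constructed events shaped like Sysmon Event ID 1 fields (not real telemetry).
EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\bob\AppData\Local\Temp\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Users\bob\Downloads\update.exe", "OriginalFileName": "Plink"},
    {"Image": r"C:\Program Files\App\app.exe", "OriginalFileName": "app.exe"},
    # Path traversal in the image path: must be normalized before the prefix check.
    {"Image": r"C:\Windows\System32\..\Temp\svchost.exe", "OriginalFileName": "svchost.exe"},
    {"Image": r"C:\Windows\System32\lsass.exe", "OriginalFileName": "-"},  # no version info
]


def _norm_path(image: str) -> str:
    """Collapse '..' segments and case so traversal tricks cannot dodge a prefix match."""
    return ntpath.normpath(image).lower()


def _stem(name: str) -> str:
    """File name without extension, lower-cased; OriginalFileName often omits '.exe'."""
    return ntpath.splitext(name.lower())[0]


def location_anomaly(event: dict) -> bool:
    """True when a known system binary name runs from outside the system directories."""
    image = _norm_path(event["Image"])
    if ntpath.basename(image) not in SYSTEM_BINARIES:
        return False
    return not image.startswith(SYSTEM_DIRS)


def renamed_binary(event: dict) -> bool:
    """True when the PE's OriginalFileName disagrees with the name on disk."""
    orig = event.get("OriginalFileName", "-")
    if orig in ("-", ""):  # Sysmon writes '-' when the PE carries no version info
        return False
    return _stem(orig) != _stem(ntpath.basename(event["Image"]))


def classify(event: dict) -> list:
    """Findings for one event; empty list means nothing suspicious."""
    findings = []
    if location_anomaly(event):
        findings.append("system_binary_outside_system_dir")
    if renamed_binary(event):
        findings.append("originalfilename_mismatch")
    return findings


def scan(events) -> dict:
    """Map each flagged image path to its findings; clean events are omitted."""
    hits = {}
    for event in events:
        findings = classify(event)
        if findings:
            hits[event["Image"]] = findings
    return hits


if __name__ == "__main__":
    for image, findings in scan(EVENTS).items():
        print(image, "->", ", ".join(findings))
```

The OriginalFileName mismatch fires on some legitimate software as well, which is exactly the kind of noise the Common exclusions section below records; a production rule pairs it with an allow-list of known benign mismatches or with a second condition such as the parent process.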
Events covered
13 catalog events are tagged with this technique by at least one rule.
Authoring guide
Patterns shared across the rules listed under this technique below: which fields they filter on, which specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row.
Fields filtered most (30 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (479 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.
Common exclusions (10 distinct)
Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Sigma 36 rules
- CodePage Modification Via MODE.COM To Russian Language
- CreateDump Process Dump
- DumpMinitool Execution
- Explorer Process Tree Break
- Findstr Launching .lnk File
- Forfiles.EXE Child Process Masquerading
- HackTool - XORDump Execution
- New or Renamed User Account with '$' Character
- New Process Created Via Taskmgr.EXE
- Password Protected ZIP File Opened (Suspicious Filenames)
- Potential Command Line Path Traversal Evasion Attempt
- Potential Fake Instance Of Hxtsr.EXE Executed
- Potential Homoglyph Attack Using Lookalike Characters
- Potential Homoglyph Attack Using Lookalike Characters in Filename
- Potential LSASS Process Dump Via Procdump
- Potential ReflectDebugger Content Execution Via WerFault.EXE
- Potential SysInternals ProcDump Evasion
- Procdump Execution
- Process Execution From A Potentially Suspicious Folder
- Process Memory Dump Via Comsvcs.DLL
- PUA - Potential PE Metadata Tamper Using Rcedit
- Renamed CreateDump Utility Execution
- Renamed Plink Execution
- Renamed ZOHO Dctask64 Execution
- Sdiagnhost Calling Suspicious Child Process
- Suspicious Calculator Usage
- Suspicious Child Process Of Wermgr.EXE
- Suspicious CodePage Switch Via CHCP
- Suspicious DumpMinitool Execution
- Suspicious MSDT Parent Process
- Suspicious Process Parents
- Suspicious Process Start Locations
- Suspicious Windows Update Agent Empty Cmdline
- System File Execution Location Anomaly
- Taskmgr as LOCAL_SYSTEM
- Windows Binaries Write Suspicious Extensions
Elastic 2 rules
- Potential Credential Access via Renamed COM+ Services DLL
- Potential Privileged Escalation via SamAccountName Spoofing
Splunk 6 rules
- Executables Or Script Creation In Suspicious Path
- Executables Or Script Creation In Temp Path
- Suspicious writes to windows Recycle Bin
- Windows Bluetooth Service Installed From Uncommon Location
- Windows NetSupport RMM DLL Loaded By Uncommon Process
- Windows TinyCC Shellcode Execution