Match Legitimate Name or location

Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

Example:

Here I will mimic rundll32

For the untrained eye we see that they look quite similar in their name but the difference is that rundll32 is now typed with uppercase "i". This might look similar just typing it here rundll and rundII sometimes it also depends on the type of font it is being used.

PreviousMasquerade Task or Service NextT1202: Indirect Command Execution

Last updated 3 years ago