> For the complete documentation index, see [llms.txt](https://dmcxblue.gitbook.io/red-team-notes-2-0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1036-masquerading/match-legitimate-name-or-location.md).

# Match Legitimate Name or location

Adversaries may match or approximate the name or location of legitimate files when naming/placing their files. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). Alternatively, the filename given may be a close approximation of legitimate programs or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

**Example:**

Here I will mimic rundll32

![](/files/-MRhrtiPNLVFcJ3q7sk-)

For the untrained eye we see that they look quite similar in their name but the difference is that rundll32 is now typed with uppercase "**i**". This might look similar just typing it here **rundll and rundII**  sometimes it also depends on the type of font it is being used.
