# Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths.

**Example**

This technique is very simple: take a legitimate system utility and rename it. Logging rules or an IDS often match on specific strings to block execution, but what if, instead of calling rundll32, we call **"dllexecute"**? That is still rundll32, just renamed. Execution and functionality stay exactly the same, yet the defenses are bypassed because the string is no longer rundll32.

Two different command lines, but the same result, since rundll32 has only been renamed and its functionality has not changed.

![](/files/-MRhreii8wW2FkBgOQ98)

![](/files/-MRhrfw4OlRsVWOLFEdx)

Sometimes renaming utilities is enough to bypass security: in previous research, it seemed that renaming a payload to **MSBuild** was enough to prevent Defender from scanning it.
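The usual counter to this technique is to stop matching on the file name alone and instead compare it with the name the binary carries in its PE version resource (logged by Sysmon process-creation events as `OriginalFileName`), and to flag known utilities launched from outside their expected directories. The following detection check is an added example, not code from these notes; the Sysmon-style records, the expected-directory table and the `dllexecute.exe` sample are constructed for illustration.

```python
import ntpath

# Constructed sample Sysmon Event ID 1 (process creation) records, reduced to
# the two fields this check needs. Field names follow Sysmon's schema; values
# are made up for the example.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Users\Public\dllexecute.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Temp\rundll32.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe", "OriginalFileName": "MSBuild.exe"},
    {"Image": r"C:\Users\Public\MSBuild.exe", "OriginalFileName": "payload.exe"},
]

# Directories where the utilities named on this page normally live.
# Assumption: a default Windows layout; extend the table for your environment.
EXPECTED_DIRS = {
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "msbuild.exe": {r"c:\windows\microsoft.net\framework64\v4.0.30319",
                    r"c:\windows\microsoft.net\framework\v4.0.30319"},
}


def check_event(event):
    """Return the findings for one process-creation event (empty list if clean)."""
    findings = []
    directory, name = ntpath.split(event["Image"])
    name_l = name.lower()
    orig = event.get("OriginalFileName", "").lower()
    # Case 1 from the page: the file was renamed, but the version resource
    # still carries the original name, so on-disk name and OriginalFileName differ.
    if orig and orig != name_l:
        findings.append(f"renamed: {name} has OriginalFileName {event['OriginalFileName']}")
    # Case 2: a known utility, identified by either name, running from a
    # directory other than where it is installed (copied-and-moved variant).
    for key in (name_l, orig):
        if key in EXPECTED_DIRS and directory.lower() not in EXPECTED_DIRS[key]:
            findings.append(f"non-standard path: {key} launched from {directory}")
            break
    return findings


def scan(events):
    """Map each suspicious Image path to its list of findings."""
    results = {}
    for event in events:
        findings = check_event(event)
        if findings:
            results[event["Image"]] = findings
    return results


if __name__ == "__main__":
    for image, findings in scan(SAMPLE_EVENTS).items():
        print(image, "->", "; ".join(findings))
```

`OriginalFileName` is read from the PE version resource and can be absent, so in practice an empty value on a file that should carry one deserves its own finding rather than a pass.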
