T1036: Masquerading

T1036 falls under the Defense Evasion tactic. Unlike techniques that exploit software vulnerabilities or steal credentials, masquerading exploits the trust assumptions baked into how humans and tools process information. An analyst scanning a process list for anomalies may skip over svchost.exe without checking its file path. An EDR rule may allow a signed binary to execute because the signature metadata was cloned from a legitimate Microsoft tool. A user may double-click invoice.pdf.exe because Windows helpfully hides the real extension.

The technique works across every platform — Windows, Linux, macOS, containers, and ESXi — and at every stage of the attack lifecycle. Adversaries use masquerading during initial access (disguising phishing payloads), persistence (naming malicious services after legitimate ones), defense evasion (renaming tools to avoid detection rules), and even exfiltration (renaming stolen data files to blend with normal file operations).

How Masquerading Works

Masquerading is a broad technique that encompasses any manipulation of artifact characteristics to appear benign. The attack chain typically follows a pattern: the adversary creates or modifies a malicious artifact, alters one or more of its identifying features to match something the target environment trusts, and then relies on that appearance of legitimacy to avoid scrutiny from both human analysts and automated detection tools.

File name and location manipulation. The simplest and most common form of masquerading. The adversary renames a malicious executable to match a known Windows system binary — svchost.exe, lsass.exe, csrss.exe, explorer.exe — and places it in a directory that looks plausible but is not the legitimate system path. A genuine svchost.exe lives in C:\Windows\System32\. A masquerading copy might run from C:\Users\Public\ or C:\ProgramData\. If a defender only checks the process name without verifying the full path, the malware hides in the noise of hundreds of legitimate svchost instances.

Metadata and code signature cloning. More sophisticated adversaries go beyond file names. Tools like MetaTwin allow attackers to copy the full metadata block — file description, product name, company name, version information — from a legitimate signed binary onto a malicious one. The resulting executable looks identical to the legitimate tool in file properties dialogs and many security consoles. The code signature itself is invalid (it was copied, not properly signed), but many security tools check only for the presence of signature metadata, not its validity.

Extension and icon deception. Adversaries abuse the fact that Windows hides known file extensions by default. A file named quarterly_report.pdf.exe displays as quarterly_report.pdf to the average user. Pair that with a PDF icon embedded in the executable's resources, and the user sees what appears to be a harmless document. The right-to-left override (RLO) Unicode character takes this further: inserting it into a filename can reverse the display order of characters, making invoice[RLO]fdp.exe appear as invoiceexe.pdf in file managers.

Process tree manipulation. Advanced malware breaks the parent-child process relationship that analysts and detection tools rely on for behavioral analysis. Techniques like double-forking on Linux, or using the CreateProcess API with specific flags on Windows, allow a malicious process to detach from its original parent — making it appear as though it was launched by a trusted system process instead of the malware dropper that spawned it.

Sub-Techniques (12)

MITRE ATT&CK defines twelve sub-techniques under T1036, reflecting the breadth of ways adversaries can disguise their artifacts. This is one of the largest sub-technique trees in the entire framework.

T1036.001 — Invalid Code Signature

Adversaries copy code signing metadata from legitimate, signed binaries onto their malware. The resulting signature is invalid (it will fail cryptographic validation), but many tools and analysts check only for the presence of a signature, not its validity. Tools like sigthief and MetaTwin automate this process. The cloned metadata makes the malware appear in process listings and file property dialogs as though it were published by Microsoft, Adobe, or another trusted vendor.

T1036.002 — Right-to-Left Override

The Unicode right-to-left override character (U+202E) reverses the visual rendering of text that follows it. An adversary can craft a filename like document[U+202E]fdp.exe that renders as documentexe.pdf in file browsers. This exploits the way operating systems display bidirectional text, making a user believe they are opening a document when they are executing a binary.

T1036.003 — Rename Legitimate Utilities

Instead of bringing their own tools, adversaries rename built-in system utilities to evade detection rules that trigger on specific binary names. For example, copying cmd.exe to helpdesk.exe or renaming PsExec.exe to winupdate.exe. The renamed utility functions identically — it is the same binary, just with a different name — but detection rules that look for cmd.exe or PsExec.exe will miss it entirely. Splunk maintains a specific detection analytic for renamed PsExec based on original filename metadata preserved in the PE header.

T1036.004 — Masquerade Task or Service

Adversaries name malicious scheduled tasks, Windows services, or Linux systemd units after legitimate system services. A persistence mechanism registered as Windows Update Service or syslogd can survive indefinitely because administrators see the service name and assume it is legitimate. The Tarrask malware, attributed to the Chinese APT HAFNIUM, used this technique with an added twist: it deleted the Security Descriptor registry value from its scheduled task, hiding the task from both schtasks and Task Scheduler while keeping it functional.

T1036.005 — Match Legitimate Resource Name or Location

The most commonly observed sub-technique. Adversaries place malicious executables in trusted directories like C:\Windows\System32\, C:\Program Files\, or /usr/bin/ and name them after legitimate programs. This exploits the trust that both humans and security tools place in well-known system paths. The CRASHOVERRIDE malware used to attack Ukraine's power grid placed its components in the Windows System32 directory with names mimicking legitimate services. Kimsuky's AppleSeed backdoor matched legitimate Korean software naming conventions to blend in on South Korean government systems.

T1036.006 — Space After Filename

Adding trailing spaces to a filename can cause certain security tools to fail to match the file against their detection rules. A file named malware.exe (with a trailing space) may not match a rule that looks for exact matches on malware.exe. This is a simple but effective bypass for tools that do not normalize filenames before comparison.

T1036.007 — Double File Extension

Similar to extension hiding, but uses a double extension like .pdf.exe or .docx.scr. When Windows is configured to hide known extensions (the default), only the first extension is visible to the user. Mustang Panda APT has used this technique extensively, delivering PlugX malware through files with names like meeting_notes.docx.exe. The RedLine and Vidar infostealers have also distributed payloads using double extensions combined with stolen EV code-signing certificates.

T1036.008 — Masquerade File Type

Adversaries alter a file's magic bytes (the header signature that identifies the file type) to masquerade as a different format. A malicious DLL can have its header bytes changed to match a JPEG or PNG, allowing it to pass file-type validation checks during upload or transfer. Volt Typhoon appended copies of stolen ntds.dit Active Directory databases with a .gif extension to blend exfiltrated data with normal image traffic. The BlackByte ransomware group disguised encryption key configuration files as PNG images.

T1036.009 — Break Process Trees

Malware severs the parent-child process relationship to evade behavioral detection rules that rely on process lineage. The XorDdos Linux trojan exemplifies this: at startup, it copies itself to /lib/libudev.so, performs a double fork() to detach from the original parent, then deletes the original binary. The result is a persistent process with no visible connection to the malware that spawned it. On Windows, adversaries can use the PROC_THREAD_ATTRIBUTE_PARENT_PROCESS flag in CreateProcess to spoof the parent process ID entirely.

T1036.010 — Masquerade Account Name

Adversaries create or rename user accounts to resemble service accounts, administrative accounts, or other expected system identities. An account named svc_backup, admin_temp, or MSSQL$INSTANCE may go unquestioned in environments where these naming conventions are standard. This technique is particularly effective in Active Directory environments where hundreds or thousands of service accounts exist and auditing is inconsistent.

T1036.011 — Overwrite Process Arguments

After a process has started with its true command-line arguments, the malware overwrites the process's PEB (Process Environment Block) to replace the visible arguments with benign-looking ones. Tools that inspect the PEB — including Task Manager, Process Explorer, and even Sysmon in certain configurations — will see the spoofed arguments rather than the real ones. This means a PowerShell instance launched with -EncodedCommand [base64_payload] could appear to be running -Version 5.1 instead.

T1036.012 — Browser Fingerprint

The newest addition to the masquerading sub-technique tree (added October 2025). Adversaries spoof browser and system attributes in their C2 traffic — user-agent strings, operating system identifiers, screen resolution, time zone, and language settings — to make command-and-control communications appear as normal web browsing. APT29 (Cozy Bear) has used this technique to make their C2 beaconing traffic appear as legitimate browser sessions, making it indistinguishable from normal employee web activity in network logs.

Real-World Case Studies

APT29 / NOBELIUM — SolarWinds SUNBURST Campaign (T1036.004, T1036.005, T1036.012)

The SolarWinds compromise remains one of the most sophisticated masquerading operations ever documented. APT29, attributed to Russia's Foreign Intelligence Service (SVR), injected the SUNBURST backdoor into the SolarWinds Orion build process. The backdoor was digitally signed with SolarWinds' legitimate code-signing certificate, distributed through normal software update channels, and installed by approximately 18,000 organizations worldwide.

The masquerading was multi-layered. SUNBURST's network traffic mimicked the Orion Improvement Program (OIP) protocol, making C2 communications appear as routine SolarWinds telemetry. Reconnaissance data was stored inside legitimate plugin configuration files. Subsequent-stage tools like GoldMax, GoldFinder, and Raindrop were renamed and placed in directories to match legitimate applications — Raindrop included modified 7-Zip source code with matching export names to pass static analysis. The backdoor went undetected for approximately 14 months before FireEye discovered it in December 2020.

Contagious Interview / DPRK — BeaverTail Masquerading as Legitimate Applications (T1036.005, T1036.007)

North Korean state-sponsored actors behind the Contagious Interview campaign have been masquerading malware as legitimate video conferencing and development applications since at least 2023, with significant escalation throughout 2025. The BeaverTail malware has been distributed as fake versions of MiroTalk, FreeConference, Zoom, and other conferencing tools, targeting software developers through fabricated job interview processes.

In 2025 alone, GitLab identified and banned 131 accounts distributing malicious code projects that contained BeaverTail. The FBI seized the domain of BlockNovas LLC, one of three front companies the group established to distribute the malware. The campaign has expanded to abuse VS Code automation features, with malicious repositories designed to execute BeaverTail automatically when opened in the editor. The group has also been observed using AI tools to develop custom obfuscators for their malware, specifically testing whether AI models could de-obfuscate their code to refine evasion capabilities.

HAFNIUM / Tarrask — Hidden Scheduled Task Masquerading (T1036.004)

Microsoft discovered the Tarrask malware in April 2022, attributed to the Chinese state-sponsored group HAFNIUM. Tarrask created scheduled tasks to maintain persistence, but went further than typical task masquerading: after creating the task, it deleted the task's Security Descriptor (SD) registry value. This caused the task to disappear from Task Scheduler and schtasks.exe output entirely, while remaining fully functional. The task would execute on schedule, but no standard administrative tool could see it. Only direct registry examination could reveal its presence. The tasks were named to resemble legitimate Windows maintenance operations.

NotPetya — Masquerading as Ransomware (T1036.005, T1036.004)

The NotPetya attack of June 2017, attributed to the Russian military intelligence agency GRU, masqueraded on multiple levels simultaneously. The malware itself was disguised as the legitimate Petya ransomware, but was designed purely for destruction — the encryption was irreversible regardless of payment. On infected systems, NotPetya masqueraded its components as Windows system files, placed binaries in trusted directories, and created scheduled tasks with legitimate-sounding names. The initial infection vector came through a legitimate Ukrainian tax accounting software (M.E.Doc) whose update mechanism was compromised — masquerading the malware delivery as a routine software update.

MedusaLocker Ransomware — svchost.exe Masquerading (T1036.005)

The MedusaLocker ransomware family, which has generated hundreds of new variants since 2025, places its payload in the %AppData%\Roaming\ directory with the name svchostt.exe — a single extra character that is easy for a human to overlook when scanning process lists. The subtle misspelling is designed to slip past both manual review and detection rules that match only the exact string svchost.exe. This technique is particularly effective because legitimate svchost instances are among the most numerous processes on any Windows system, and analysts routinely filter them from investigation.

Detection Strategies

Detecting masquerading requires shifting from name-based trust to behavior-based verification. The core principle: legitimate system binaries have expected file paths, parent processes, user contexts, and execution patterns. Anything that deviates from those expectations — even if the name looks right — warrants investigation.

Key Monitoring Points

Data Source	What to Monitor	Detection Logic
Sysmon Event ID 1 (Process Creation)	Process name vs. image path mismatches	Flag any svchost.exe, lsass.exe, csrss.exe, services.exe, winlogon.exe, smss.exe, or explorer.exe executing from outside their expected System32 paths
Sysmon Event ID 1 (Process Creation)	Original filename in PE header vs. actual filename	The PE header's OriginalFileName field is set at compile time and persists even after renaming. Flag processes where the executing filename differs from the original filename in the binary header
Sysmon Event ID 7 (Image Loaded)	Unsigned DLLs in trusted paths	Flag DLLs loaded from System32, AppData, Temp, or Public that lack valid digital signatures
Sysmon Event ID 11 (File Created)	Executables created in trusted system directories	Alert on new .exe, .dll, or .scr files written to C:\Windows\System32\ or C:\Windows\ outside of expected update processes
Sysmon Event ID 13 (Registry)	Service and scheduled task registration	Monitor HKLM\SYSTEM\CurrentControlSet\Services\ and scheduled task registry keys for new entries. Cross-reference service names against a known-good baseline
File Integrity Monitoring	Changes to system binaries	Hash all binaries in System32 and SysWOW64 and alert on modifications, additions, or replacements outside of patch cycles
EDR / Process Telemetry	Parent process anomalies	Validate that critical processes have their expected parents: svchost.exe should be spawned by services.exe, lsass.exe by wininit.exe, csrss.exe by smss.exe

Splunk Detection Queries

Query 1: Windows Process Masquerading by Path Mismatch

Detects critical Windows processes running from unexpected file paths. This is the single highest-value detection for T1036.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
(process_name=svchost.exe NOT (process_path="C:\\Windows\\System32\\svchost.exe"
  OR process_path="C:\\Windows\\SysWow64\\svchost.exe"))
OR (process_name=lsass.exe NOT process_path="C:\\Windows\\System32\\lsass.exe")
OR (process_name=csrss.exe NOT process_path="C:\\Windows\\System32\\csrss.exe")
OR (process_name=services.exe NOT process_path="C:\\Windows\\System32\\services.exe")
OR (process_name=winlogon.exe NOT process_path="C:\\Windows\\System32\\winlogon.exe")
OR (process_name=smss.exe NOT process_path="C:\\Windows\\System32\\smss.exe")
OR (process_name=explorer.exe NOT process_path="C:\\Windows\\explorer.exe")
| table _time host process_name process_path parent_process_name user
| sort -_time

Query 2: Renamed System Utilities via PE Header OriginalFileName

Detects binaries whose executing filename does not match the original filename compiled into their PE header. Catches renamed PsExec, cmd.exe, PowerShell, and other commonly abused utilities.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
| where isnotnull(OriginalFileName) AND OriginalFileName!="?" AND OriginalFileName!=process_name
| eval mismatch=process_name." (original: ".OriginalFileName.")"
| search OriginalFileName IN ("cmd.exe","powershell.exe","psexec.exe","psexec64.exe",
  "PsExec.c","rundll32.exe","regsvr32.exe","mshta.exe","wscript.exe","cscript.exe")
| table _time host mismatch process_path parent_process_name CommandLine user
| sort -_time

Query 3: Executables with Double File Extensions

Detects files with suspicious double extensions commonly used to trick users into executing malicious payloads.

index=windows source="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| rex field=TargetFilename "(?<double_ext>\.\w{2,4}\.(exe|scr|bat|cmd|com|pif|vbs|js|wsf|hta))$"
| where isnotnull(double_ext)
| table _time host TargetFilename Image User
| sort -_time

Known Threat Actors

T1036 has one of the largest documented threat actor lists in the MITRE ATT&CK framework, with 51 known groups employing the technique. The following are among the most prominent:

Threat Actor	Affiliation	Masquerading Technique Used
APT29 / Midnight Blizzard	Russia (SVR)	C2 traffic mimicking legitimate protocols, renamed post-exploitation tools, Raindrop embedding 7-Zip source code (T1036.005, T1036.012)
Contagious Interview	DPRK	BeaverTail masquerading as MiroTalk, FreeConference, Zoom; malicious npm packages with legitimate names (T1036.005, T1036.007)
HAFNIUM	China	Tarrask hidden scheduled tasks named after legitimate Windows services (T1036.004)
Volt Typhoon	China	Exfiltrated ntds.dit with .gif extension, living-off-the-land with renamed utilities (T1036.003, T1036.008)
Mustang Panda	China	PlugX delivery via double file extensions, masqueraded executables as European Commission documents (T1036.007, T1036.008)
APT32 / OceanLotus	Vietnam	Cobalt Strike beacon disguised as Flash Installer (T1036.005)
Scattered Spider	Cybercriminal	Social engineering combined with masqueraded tooling for enterprise compromise (T1036.005)
Sandworm	Russia (GRU)	NotPetya disguised as Petya ransomware; destructive wiper masquerading as encryption malware (T1036.004, T1036.005)
OilRig / APT34	Iran	Malicious executables using .doc extensions to evade analysis (T1036.005)
TrickBot / Anchor	Cybercriminal	Payloads placed in trusted directories with legitimate-sounding names (T1036.005)

Defensive Recommendations

1. Enforce file extension visibility

Deploy a Group Policy to disable the "Hide extensions for known file types" setting across all endpoints. This single change defeats both double-extension and RLO-based masquerading by ensuring users see the true file type. Apply via Computer Configuration > Administrative Templates > Windows Components > File Explorer > Turn off hiding of known file extensions.

2. Validate code signatures, not just their presence

Configure application control policies (AppLocker, WDAC) to verify that code signatures are cryptographically valid, not merely present. A cloned signature from MetaTwin or sigthief will fail validation even though it appears authentic in file property dialogs. This closes the T1036.001 sub-technique entirely for environments with enforced application control.

3. Implement process path baselines

Establish and enforce baselines for critical Windows processes. Monitor for any execution of svchost.exe, lsass.exe, csrss.exe, services.exe, winlogon.exe, and smss.exe from outside their expected System32 paths. This should be a high-fidelity, zero-tolerance alert — there is no legitimate reason for these binaries to execute from user-writable directories.

4. Deploy file integrity monitoring on system directories

Monitor C:\Windows\System32\, C:\Windows\SysWOW64\, and C:\Windows\ for any new executable files created outside of patching windows. Hash every binary in these directories against a known-good baseline and alert immediately on deviations. This catches both placement-based masquerading and binary replacement attacks.

5. Leverage OriginalFileName PE header validation

The OriginalFileName field in a Windows PE binary header is set at compile time and persists through renaming. Configure Sysmon or your EDR to compare the executing filename against the OriginalFileName metadata. Any mismatch should trigger investigation, as it indicates either a renamed legitimate utility (T1036.003) or a malware binary compiled with misleading metadata.

6. Harden scheduled task and service monitoring

Audit scheduled tasks and Windows services against a known-good inventory on a regular cadence. Directly query the registry at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\ rather than relying solely on schtasks output, which can be manipulated by techniques like Tarrask. Any task or service not in the baseline warrants immediate investigation.

7. Restrict user-writable paths from executing code

Use application control policies to prevent execution of binaries from %TEMP%, %AppData%, C:\Users\Public\, Downloads, and other user-writable directories. This dramatically reduces the attack surface for masquerading because adversaries can no longer simply drop a renamed payload in a user-accessible location and execute it.

8. Implement parent process validation rules

Build detection rules that validate expected parent-child process relationships. If svchost.exe has a parent other than services.exe, or lsass.exe has a parent other than wininit.exe, that is a strong indicator of either process tree manipulation (T1036.009) or masquerading. These rules have an extremely low false-positive rate in production environments.

MITRE ATT&CK Mapping

Field	Value
Technique ID	T1036
Technique Name	Masquerading
Tactics	Defense Evasion
Platforms	Windows, Linux, macOS, Containers, ESXi
Sub-Techniques	T1036.001 Invalid Code Signature, T1036.002 Right-to-Left Override, T1036.003 Rename Legitimate Utilities, T1036.004 Masquerade Task or Service, T1036.005 Match Legitimate Resource Name or Location, T1036.006 Space After Filename, T1036.007 Double File Extension, T1036.008 Masquerade File Type, T1036.009 Break Process Trees, T1036.010 Masquerade Account Name, T1036.011 Overwrite Process Arguments, T1036.012 Browser Fingerprint
Data Sources	Process (Creation, Metadata), File (Creation, Metadata, Modification), Scheduled Job (Creation, Modification), Service (Creation, Modification), Command (Execution), Network Traffic (Content)
Defenses Bypassed	Application Control, Antivirus, Log Analysis, Host Forensic Analysis, Process Whitelisting
MITRE Reference	attack.mitre.org/techniques/T1036

Sources and References

• MITRE ATT&CK — T1036 Masquerading: attack.mitre.org
• Picus Security — Red Report 2026 and T1036 Masquerading Explained: picussecurity.com
• Red Canary — Catch Me If You Code: How to Detect Process Masquerading: redcanary.com
• MITRE Cyber Analytics Repository — CAR-2021-04-001 Common Windows Process Masquerading: car.mitre.org
• Microsoft Threat Intelligence — Tarrask Hidden Scheduled Tasks: microsoft.com
• Unit 42 — Contagious Interview: BeaverTail and InvisibleFerret: unit42.paloaltonetworks.com
• GitLab Threat Intelligence — North Korean Tradecraft and Contagious Interview (2025): gitlab.com