T1036

Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitor...

Platforms: Containers, ESXi, Linux, macOS, Windows
525 Detections | 4 Sources | 20 Threat Actors

BY SOURCE

410 sublime | 65 elastic | 39 sigma | 11 splunk_escu

PROCEDURES (143)

General Monitoring: 37 detections (auto-extracted)
Attachment: 28 detections (auto-extracted)
Authentication Monitoring: 21 detections (auto-extracted)
Email Security: 21 detections (auto-extracted)
Credential: 20 detections (auto-extracted)
Email: 17 detections (auto-extracted)
Script Execution Monitoring: 13 detections (auto-extracted)
Process Creation Monitoring: 13 detections (auto-extracted)
Base64: 11 detections (auto-extracted)
Impersonat: 11 detections (auto-extracted)
Attachment: 11 detections (auto-extracted)
Bypass: 10 detections (auto-extracted)
Service: 10 detections (auto-extracted)
Credential: 9 detections (auto-extracted)
Network Connection Monitoring: 9 detections (auto-extracted)
Dump: 8 detections (auto-extracted)
Impersonat: 8 detections (auto-extracted)
Phish: 7 detections (auto-extracted)
Suspicious: 7 detections (auto-extracted)
Obfuscat: 6 detections (auto-extracted)
Phish: 6 detections (auto-extracted)
Email: 6 detections (auto-extracted)
Bypass: 6 detections (auto-extracted)
Suspicious: 5 detections (auto-extracted)
Service: 5 detections (auto-extracted)
Suspicious: 5 detections (auto-extracted)
Phish: 5 detections (auto-extracted)
Base64: 5 detections (auto-extracted)
Ransomware: 5 detections (auto-extracted)
Unusual: 4 detections (auto-extracted)
Credential: 4 detections (auto-extracted)
Masquerad: 4 detections (auto-extracted)
Service: 4 detections (auto-extracted)
Download: 4 detections (auto-extracted)
Masquerad: 4 detections (auto-extracted)
Credential: 4 detections (auto-extracted)
Download: 4 detections (auto-extracted)
Encrypt: 4 detections (auto-extracted)
Credential: 4 detections (auto-extracted)
Suspicious: 4 detections (auto-extracted)
Attachment: 4 detections (auto-extracted)
Office: 4 detections (auto-extracted)
Evasion: 3 detections (auto-extracted)
Bypass: 3 detections (auto-extracted)
Kernel: 3 detections (auto-extracted)
Unusual: 3 detections (auto-extracted)
Anomal: 3 detections (auto-extracted)
Encrypt: 3 detections (auto-extracted)
Service: 3 detections (auto-extracted)
Encrypt: 3 detections (auto-extracted)
Obfuscat: 3 detections (auto-extracted)
Evasion: 3 detections (auto-extracted)
Child Process: 3 detections (auto-extracted)
Cloud: 2 detections (auto-extracted)
Http: 2 detections (auto-extracted)
Driver: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Impersonat: 2 detections (auto-extracted)
Phish: 2 detections (auto-extracted)
Ransomware: 2 detections (auto-extracted)
Inject: 2 detections (auto-extracted)
Parent Process: 2 detections (auto-extracted)
Office: 2 detections (auto-extracted)
Inject: 2 detections (auto-extracted)
Child Process: 2 detections (auto-extracted)
Privilege: 2 detections (auto-extracted)
Attachment: 2 detections (auto-extracted)
Evasion: 2 detections (auto-extracted)
Macro: 2 detections (auto-extracted)
Suspicious: 2 detections (auto-extracted)
Service: 2 detections (auto-extracted)
Evasion: 2 detections (auto-extracted)
Obfuscat: 2 detections (auto-extracted)
Persist: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Service: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Remote: 1 detection (auto-extracted)
Api: 1 detection (auto-extracted)
Cloud: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
Token: 1 detection (auto-extracted)
Command Line Monitoring: 1 detection (auto-extracted)
Impersonat: 1 detection (auto-extracted)
Api: 1 detection (auto-extracted)
Exfiltrat: 1 detection (auto-extracted)
Token: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Base64: 1 detection (auto-extracted)
Download: 1 detection (auto-extracted)
Kernel: 1 detection (auto-extracted)
Bypass: 1 detection (auto-extracted)
Lsass: 1 detection (auto-extracted)
Ransomware: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Shellcode: 1 detection (auto-extracted)
Download: 1 detection (auto-extracted)
Obfuscat: 1 detection (auto-extracted)
Http: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Aws: 1 detection (auto-extracted)
Macro: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Office: 1 detection (auto-extracted)
Attachment: 1 detection (auto-extracted)
Evasion: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Exfiltrat: 1 detection (auto-extracted)
Obfuscat: 1 detection (auto-extracted)
Obfuscat: 1 detection (auto-extracted)
Lsass: 1 detection (auto-extracted)
Download: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Privilege: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Inject: 1 detection (auto-extracted)
Impersonat: 1 detection (auto-extracted)
Aws: 1 detection (auto-extracted)
Cloud: 1 detection (auto-extracted)
Oauth: 1 detection (auto-extracted)
Oauth: 1 detection (auto-extracted)
Email: 1 detection (auto-extracted)
Anomal: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Bypass: 1 detection (auto-extracted)
Kernel: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Unusual: 1 detection (auto-extracted)
Child Process: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Parent Process: 1 detection (auto-extracted)
Suspicious: 1 detection (auto-extracted)
Persist: 1 detection (auto-extracted)
Dll Side: 1 detection (auto-extracted)
Exfiltrat: 1 detection (auto-extracted)
Api: 1 detection (auto-extracted)
Download: 1 detection (auto-extracted)

DETECTIONS (525)

Abnormal Process ID or Lock File Created (elastic, medium)
Abuse: Cloudflare Workers Hosted EvilTokens Domain Structure (sublime, high)
Adobe branded PDF file linking to a password-protected file from untrusted sender (sublime, high)
Agent Spoofing - Multiple Hosts Using Same Agent (elastic, high)
Attachment with encrypted zip (unsolicited) (sublime, medium)
Attachment with macro calling executable (sublime, high)
Attachment with unscannable encrypted zip (sublime, medium)
Attachment: .csproj with suspicious commands (sublime, high)
Attachment: 7z Archive Containing RAR File (sublime, medium)
Attachment: Any .sap file (unsolicited) (sublime, low)
Attachment: Any HTML file within archive (unsolicited) (sublime, medium)
Attachment: Archive containing disallowed file type (sublime, low)
Attachment: Archive containing HTML file with file scheme link (sublime, high)
Attachment: Archive with embedded CHM file (sublime, medium)
Attachment: Archive with embedded EXE file (sublime, high)
Attachment: Archive with pdf, txt and wsf files (sublime, medium)
Attachment: Base64 encoded bash command in filename (sublime, high)
Attachment: Calendar file with invisible Unicode characters (sublime, high)
Attachment: Calendar invite from recently registered domain (sublime, high)
Attachment: Callback phishing solicitation via image file (sublime, high)
Attachment: Callback phishing solicitation via pdf file (sublime, high)
Attachment: Callback phishing solicitation via text-based file (sublime, medium)
Attachment: DocX embedded binary (sublime, high)
Attachment: DOCX with hyperlink targeting recipient address (sublime, medium)
Attachment: Double base64-encoded zip file in HTML smuggling attachment (sublime, high)
Attachment: Embedded VBScript in MHT file (sublime, medium)
Attachment: EML containing a base64 encoded script (sublime, high)
Attachment: EML file contains HTML attachment with login portal indicators (sublime, high)
Attachment: EML file with HTML attachment (unsolicited) (sublime, medium)
Attachment: EML file with IPFS links (sublime, medium)
Attachment: EML with embedded Javascript in SVG file (sublime, high)
Attachment: EML with Encrypted ZIP (sublime, low)
Attachment: EML with link to credential phishing page (sublime, high)
Attachment: EML with QR code redirecting to Cloudflare challenges (sublime, low)
Attachment: EML with SharePoint files shared from GoDaddy federated tenants (sublime, low)
Attachment: EML with Sharepoint link likely unrelated to sender (sublime, medium)
Attachment: EML with suspicious indicators (sublime, medium)
Attachment: Emotet heavily padded doc in zip file (sublime, high)
Attachment: Employment contract update with suspicious file naming (sublime, high)
Attachment: Encrypted PDF with credential theft body (sublime, medium)
Attachment: Encrypted ZIP containing VHDX file (sublime, medium)
Attachment: Encrypted zip file with payment-related lure (sublime, medium)
Attachment: Excel file with suspicious template identifier (sublime, high)
Attachment: Excel Web Query File (IQY) (sublime, high)
Attachment: Fake attachment image lure (sublime, medium)
Attachment: Fake Slack installer (sublime, high)
Attachment: Fake Zoom installer (sublime, high)
Attachment: File execution via Javascript (sublime, medium)
Attachment: Filename containing Unicode braille pattern blank character (sublime, high)
Attachment: Filename containing Unicode right-to-left override character (sublime, high)
Attachment: Finance themed PDF with observed phishing template (sublime, medium)
Attachment: HTML attachment with Javascript location (sublime, high)
Attachment: HTML file contains exclusively Javascript (sublime, medium)
Attachment: HTML file with excessive 'const' declarations and abnormally long timeouts (sublime, high)
Attachment: HTML file with excessive padding and suspicious patterns (sublime, high)
Attachment: HTML smuggling 'body onload' linking to suspicious destination (sublime, high)
Attachment: HTML smuggling 'body onload' with high entropy and suspicious text (sublime, high)
Attachment: HTML smuggling with atob and high entropy via calendar invite (sublime, high)
Attachment: HTML smuggling with base64 encoded ZIP file (sublime, medium)
Attachment: HTML smuggling with concatenation obfuscation (sublime, high)
Attachment: HTML smuggling with decimal encoding (sublime, high)
Attachment: HTML smuggling with embedded base64-encoded executable (sublime, high)
Attachment: HTML smuggling with embedded base64-encoded ISO (sublime, high)
Attachment: HTML smuggling with eval and atob (sublime, high)
Attachment: HTML smuggling with eval and atob via calendar invite (sublime, high)
Attachment: HTML smuggling with excessive line break obfuscation (sublime, high)
Attachment: HTML smuggling with excessive string concatenation and suspicious patterns (sublime, medium)
Attachment: HTML smuggling with fromCharCode and other signals (sublime, high)
Attachment: HTML smuggling with hex strings (sublime, medium)
Attachment: HTML smuggling with high entropy and other signals (sublime, high)
Attachment: HTML smuggling with raw array buffer (sublime, high)
Attachment: HTML smuggling with RC4 decryption (sublime, high)
Attachment: HTML smuggling with ROT13 (sublime, high)
Attachment: HTML smuggling with setTimeout (sublime, high)
Attachment: HTML smuggling with unescape (sublime, high)
Attachment: HTML with emoji-to-character map (sublime, high)
Attachment: HTML with hidden body (sublime, high)
Attachment: HTML with JavaScript functions for HTTP requests (sublime, high)
Attachment: ICS calendar file with base64 encoded recipient address in URL parameters (sublime, high)
Attachment: ICS calendar file with QR code containing recipient email address (sublime, high)
Attachment: ICS calendar file with suspicious product identifier (sublime, medium)
Attachment: ICS calendar with embedded file from internal sender with SPF failure (sublime, high)
Attachment: ICS file with AWS Lambda URL (sublime, medium)
Attachment: ICS file with excessive custom properties (sublime, medium)
Attachment: ICS file with non-Gregorian calendar scale (sublime, medium)
Attachment: ICS with embedded document (sublime, low)
Attachment: ICS with embedded Javascript in SVG file (sublime, high)
Attachment: ICS with employee policy review lure (sublime, high)
Attachment: JavaScript file with suspicious base64-encoded executable (sublime, high)
Attachment: Legal themed message or PDF with suspicious indicators (sublime, medium)
Attachment: Link file with UNC path (sublime, medium)
Attachment: Link to Doubleclick.net open redirect (sublime, medium)
Attachment: Macro files containing MHT content (sublime, medium)
Attachment: Malformed OLE file (sublime, high)
Attachment: MS Office or RTF file with Shell.Explorer.1 com object with embedded LNK (sublime, medium)
Attachment: MSI installer file (sublime, medium)
Attachment: Office file contains OLE relationship to credential phishing page (sublime, high)
Attachment: Office file with credential phishing URLs (sublime, medium)
Attachment: Office file with document sharing and browser instruction lures (sublime, high)
Attachment: Office file with suspicious function calls or downloaded file path (sublime, high)
Attachment: OLE external relationship containing file scheme link to executable filetype (sublime, high)
Attachment: OLE external relationship containing file scheme link to IP address (sublime, high)
Attachment: Password-protected PDF with fake document indicators (sublime, medium)
Attachment: PDF file with low reputation link to ZIP file (unsolicited) (sublime, medium)
Attachment: PDF file with low reputation links to suspicious filetypes (unsolicited) (sublime, medium)
Attachment: PDF generated with wkhtmltopdf tool and default title (sublime, low)
Attachment: PDF Object Hash - Encrypted PDFs with fake payment notification (sublime, medium)
Attachment: PDF proposal with credential theft indicators (sublime, high)
Attachment: PDF with a suspicious string and single URL (sublime, high)
Attachment: PDF with embedded Javascript (sublime, medium)
Attachment: PDF with JSFck obfuscation (sublime, high)
Attachment: PDF with link to DMG file download (sublime, medium)
Attachment: PDF with link to zip containing a wsf file (sublime, high)
Attachment: PDF with multistage landing - ClickUp abuse (sublime, high)
Attachment: PDF with password in filename matching body text (sublime, medium)
Attachment: PDF with ReportLab library and default metadata (sublime, low)
Attachment: PDF with split QR code (sublime, medium)
Attachment: PDF with suspicious HeadlessChrome metadata (sublime, medium)
Attachment: PDF with suspicious language and redirect to suspicious file type (sublime, high)
Attachment: PDF with suspicious link and action-oriented language (sublime, high)
Attachment: PDF with suspicious view document characteristics (sublime, medium)
Attachment: Potential sandbox evasion in Office file (sublime, high)
Attachment: PowerPoint with suspicious hyperlink (sublime, high)
Attachment: Python generated PDF with link (sublime, medium)
Attachment: QR code link with base64-encoded recipient address (sublime, high)
Attachment: QR code with encoded recipient targeting and redirect indicators (sublime, high)
Attachment: QR code with recipient targeting and special characters (sublime, high)
Attachment: QR code with suspicious URL patterns in EML file (sublime, high)
Attachment: QR code with userinfo portion (sublime, high)
Attachment: RFC822 containing suspicious file sharing language with links from untrusted sender (sublime, medium)
Attachment: RTF file with suspicious link (sublime, medium)
Attachment: RTF with embedded content (sublime, medium)
Attachment: Self-sender PDF with minimal content and view prompt (sublime, high)
Attachment: SFX archive containing commands (sublime, medium)
Attachment: Small text file with link containing recipient email address (sublime, medium)
Attachment: Suspicious employee policy update document lure (sublime, medium)
Attachment: Suspicious PDF created with headless browser (sublime, high)
Attachment: SVG file with HTML entity encoded href attributes (sublime, medium)
Attachment: SVG file with hyperlinks and cursor styling (sublime, medium)
Attachment: SVG files with evasion elements (sublime, high)
Attachment: TAR file with RAR type (sublime, high)
Attachment: Web files with suspicious comments (sublime, high)
Attachment: WinRAR CVE-2025-8088 exploitation (sublime, high)
Attachment: XLSX file with suspicious print titles metadata (sublime, high)
Attachment: ZIP file with CVE-2026-0866 exploit (sublime, medium)
BEC with unusual reply-to or return-path mismatch (sublime, high)
BEC/Fraud: Reply-chain manipulation with urgent keywords and self-reply (sublime, medium)
Benefits enrollment impersonation (sublime, high)
Binary Executed from Shared Memory Directory (elastic, high)
Body HTML: Comment with 24-character hex token (sublime, low)
Body HTML: Recipient SLD in HTML class (sublime, medium)
Body: Embedded email headers indicative of thread hijacking/abuse (sublime, medium)
Body: HTML whitespace stuffing with short initial message (sublime, medium)
Body: Suspicious date format (sublime, medium)
Brand impersonation: Coinbase with suspicious links (sublime, medium)
Brand impersonation: DocuSign with embedded QR code (sublime, high)
Brand impersonation: File sharing notification with template artifacts (sublime, low)
Brand impersonation: Microsoft logo in HTML with fake quarantine release notification (sublime, high)
Brand impersonation: Microsoft Planner with suspicious link (sublime, medium)
Brand impersonation: QuickBooks notification from Intuit themed company name (sublime, medium)
Brand Impersonation: ShareFile (sublime, medium)
Brand impersonation: SharePoint PDF attachment with credential theft language (sublime, medium)
Brand impersonation: Stripe notification (sublime, medium)
Brand impersonation: Zoom (sublime, medium)
Business Email Compromise (BEC) attempt with masked recipients and reply-to mismatch (unsolicited) (sublime, medium)
Callback phishing via Adobe Sign comment (sublime, high)
Callback phishing via calendar invite (sublime, medium)
Callback phishing via DocuSign comment (sublime, high)
Callback phishing via Intuit service abuse (sublime, medium)
Callback phishing via Zelle Service Abuse (sublime, medium)
Callback phishing via Zoho service abuse (sublime, medium)
Callback phishing: Social Security Administration fraud (sublime, medium)
Callback phishing: SumUp infrastructure abuse (sublime, high)
Canva design with suspicious embedded link (sublime, high)
Cisco NVM - Non-Network Binary Making Network Connection (splunk_escu)
CodePage Modification Via MODE.COM (sigma, low)
CodePage Modification Via MODE.COM To Russian Language (sigma, medium)
Conhost Spawned By Suspicious Parent Process (elastic, high)
CreateDump Process Dump (sigma, high)
Credential Phishing via Dropbox comment abuse (sublime, medium)
Credential phishing: Generic document share template (sublime, low)
Credential phishing: Generic document sharing (sublime, medium)
Credential phishing: Hyper-linked image leading to free file host (sublime, medium)
Credential phishing: Image as content, short or no body contents (sublime, medium)
Credential Phishing: Suspicious language, link, recipients and other indicators (sublime, medium)
Credential Phishing: W-2 lure with inline SVG Windows logo (sublime, high)
Credential theft with 'safe content' deception and social engineering topics (sublime, medium)
Credential theft: Gophish abuse with hidden tracking image (sublime, high)
CVE-2023-5631 - Roundcube Webmail XSS via crafted SVG (sublime, critical)
Cyrillic vowel substitution in subject or display name from unknown sender (sublime, medium)
Cyrillic vowel substitutions with suspicious subject from unknown sender (sublime, medium)
Directory Creation in /bin directory (elastic, low)
Display Name Emoji with Financial Symbols (sublime, low)
DumpMinitool Execution (sigma, medium)
EML attachment with credential theft language (unknown sender) (sublime, high)
Encrypted Microsoft Office files from untrusted sender (sublime, medium)
Executable File Creation with Multiple Extensions (elastic, medium)
Executable Masquerading as Kernel Process (elastic, high)
Executables Or Script Creation In Suspicious Path (splunk_escu)
Executables Or Script Creation In Temp Path (splunk_escu)