T1036.005

Match Legitimate Resource Name or Location

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containeri...

Platforms: Containers, ESXi, Linux, macOS, Windows

44 detections, 3 sources, 59 threat actors

By source: 24 elastic, 14 sigma, 6 splunk_escu

PROCEDURES (32)

Each procedure category below was auto-extracted from the detections, with the number of detections it covers:

Process Creation Monitoring: 5 detections
Privilege: 3 detections
General Monitoring: 3 detections
Service: 2 detections
Network Connection Monitoring: 2 detections
Bypass: 2 detections
Parent Process: 2 detections
Persist: 1 detection
Child Process: 1 detection
Masquerad: 1 detection
Evasion: 1 detection
Privilege: 1 detection
Child Process: 1 detection
Suspicious: 1 detection
Scheduled Task: 1 detection
Masquerad: 1 detection
Child Process: 1 detection
Inject: 1 detection
Kernel: 1 detection
Suspicious: 1 detection
Masquerad: 1 detection
Evasion: 1 detection
Container: 1 detection
Inject: 1 detection
Module Load Monitoring: 1 detection
Script Execution Monitoring: 1 detection
Dll Side: 1 detection
Kernel: 1 detection
Container: 1 detection
Suspicious: 1 detection
Command Line Monitoring: 1 detection
File Monitoring: 1 detection

DETECTIONS (44)

Each detection is listed as: name (source, severity where the source assigns one).

Abnormal Process ID or Lock File Created (elastic, medium)
Attacker Tools On Endpoint (splunk_escu)
Creation Of Pod In System Namespace (sigma, medium)
Directory Creation in /bin directory (elastic, low)
Executable Masquerading as Kernel Process (elastic, high)
Execution from Unusual Directory - Command Line (elastic, medium)
Execution via Windows Command Debugging Utility (elastic, medium)
Files With System DLL Name In Unsuspected Locations (sigma, medium)
Files With System Process Name In Unsuspected Locations (sigma, medium)
Flash Player Update from Suspicious Location (sigma, high)
Potential Binary Impersonating Sysinternals Tools (sigma, medium)
Potential CVE-2025-33053 Exploitation (elastic, high)
Potential Masquerading as Business App Installer (elastic, low)
Potential Masquerading as Communication Apps (elastic, medium)
Potential Masquerading as Svchost (elastic, high)
Potential Microsoft Office Sandbox Evasion (elastic, high)
Potential MsiExec Masquerading (sigma, high)
Potential Privilege Escalation via InstallerFileTakeOver (elastic, high)
Potential Process Name Stomping with Prctl (elastic, high)
Potential Windows Error Manager Masquerading (elastic, medium)
Process Execution from an Unusual Directory (elastic, medium)
Process Started from Process ID (PID) File (elastic, high)
Program Files Directory Masquerading (elastic, medium)
Scheduled Task Creation Masquerading as System Processes (sigma, high)
Signed Proxy Execution via MS Work Folders (elastic, medium)
Suspicious Communication App Child Process (elastic, medium)
Suspicious Endpoint Security Parent Process (elastic, medium)
Suspicious File Creation via Kworker (elastic, medium)
Suspicious Files in Default GPO Folder (sigma, medium)
Suspicious Microsoft Antimalware Service Execution (elastic, high)
Suspicious Process Masquerading As SvcHost.EXE (sigma, high)
Suspicious Scheduled Task Creation via Masqueraded XML File (sigma, medium)
System Path File Creation and Execution Detected via Defend for Containers (elastic, medium)
UAC Bypass Attempt via Windows Directory Masquerading (elastic, high)
Uncommon Svchost Command Line Parameter (sigma, high)
Uncommon Svchost Parent Process (sigma, medium)
Unsigned .node File Loaded (sigma, medium)
Unusual Network Activity from a Windows System Binary (elastic, medium)
Windows LOLBAS Executed Outside Expected Path (splunk_escu)
Windows MSC EvilTwin Directory Path Manipulation (splunk_escu)
Windows Process Execution From ProgramData (splunk_escu)
Windows Process Execution in Temp Dir (splunk_escu)
Windows Processes Suspicious Parent Directory (sigma, low)
Windows Suspicious Process File Path (splunk_escu)