Esc

Match Legitimate Name or Location - T1036.005

(ATT&CK® Technique)

Definition

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

D3FEND Inferred Relationships

Browse the D3FEND knowledge graph by clicking on the nodes below.

        graph LR;

     T1036005["Match Legitimate Name or Location"] --> |invokes| MoveFile["Move File"]; class T1036005 OffensiveTechniqueNode;
        class MoveFile ArtifactNode; click MoveFile href "/dao/artifact/d3f:MoveFile";
        click T1036005 href "/offensive-technique/attack/T1036.005/"; click MoveFile href "/dao/artifact/d3f:MoveFile"; T1036005["Match Legitimate Name or Location"] --> |may-create| File["File"]; class T1036005 OffensiveTechniqueNode;
        class File ArtifactNode; click File href "/dao/artifact/d3f:File";
        click T1036005 href "/offensive-technique/attack/T1036.005/"; click File href "/dao/artifact/d3f:File";                          FileEncryption["File Encryption"] -->
          | encrypts | File["File"];

          FileEncryption["File Encryption"] -.->
            | may-harden | T1036005["Match Legitimate Name or Location"] ;
          class FileEncryption DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEncryption href "/technique/d3f:FileEncryption"; LocalFilePermissions["Local File Permissions"] -->
          | restricts | File["File"];

          LocalFilePermissions["Local File Permissions"] -.->
            | may-isolate | T1036005["Match Legitimate Name or Location"] ;
          class LocalFilePermissions DefensiveTechniqueNode;
          class File ArtifactNode;
          click LocalFilePermissions href "/technique/d3f:LocalFilePermissions";                           FileIntegrityMonitoring["File Integrity Monitoring"] -->
          | analyzes | File["File"];

          FileIntegrityMonitoring["File Integrity Monitoring"] -.->
            | may-detect | T1036005["Match Legitimate Name or Location"] ;
          class FileIntegrityMonitoring DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileIntegrityMonitoring href "/technique/d3f:FileIntegrityMonitoring"; FileEviction["File Eviction"] -->
          | deletes | File["File"];

          FileEviction["File Eviction"] -.->
            | may-evict | T1036005["Match Legitimate Name or Location"] ;
          class FileEviction DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileEviction href "/technique/d3f:FileEviction";                           RestoreFile["Restore File"] -->
          | restores | File["File"];

          RestoreFile["Restore File"] -.->
            | may-restore | T1036005["Match Legitimate Name or Location"] ;
          class RestoreFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click RestoreFile href "/technique/d3f:RestoreFile"; DecoyFile["Decoy File"] -->
          | spoofs | File["File"];

          DecoyFile["Decoy File"] -.->
            | may-deceive | T1036005["Match Legitimate Name or Location"] ;
          class DecoyFile DefensiveTechniqueNode;
          class File ArtifactNode;
          click DecoyFile href "/technique/d3f:DecoyFile";               SystemCallFiltering["System Call Filtering"] -->
          | filters | MoveFile["Move File"];

          SystemCallFiltering["System Call Filtering"] -.->
            | may-isolate | T1036005["Match Legitimate Name or Location"] ;
          class SystemCallFiltering DefensiveTechniqueNode;
          class MoveFile ArtifactNode;
          click SystemCallFiltering href "/technique/d3f:SystemCallFiltering";                        RemoteFileAccessMediation["Remote File Access Mediation"] -->
          | isolates | File["File"];

          RemoteFileAccessMediation["Remote File Access Mediation"] -.->
            | may-isolate | T1036005["Match Legitimate Name or Location"] ;
          class RemoteFileAccessMediation DefensiveTechniqueNode;
          class File ArtifactNode;
          click RemoteFileAccessMediation href "/technique/d3f:RemoteFileAccessMediation"; FileAnalysis["File Analysis"] -->
          | analyzes | File["File"];

          FileAnalysis["File Analysis"] -.->
            | may-detect | T1036005["Match Legitimate Name or Location"] ;
          class FileAnalysis DefensiveTechniqueNode;
          class File ArtifactNode;
          click FileAnalysis href "/technique/d3f:FileAnalysis";                           SystemCallAnalysis["System Call Analysis"] -->
          | analyzes | MoveFile["Move File"];

          SystemCallAnalysis["System Call Analysis"] -.->
            | may-detect | T1036005["Match Legitimate Name or Location"] ;
          class SystemCallAnalysis DefensiveTechniqueNode;
          class MoveFile ArtifactNode;
          click SystemCallAnalysis href "/technique/d3f:SystemCallAnalysis";

json