T1036.003: Rename Legitimate Utilities
Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython.[1][2][3][4] It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe).[5] An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths.[6]
Analyst context for executives and security teams
Renaming trusted utilities matters because it turns normal administrative tools into a blind spot. If monitoring keys only on filenames such as rundll32.exe, PSExec, AutoHotKey, or scripting runtimes, an adversary may copy or rename the same legitimate utility and keep the behavior looking routine. For leaders, the issue is not the utility itself; it is whether controls can still recognize risky use when the name or path has been changed.
Executive priority
Prioritize this where business operations depend on high-trust administrator tooling across Windows, Linux, and macOS. The ATT&CK relationships show this behavior is used by multiple groups and malware families, so it should be treated as a repeatable evasion pattern rather than a niche indicator. Executives should ask whether SOC coverage, incident response playbooks, and audit evidence validate utility identity by metadata, path, permissions, and execution context—not filename alone.
Technical view
This is a Masquerading sub-technique under the stealth tactic. SOC and detection teams should validate coverage for legitimate utilities executed under unexpected names or from non-standard directories. The related detection strategy, DET0005, specifically points to renamed legitimate utility execution with metadata mismatch and suspicious path. On Windows, teams should test whether process telemetry preserves executable path, command line, parent process, hash, signature, and file metadata such as original filename where available. On Linux and macOS, validate path, ownership, permissions, hashes, package provenance, and parent-child process context. Treat related group and software usage as context for threat modeling, not attribution for a local alert.
Likely telemetry
- Process creation events with executable name, full path, command line, parent process, user, and host
- File creation, copy, move, and rename events involving system utilities or commonly abused tools
- File metadata, hashes, code-signing information, ownership, and permissions
- Endpoint detection and response alerts for suspicious path or metadata mismatch
- Administrative tool execution history, especially PSExec, AutoHotKey, IronPython, scripting runtimes, and built-in binaries referenced by ATT&CK
Detection direction
- Do not rely on executable filename alone; compare name, path, hash, signature, and metadata against known legitimate utility baselines.
- Tune detections for legitimate utilities running from user-writable, temporary, unusual, or non-standard directories, while accounting for approved software deployment and admin workflows.
- Use parent-child process context and command-line intent to reduce false positives from legitimate renamed internal tools or packaged applications.
- Validate DET0005-style logic for metadata mismatch and suspicious path, especially for Windows utilities where original filename metadata may be available.
- Investigate clusters of rename/copy events followed by execution, not just standalone execution events.
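Added example of the detection direction above, written for this page and not part of ATT&CK or the DET0005 strategy: it walks a constructed Sysmon-style event stream, compares each process's on-disk name with its PE OriginalFileName, checks the execution path against a hypothetical baseline of trusted utilities, and correlates execution with a preceding file create/rename. The baseline, the user-writable directory list and the events are all constructed.

```python
"""Flag renamed-utility execution (T1036.003) in a constructed event stream.
Added example for this page, not ATT&CK or DET0005 code; the baseline is hypothetical."""
import ntpath

# Hypothetical local baseline: PE OriginalFileName -> directories it should run from.
# A real baseline would also carry hashes and code-signing identity.
BASELINE = {
    "rundll32.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "psexec.exe": {r"c:\tools\sysinternals"},
}
# Locations ordinary users can write to; trusted utilities rarely execute from here.
USER_WRITABLE = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

def classify(event, recently_written=frozenset()):
    """Return findings for one ProcessCreate event; an empty list means benign."""
    image = event["Image"].lower()
    directory, filename = ntpath.split(image)
    original = event.get("OriginalFileName", "").lower()
    findings = []
    if original and original != filename:          # disk name != PE version-resource name
        findings.append("metadata_mismatch")
    expected = BASELINE.get(original or filename)  # look the utility up by its real name
    if expected is not None and directory not in expected:
        findings.append("non_standard_path")
    if image.startswith(USER_WRITABLE):
        findings.append("user_writable_dir")
    if image in recently_written:                  # executed after a copy/rename produced it
        findings.append("follows_file_write")
    return findings

def hunt(events):
    """Walk a time-ordered stream, correlating file writes with later execution."""
    written, hits = set(), []
    for e in events:
        if e["EventType"] in ("FileCreate", "FileRename"):
            written.add(e["TargetFilename"].lower())
        elif e["EventType"] == "ProcessCreate":
            findings = classify(e, written)
            if findings:
                hits.append((e["ProcessId"], findings))
    return hits

# Constructed sample: a legitimate rundll32 run, then a copy renamed into Temp and run.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "ProcessId": 1001, "OriginalFileName": "RUNDLL32.EXE",
     "Image": r"C:\Windows\System32\rundll32.exe"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
    {"EventType": "ProcessCreate", "ProcessId": 1002, "OriginalFileName": "RUNDLL32.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svc.exe"},
]
```

On a real host the OriginalFileName field comes from the PE version resource and is absent for unsigned or stripped binaries, which is why the path and file-write checks run independently of it.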
Mitigation priorities
- Implement the related mitigation M1022 by restricting file and directory permissions so ordinary users and unnecessary processes cannot write to sensitive utility locations or plant renamed copies in trusted paths.
- Review write and execute permissions on directories commonly abused for staging renamed tools, prioritizing least privilege and removal of unnecessary write access.
- Maintain baselines of approved administrative utilities, expected locations, hashes, ownership, and permissions to support both prevention and investigation.
- Include renamed-utility scenarios in incident response validation so responders can distinguish legitimate administration from masqueraded utility abuse.
Analyst notes and limits
The object has no official ATT&CK detection text, so defensive guidance is derived from the official description, the DET0005 relationship, the M1022 mitigation relationship, platform fields, and external-reference themes. This technique is most useful as a control-validation and hunting topic: can the organization still recognize a legitimate utility when its name and location are changed?
ATT&CK does not provide procedure-level details in the supplied fields for each related group or software item, and local environment baselines are required to determine what paths, names, and administrative executions are abnormal. The presence of related groups and software does not establish current exploitation, targeting, or attribution in any specific environment.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Related techniques
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036 | Masquerading | This object is a sub-technique of Masquerading. |
Groups, software, and campaigns
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
G1034: Daggerfly
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
S9014: PHASEJAM
S1183: StrelaStealer
StrelaStealer is an information stealer malware variant first identified in November 2022 and active through late 2024. StrelaStealer focuses on the automated identification, collection, and exfiltration of email credentials from email clients such as Outlook and Thunderbird.[1][2][3][4]
S1111: DarkGate
DarkGate first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, DarkGate is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.[1] DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.[2]
S0046: CozyCar
S1020: Kevin
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 1be66ab0840f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] LOLBAS Main Site: LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.
[2] Huntress Python Malware 2025: Matthew Brennan. (2024, July 5). Snakes on a Domain: An Analysis of a Python Malware Loader. Retrieved April 3, 2025.
[3] The DFIR Report AutoHotKey 2023: The DFIR Report. (2023, February 6). Collect, Exfiltrate, Sleep, Repeat. Retrieved April 3, 2025.
[4] Splunk Detect Renamed PSExec: Splunk. (2025, February 24). Detection: Detect Renamed PSExec. Retrieved April 3, 2025.
[5] Elastic Masquerade Ball: Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.
[6] F-Secure CozyDuke: F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
[7] mitre-attack: T1036.003.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.