Which SIEM platforms have a T1036 detection rule?

df00tech provides T1036 (Masquerading) detection queries for 7 SIEM platforms: Microsoft Sentinel / Defender, Splunk, Elastic Security (EQL), IBM QRadar (AQL), Sumo Logic CSE, Google Chronicle / SecOps, CrowdStrike LogScale (CQL).

What severity and confidence is the T1036 detection?

The T1036 detection is rated high severity with medium confidence.

What are common false positives for T1036?

Common false positives for T1036 include: Legitimate software installers that temporarily extract executables with system-like names to temp directories; Windows Subsystem for Linux (WSL) and virtualization software that may run processes with similar names; Software testing and development environments where binaries are compiled with system-like names.

T1036

Masquerading

Q: What data sources are required to detect Masquerading (T1036)?

Detecting Masquerading requires the following data sources: Process: Process Creation, Process: Process Metadata, Microsoft Defender for Endpoint.

Defense Evasion Last updated: April 16, 2026

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.

What is T1036 Masquerading?

Masquerading (T1036) maps to the Defense Evasion tactic — the adversary is trying to avoid being detected in MITRE ATT&CK.

This page provides production-ready detection logic for Masquerading, covering the data sources and telemetry it touches: Process: Process Creation, Process: Process Metadata, Microsoft Defender for Endpoint. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1036 Masquerading
Canonical reference: https://attack.mitre.org/techniques/T1036/

Microsoft Sentinel / Defender

kusto

let KnownSystemBinaries = dynamic(["svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe"]);
let TrustedPaths = dynamic(["C:\\Windows\\System32\\", "C:\\Windows\\SysWOW64\\", "C:\\Windows\\"]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (KnownSystemBinaries)
| where not(FolderPath has_any (TrustedPaths))
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessFolderPath, InitiatingProcessCommandLine,
         ProcessId, InitiatingProcessId
| sort by Timestamp desc

Detects processes with names matching known Windows system binaries (svchost.exe, csrss.exe, lsass.exe, etc.) executing from non-standard locations outside System32/SysWOW64. This is a broad parent-level detection that catches various masquerading techniques where adversaries name their malware after legitimate system processes but run them from user-writable directories.

high severity medium confidence

Data Sources

Process: Process Creation Process: Process Metadata Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate software installers that temporarily extract executables with system-like names to temp directories
Windows Subsystem for Linux (WSL) and virtualization software that may run processes with similar names
Software testing and development environments where binaries are compiled with system-like names
Some third-party security tools that use helper processes named after system binaries

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS event_time,
       sourceip,
       username,
       "Process Name" AS process_name,
       "Process Path" AS process_path,
       "Parent Process Name" AS parent_process,
       "Command" AS command_line,
       LOGSOURCENAME(logsourceid) AS log_source,
       hostname
FROM events
WHERE LOGSOURCETYPEID = 12 /* Microsoft Windows Security Event Log */
  AND QIDNAME(qid) LIKE '%Process%'
  AND ("Process Name" ILIKE 'svchost.exe'
    OR "Process Name" ILIKE 'csrss.exe'
    OR "Process Name" ILIKE 'lsass.exe'
    OR "Process Name" ILIKE 'services.exe'
    OR "Process Name" ILIKE 'smss.exe'
    OR "Process Name" ILIKE 'wininit.exe'
    OR "Process Name" ILIKE 'winlogon.exe'
    OR "Process Name" ILIKE 'explorer.exe'
    OR "Process Name" ILIKE 'spoolsv.exe'
    OR "Process Name" ILIKE 'taskhost.exe'
    OR "Process Name" ILIKE 'taskhostw.exe'
    OR "Process Name" ILIKE 'conhost.exe'
    OR "Process Name" ILIKE 'dllhost.exe'
    OR "Process Name" ILIKE 'RuntimeBroker.exe')
  AND "Process Path" NOT ILIKE 'C:\Windows\System32\%'
  AND "Process Path" NOT ILIKE 'C:\Windows\SysWOW64\%'
  AND "Process Path" NOT ILIKE 'C:\Windows\explorer.exe'
  AND "Process Path" NOT ILIKE 'C:\Windows\winsxs\%'
LAST 24 HOURS

Detects Windows system binaries executing outside their expected directories using QRadar normalized process event fields, indicating potential masquerading via binary relocation.

high severity medium confidence

Data Sources

Microsoft Windows Security Event Log (DSM) Sysmon via Universal DSM

Required Tables

events

False Positives

Application packaging tools that extract and execute system utilities from temp directories as part of installation routines
Backup and recovery software that may stage system processes in alternate locations during bare-metal restore operations
Sandboxed application containers or browser-based isolation technologies that redirect system binary paths

Sumo Logic CSE

sql

_sourceCategory=*windows* OR _sourceCategory=*sysmon*
| where EventID = "1" OR EventCode = "1"
| parse field=Message "Image: *\n" as process_path nodrop
| parse field=Message "OriginalFileName: *\n" as original_filename nodrop
| parse field=Message "CommandLine: *\n" as command_line nodrop
| parse field=Message "ParentImage: *\n" as parent_image nodrop
| parse field=Message "User: *\n" as user nodrop
| parse field=Message "ProcessId: *\n" as process_id nodrop
| if(isBlank(process_path), Image, process_path) as process_path
| toUpperCase(process_path) as path_upper
| parse regex field=path_upper "(?<process_name>[^\\\\]+)$" nodrop
| toLowercase(process_name) as process_name_lower
| where process_name_lower in ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "winlogon.exe", "explorer.exe", "spoolsv.exe", "taskhost.exe", "taskhostw.exe", "conhost.exe", "dllhost.exe", "runtimebroker.exe")
| where !(path_upper matches /^C:\\WINDOWS\\SYSTEM32\\/) 
| where !(path_upper matches /^C:\\WINDOWS\\SYSWOW64\\/)
| where !(path_upper = "C:\\WINDOWS\\EXPLORER.EXE")
| where !(path_upper matches /^C:\\WINDOWS\\WINSXS\\/)
| fields _messageTime, _sourceHost, user, process_path, original_filename, command_line, parent_image, process_id
| sort by _messageTime desc

Detects masqueraded system binaries running from non-standard paths by parsing Sysmon process creation events and filtering known trusted binary locations.

high severity medium confidence

Data Sources

Sumo Logic Installed Collector (Windows) Sysmon Event Log via Sumo Logic

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Enterprise software management platforms (e.g., SCCM, Tanium) that copy system utilities to staging directories before execution
Developer workstations running build systems or CI/CD agents that invoke system binaries from project-relative paths
System recovery or forensic tools that execute system binaries from alternate root partitions or recovery media

Google Chronicle / SecOps

yaral

rule t1036_masquerading_system_binary_wrong_path {
  meta:
    author = "df00tech"
    description = "Detects known Windows system binaries executing from non-standard file paths, indicative of masquerading (T1036)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    $e.principal.process.file.full_path != ""
    (
      re.regex($e.target.process.file.full_path, `(?i)\\svchost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\csrss\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\lsass\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\services\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\smss\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\wininit\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\winlogon\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\explorer\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\spoolsv\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\taskhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\taskhostw\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\conhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\dllhost\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)\\RuntimeBroker\.exe$`)
    )
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ss]ystem32\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ss]ys[Ww][Oo][Ww]64\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ww]in[Ss][Xx][Ss]\\`)
    not re.regex($e.target.process.file.full_path, `(?i)^[Cc]:\\[Ww]indows\\[Ee]xplorer\.exe$`)

  condition:
    $e
}

Chronicle YARA-L 2.0 rule detecting Windows system process masquerading by identifying known system binary names executing from paths outside trusted Windows system directories.

high severity high confidence

Data Sources

Google Chronicle SIEM Windows Endpoint (via Chronicle Forwarder or EDR integration)

Required Tables

PROCESS_LAUNCH UDM events

False Positives

Windows Subsystem for Linux (WSL) environments where Windows binaries may appear at non-standard Unix-style paths in normalized UDM logs
Endpoint detection and response tools that fork monitored processes and may log them with their own staging paths
Custom enterprise gold images where system binaries are pre-staged to alternative drive letters before sysprep completes

Sigma rule & cross-platform mapping

The detection logic for Masquerading (T1036) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  category: process_creation
  product: windows

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1036 Sigma rules on detection.fyi

Platform-specific guides for T1036

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)

Last updated: 2026-04-16 Research depth: deep

References (5)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

Test 1Masquerade as svchost.exe from Temp Directory
Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, OriginalFileName=Cmd.Exe. Security Event ID 4688 with NewProcessName containing svchost.exe in a temp directory. Sysmon Event ID 11: FileCreate for svchost.exe in temp.
Test 2Masquerade as lsass.exe from User Profile
Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe, OriginalFileName=NOTEPAD.EXE. The OriginalFileName mismatch is a key indicator.
Test 3Masquerade as explorer.exe from Downloads
Expected signal: Sysmon Event ID 1: Process Create with Image in Downloads folder, OriginalFileName mismatch. File creation event for explorer.exe in Downloads.

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1036 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub

TA0005Defense Evasion

Sub-techniques (12)

Related Techniques

T1036.001Invalid Code Signature T1036.003Rename Legitimate Utilities T1036.005Match Legitimate Resource Name or Location T1036.007Double File Extension T1036.008Masquerade File Type T1574.001DLL T1218.011Rundll32 T1027Obfuscated Files or Information

Masquerading

What is T1036 Masquerading?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1036

Testing Methodology

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (12)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

What is T1036 Masquerading?

MITRE ATT&CK

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Sigma rule & cross-platform mapping

Platform-specific guides for T1036

Testing Methodology

Unlock Pro Content

Related Detections

Tactic Hub

Sub-techniques (12)

Related Techniques

Same Tactic: Defense Evasion

Popular Detections

Get new detections in your inbox