T1036.005 Microsoft Sentinel · KQL

Detect Match Legitimate Resource Name or Location in Microsoft Sentinel

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.005 Match Legitimate Resource Name or Location
Canonical reference
https://attack.mitre.org/techniques/T1036/005/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
let SystemProcessPaths = dynamic([
  @"C:\Windows\System32\svchost.exe",
  @"C:\Windows\System32\csrss.exe",
  @"C:\Windows\System32\lsass.exe",
  @"C:\Windows\System32\services.exe",
  @"C:\Windows\System32\smss.exe",
  @"C:\Windows\System32\wininit.exe",
  @"C:\Windows\System32\conhost.exe",
  @"C:\Windows\System32\dllhost.exe",
  @"C:\Windows\System32\RuntimeBroker.exe"
]);
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ ("svchost.exe", "csrss.exe", "lsass.exe", "services.exe", "smss.exe", "wininit.exe", "conhost.exe", "dllhost.exe", "RuntimeBroker.exe", "taskhostw.exe", "spoolsv.exe", "msdtc.exe", "wuauclt.exe", "vmtoolsd.exe")
| where not(FolderPath in~ (SystemProcessPaths))
| where not(FolderPath startswith @"C:\Windows\System32\" or FolderPath startswith @"C:\Windows\SysWOW64\")
| extend ParentMismatch = case(
    FileName =~ "svchost.exe" and InitiatingProcessFileName !~ "services.exe", true,
    FileName =~ "csrss.exe" and InitiatingProcessFileName !in~ ("smss.exe", "csrss.exe"), true,
    FileName =~ "lsass.exe" and InitiatingProcessFileName !~ "wininit.exe", true,
    FileName =~ "services.exe" and InitiatingProcessFileName !~ "wininit.exe", true,
    false)
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine,
         InitiatingProcessFileName, ParentMismatch, SHA256
| sort by Timestamp desc
high severity high confidence

Detects processes using names of critical Windows system binaries executing from non-standard locations. Adds parent process validation — svchost.exe should be spawned by services.exe, csrss.exe by smss.exe, lsass.exe by wininit.exe. Used extensively by Volt Typhoon, Gamaredon, APT41, and many ransomware families.

Data Sources

Process: Process CreationProcess: Process MetadataMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • VMware Tools (vmtoolsd.exe) running from non-default install locations in virtualized environments
  • Application compatibility fixes that redirect binary execution paths
  • Windows Feature on Demand or Windows Sandbox creating system binary copies in temporary locations
  • Some endpoint protection tools that create copies of system binaries for analysis
Download portable Sigma rule (.yml)

Other platforms for T1036.005

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Execute svchost.exe from User Temp Directory

    Expected signal: Sysmon Event ID 1: Process Create with Image=%TEMP%\svchost.exe, ParentImage not services.exe. OriginalFileName=Cmd.Exe mismatch with current name svchost.exe.

  2. Test 2Masquerade as lsass.exe in AppData

    Expected signal: Sysmon Event ID 1: Process Create with Image=%APPDATA%\lsass.exe. Parent process will not be wininit.exe (ParentMismatch=TRUE).

  3. Test 3Masquerade Process Name on Linux

    Expected signal: Process creation event showing /tmp/kworker executing. On systems with auditd, SYSCALL execve event for /tmp/kworker. /proc/<PID>/exe will point to /tmp/kworker.

Last updated: 2026-04-16 Research depth: deep
References (6)

Unlock Pro Content

Get the full detection package for T1036.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.006Space after FilenameT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1574.001DLLT1574.002DLL Side-LoadingT1055Process Injection

Same Tactic: Defense Evasion

Popular Detections