title: Rename Legitimate Utilities (T1036.003)
id: df00tech-t1036-003
status: experimental
description: "Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing, including PSExec, certutil, rundll32, and mshta. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization. An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths."
references:
  - https://attack.mitre.org/techniques/T1036/003/
  - https://df00tech.com/detections/T1036.003
author: df00tech
date: 2026/04/16
tags:
  - attack.t1036.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # Placeholder: the df00tech KQL/SPL logic could not be auto-translated into Sigma.
  # As written, EventID: '*' matches every process_creation event, so this rule
  # would fire on every process start; replace the selection with the real logic
  # (see the df00tech page) before deploying it.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Software compatibility shims or wrappers that copy and rename system utilities as part of their normal operation
  - Some application installers that bundle renamed copies of certutil.exe or other utilities for certificate management
  - IT automation tools that copy system utilities to temporary directories with different names during deployment
  - Windows Feature on Demand installations that may temporarily rename binaries
level: high
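Worked example of the check the description implies, added here and not taken from the df00tech rule or its KQL/SPL query: it compares the PE version-resource `OriginalFileName` against the on-disk name and directory in `Image`, the same comparison a Sigma `process_creation` selection would express, over constructed Sysmon EventID 1 style events. The sample events, the expected-directory table and the allowlist prefix are assumptions made for illustration; the `OriginalFileName` values should be verified against the binaries in your own environment.

```python
"""T1036.003 detection over Sysmon-style process-creation events.

Added example, not part of the df00tech rule. Field names follow Sysmon
EventID 1 (Image, OriginalFileName); the sample events, expected-directory
table and allowlist are constructed for illustration.
"""
import ntpath

# On-disk file names each OriginalFileName is expected to appear under.
# Sysinternals PsExec and PsExec64 both carry "psexec.c" in their version
# resource; the Windows built-ins carry their own file name (case differs,
# so everything is compared lower-case).
EXPECTED_NAMES = {
    "psexec.c": {"psexec.exe", "psexec64.exe"},
    "certutil.exe": {"certutil.exe"},
    "rundll32.exe": {"rundll32.exe"},
    "mshta.exe": {"mshta.exe"},
}

# Directories the built-ins normally execute from (assumed defaults for a
# C: install). PsExec is third-party and has no fixed location, so it is
# deliberately absent: only the rename check applies to it.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
EXPECTED_DIRS = {
    "certutil.exe": SYSTEM_DIRS,
    "rundll32.exe": SYSTEM_DIRS,
    "mshta.exe": SYSTEM_DIRS,
}

# Hypothetical allowlist covering the rule's false positives, e.g. an
# installer that ships a renamed certutil copy under its own directory.
ALLOWLIST_PREFIXES = ("c:\\program files\\examplevendor\\",)


def classify(event):
    """Return the reasons an event looks like T1036.003, or [] if benign."""
    ofn = event.get("OriginalFileName", "").lower()
    if ofn not in EXPECTED_NAMES:
        # Not a watched utility, or the binary has no version resource at all
        # (Sysmon then omits the field): this check cannot see those cases.
        return []
    image = event.get("Image", "").lower()
    if image.startswith(ALLOWLIST_PREFIXES):
        return []
    reasons = []
    # Case 1 in the description: the utility runs under a different name.
    if ntpath.basename(image) not in EXPECTED_NAMES[ofn]:
        reasons.append("renamed")
    # Case 2: the utility was copied or moved out of its normal directory.
    if ofn in EXPECTED_DIRS and ntpath.dirname(image) not in EXPECTED_DIRS[ofn]:
        reasons.append("relocated")
    return reasons


def scan(events):
    """Return [(Image, reasons)] for every event that triggers."""
    hits = []
    for ev in events:
        reasons = classify(ev)
        if reasons:
            hits.append((ev["Image"], reasons))
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\certutil.exe", "OriginalFileName": "CertUtil.exe"},
    {"Image": r"C:\Users\Public\cu.exe", "OriginalFileName": "CertUtil.exe"},
    {"Image": r"C:\Temp\svchost.exe", "OriginalFileName": "RUNDLL32.EXE"},
    {"Image": r"C:\Tools\PsExec64.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\Tools\ps.exe", "OriginalFileName": "psexec.c"},
    {"Image": r"C:\Windows\Temp\mshta.exe", "OriginalFileName": "MSHTA.EXE"},
    {"Image": r"C:\Program Files\ExampleVendor\certutil_copy.exe", "OriginalFileName": "CertUtil.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "OriginalFileName": "NOTEPAD.EXE"},
]

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(reasons)}")
```

Two caveats a practitioner should keep in mind: `OriginalFileName` is only recorded by Sysmon 10 and later, and only when the binary carries a version resource, so a sample with the resource stripped or patched slips past this check entirely; pair it with hash, signer or `Description` comparisons rather than relying on it alone. The allowlist is prefix-based on purpose, since the false positives listed above are tied to where the wrapper or installer lives, not to what it renames the utility to.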
