title: Masquerade Task or Service (T1036.004)
id: df00tech-t1036-004
status: experimental
description: "Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description. Windows services will have a service name as well as a display name. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones, such as 'Windows Update Security', 'Google Chrome Security Update', or 'Microsoft Network Realtime Inspection Service'."
references:
  - https://attack.mitre.org/techniques/T1036/004/
  - https://df00tech.com/detections/T1036.004
author: df00tech
date: 2026/04/17
tags:
  - attack.t1036.004
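# NOTE: logsource is assumed (System log, Service Control Manager); adjust for your environment
logsource:
  product: windows
  service: system
detection:
  # The original logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # Assumed stand-in: service installs (EventID 7045) named like the description's examples.
  selection:
    Provider_Name: 'Service Control Manager'
    EventID: 7045
    ServiceName|contains:
      - 'Windows Update Security'
      - 'Google Chrome Security Update'
      - 'Microsoft Network Realtime Inspection Service'
  condition: selection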
falsepositives:
  - Legitimate Windows Update-related services installed during OS or feature updates
  - "Third-party security software that creates services with names containing 'Security' or 'Update'"
  - "Enterprise software deployment tools (SCCM, Intune) creating services during application installation"
  - "Google Chrome, Adobe, and other software creating legitimate update services"
level: high
