title: Match Legitimate Resource Name or Location (T1036.005)
id: df00tech-t1036-005
status: experimental
description: "Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming or placing them, in order to evade defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, a threat actor may create a resource in a trusted namespace, or in one whose name matches the naming convention of a container pod or cluster."
references:
  - https://attack.mitre.org/techniques/T1036/005/
  - https://df00tech.com/detections/T1036.005
author: df00tech
date: 2026/04/16
tags:
  - attack.t1036.005
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # The full detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a minimal hand-written version of the description's own example
  # (a trusted system binary name executing outside its normal directory). A match-all
  # selection is not a safe placeholder for a level: high rule, so it has been replaced.
  # Extend the Image list to the binaries your environment cares about.
  selection:
    Image|endswith: '\svchost.exe'
  filter_expected_path:
    Image|startswith:
      - 'C:\Windows\System32\'
      - 'C:\Windows\SysWOW64\'
  condition: selection and not filter_expected_path
falsepositives:
  - VMware Tools (vmtoolsd.exe) running from non-default install locations in virtualized environments
  - Application compatibility fixes that redirect binary execution paths
  - Windows Feature on Demand or Windows Sandbox creating system binary copies in temporary locations
  - Some endpoint protection tools that create copies of system binaries for analysis
level: high
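
The Sigma selection above encodes only the "right name, wrong directory" case for a single binary. The following Python is an added example, not part of the df00tech rule or its KQL/SPL logic, that runs the same idea over constructed process-creation events and adds the two things a Sigma `startswith` filter cannot express: path canonicalisation (mixed case, forward slashes, `..` segments) and detection of approximate names such as `svch0st.exe`. The svchost.exe/System32 pairing is the rule description's own example; lsass.exe and explorer.exe are standard Windows locations and assume the default `%SystemRoot%` of `C:\Windows`. The `FUZZY_THRESHOLD` value and the `classify`/`triage` function names are illustrative choices, and the sample events are constructed, not real telemetry.

```python
"""Name/location masquerading check (T1036.005) over constructed process-creation
events. Added example; not part of the df00tech rule or its KQL/SPL logic."""
import difflib
import ntpath

# Legitimate binary -> directories it is expected to run from (lower-case,
# normalised). svchost.exe under System32 is the rule description's own
# example; lsass.exe and explorer.exe are standard Windows locations, assuming
# the default %SystemRoot% of C:\Windows.
EXPECTED_LOCATIONS = {
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "lsass.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Similarity at or above this ratio counts as "approximating" a protected
# name. Illustrative value; tune against your own process inventory.
FUZZY_THRESHOLD = 0.8


def normalize(image: str) -> str:
    """Canonicalise a Windows image path so mixed case, forward slashes and
    '..' segments cannot move a file out of its apparent directory.
    ntpath (not os.path) is used so the result is the same on a Linux SIEM."""
    return ntpath.normpath(image.strip()).lower()


def classify(image: str):
    """Return None for a benign path, 'masquerade:path' when a protected name
    runs outside its expected directory, or 'masquerade:name' when the file
    name is a near-miss of a protected name (e.g. svch0st.exe)."""
    directory, name = ntpath.split(normalize(image))
    expected = EXPECTED_LOCATIONS.get(name)
    if expected is not None:
        return None if directory in expected else "masquerade:path"
    # Exact name unknown: look for approximations of a protected name. These
    # are lower confidence than a path mismatch and need an allowlist of
    # legitimate look-alikes (iexplore.exe scores above the threshold against
    # explorer.exe, for instance), so route them to a separate, lower level.
    for legit in EXPECTED_LOCATIONS:
        if difflib.SequenceMatcher(None, name, legit).ratio() >= FUZZY_THRESHOLD:
            return "masquerade:name"
    return None


def triage(events):
    """Run classify() over process-creation events and return the hits as
    (image, verdict) pairs, in event order."""
    hits = []
    for event in events:
        verdict = classify(event["Image"])
        if verdict is not None:
            hits.append((event["Image"], verdict))
    return hits


# Constructed sample events (not real telemetry), shaped like the Image field
# that Sigma's process_creation category maps to.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe"},                  # legitimate
    {"Image": r"c:/WINDOWS/SysWOW64/svchost.exe"},                  # legitimate, odd case/slashes
    {"Image": r"C:\Windows\System32\..\Temp\svchost.exe"},          # '..' walks into Temp
    {"Image": r"C:\Users\Public\svchost.exe"},                      # trusted name, untrusted dir
    {"Image": r"C:\Windows\System32\svch0st.exe"},                  # look-alike beside the real one
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe"},  # benign near-miss (noise)
    {"Image": r"C:\Windows\explorer.exe"},                          # legitimate
]

if __name__ == "__main__":
    for image, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:16} {image}")
```

Two design points worth carrying back into the rule: the `..` sample only matters for log sources that record the raw command-line path rather than the kernel-resolved image path, and the approximate-name branch is deliberately kept separate from the exact-name branch because its false-positive profile (legitimate near-names like iexplore.exe) is different from the high-confidence "svchost.exe outside System32" case the rule fires on.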
