title: Masquerading (T1036)
id: df00tech-t1036
status: experimental
description: "Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of Masquerading."
references:
  - https://attack.mitre.org/techniques/T1036/
  - https://df00tech.com/detections/T1036
author: df00tech
date: 2026/04/16
tags:
  - attack.t1036
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate software installers that temporarily extract executables with system-like names to temp directories
  - Windows Subsystem for Linux (WSL) and virtualization software that may run processes with similar names
  - Software testing and development environments where binaries are compiled with system-like names
  - Some third-party security tools that use helper processes named after system binaries
level: high