T1036.005 — Match Legitimate Resource Name or Location

Technique

T1036.005

Tactics

Stealth

MISP citations

0

KEV CVEs mapped

1

Community rules

21

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1036/005

MITRE description

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: `svchost.exe`). Alternatively, a Windows Registry key may be given a close approximation to a key used by a legitimate program. In containerized environments, a threat actor may create a resource in a trusted namespace or one that matches the naming convention of a container pod or cluster.(Citation: Aquasec Kubernetes Backdoor 2023)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2023-26360

Detection coverage

SigmaHQ community rules

• Exploit for CVE-2015-1641 (emerging-threats)
• Lazarus System Binary Masquerading (emerging-threats)
• Greenbug Espionage Group Indicators (emerging-threats)
• Small Sieve Malware File Indicator Creation (emerging-threats)
• RedSun - TieringEngineService.exe Staged in RS-Prefixed Temp Dir (emerging-threats)
• RedSun - Conhost.exe Spawned by TieringEngineService.exe (emerging-threats)
• RedSun - TieringEngineService.exe Detected as EICAR Test File (emerging-threats)
• Creation Of Pod In System Namespace (core)
• Flash Player Update from Suspicious Location (core)
• Files With System DLL Name In Unsuspected Locations (core)
• Files With System Process Name In Unsuspected Locations (core)
• Suspicious Files in Default GPO Folder (core)
• Unsigned .node File Loaded (core)
• Potential MsiExec Masquerading (core)
• Suspicious Scheduled Task Creation via Masqueraded XML File (core)
• Scheduled Task Creation Masquerading as System Processes (core)
• Windows Processes Suspicious Parent Directory (core)
• Suspicious Process Masquerading As SvcHost.EXE (core)
• Uncommon Svchost Command Line Parameter (core)
• Uncommon Svchost Parent Process (core)
• Potential Binary Impersonating Sysinternals Tools (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.