T1036 — Masquerading

Technique

T1036

Tactics

Stealth

MISP citations

0

KEV CVEs mapped

2

Community rules

40

thrunt rules

0

Upstream

https://attack.mitre.org/techniques/T1036

MITRE description

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

• CVE-2022-26501
• CVE-2022-26500

Detection coverage

SigmaHQ community rules

• Suspicious Computer Account Name Change CVE-2021-42287 (emerging-threats)
• CodePage Modification Via MODE.COM (threat-hunting)
• Potentially Suspicious Execution From Tmp Folder (core)
• Interactive Bash Suspicious Children (core)
• New or Renamed User Account with '$' Character (core)
• Password Protected ZIP File Opened (Suspicious Filenames) (core)
• Windows Binaries Write Suspicious Extensions (core)
• Potential Homoglyph Attack Using Lookalike Characters in Filename (core)
• Suspicious Calculator Usage (core)
• Suspicious CodePage Switch Via CHCP (core)
• CreateDump Process Dump (core)
• DumpMinitool Execution (core)
• Suspicious DumpMinitool Execution (core)
• Explorer Process Tree Break (core)
• Findstr Launching .lnk File (core)
• Forfiles.EXE Child Process Masquerading (core)
• HackTool - XORDump Execution (core)
• Potential Fake Instance Of Hxtsr.EXE Executed (core)
• CodePage Modification Via MODE.COM To Russian Language (core)
• Suspicious MSDT Parent Process (core)
• PUA - Potential PE Metadata Tamper Using Rcedit (core)
• Renamed CreateDump Utility Execution (core)
• Renamed ZOHO Dctask64 Execution (core)
• Renamed Plink Execution (core)
• Process Memory Dump Via Comsvcs.DLL (core)

Showing 25 of 40 community rules — the full set is tagged attack.t1036 in SigmaHQ.

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.