MITRE ATT&CK Technique
Defense Evasion
T1036
Description
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names. Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)
Supported Platforms
Containers
ESXi
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2017-05-31T21:30:38.511Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to manipulate features of their '
'artifacts to make them appear legitimate or benign to users '
'and/or security tools. Masquerading occurs when the name or '
'location of an object, legitimate or malicious, is '
'manipulated or abused for the sake of evading defenses and '
'observation. This may include manipulating file metadata, '
'tricking users into misidentifying the file type, and giving '
'legitimate task or service names.\n'
'\n'
'Renaming abusable system utilities to evade security '
'monitoring is also a form of '
'[Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: '
'LOLBAS Main Site)',
'external_references': [{'external_id': 'T1036',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1036'},
{'description': 'Carr, N.. (2018, October 25). Nick '
'Carr Status Update Masquerading. '
'Retrieved September 12, 2024.',
'source_name': 'Twitter ItsReallyNick Masquerading '
'Update',
'url': 'https://x.com/ItsReallyNick/status/1055321652777619457'},
{'description': 'Ewing, P. (2016, October 31). How to '
'Hunt: The Masquerade Ball. Retrieved '
'October 31, 2016.',
'source_name': 'Elastic Masquerade Ball',
'url': 'https://www.elastic.co/blog/how-hunt-masquerade-ball'},
{'description': 'LOLBAS. (n.d.). Living Off The Land '
'Binaries and Scripts (and also '
'Libraries). Retrieved February 10, '
'2020.',
'source_name': 'LOLBAS Main Site',
'url': 'https://lolbas-project.github.io/'}],
'id': 'attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:48:42.609Z',
'name': 'Masquerading',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.3.0',
'x_mitre_contributors': ['Oleg Kolesnikov, Securonix',
'Nick Carr, Mandiant',
'David Lu, Tripwire',
'Felipe Espósito, @Pr0teus',
'Elastic',
'Bartosz Jerzman',
'Menachem Goldstein'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': False,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Containers', 'ESXi', 'Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.8'}