MITRE ATT&CK Technique
Defense Evasion
T1036.004
Description
Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)
Supported Platforms
Linux
macOS
Windows
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-02-10T20:30:07.426Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may attempt to manipulate the name of a task or '
'service to make it appear legitimate or benign. '
'Tasks/services executed by the Task Scheduler or systemd will '
'typically be given a name and/or description.(Citation: '
'TechNet Schtasks)(Citation: Systemd Service Units) Windows '
'services will have a service name as well as a display name. '
'Many benign tasks and services exist that have commonly '
'associated names. Adversaries may give tasks or services '
'names that are similar or identical to those of legitimate '
'ones.\n'
'\n'
'Tasks or services contain other fields, such as a '
'description, that adversaries may attempt to make appear '
'legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: '
'Fysbis Dr Web Analysis)',
'external_references': [{'external_id': 'T1036.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1036/004'},
{'description': 'Doctor Web. (2014, November 21). '
'Linux.BackDoor.Fysbis.1. Retrieved '
'December 7, 2017.',
'source_name': 'Fysbis Dr Web Analysis',
'url': 'https://vms.drweb.com/virus/?i=4276269'},
{'description': 'Falcone, R.. (2016, November 30). '
'Shamoon 2: Return of the Disttrack '
'Wiper. Retrieved January 11, 2017.',
'source_name': 'Palo Alto Shamoon Nov 2016',
'url': 'http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/'},
{'description': 'Freedesktop.org. (n.d.). '
'systemd.service — Service unit '
'configuration. Retrieved March 16, '
'2020.',
'source_name': 'Systemd Service Units',
'url': 'https://www.freedesktop.org/software/systemd/man/systemd.service.html'},
{'description': 'Microsoft. (n.d.). Schtasks. '
'Retrieved April 28, 2016.',
'source_name': 'TechNet Schtasks',
'url': 'https://technet.microsoft.com/en-us/library/bb490996.aspx'}],
'id': 'attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'defense-evasion'}],
'modified': '2025-10-24T17:49:00.215Z',
'name': 'Masquerade Task or Service',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Linux', 'macOS', 'Windows'],
'x_mitre_version': '1.2'}