T1036.004: T1036.004

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/02/2020 21:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1036.004
Confidence: 100/100
Revoked: No
Published: 10/02/2020 21:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Masquerade Task or Service

Platforms

windows macos linux

Description

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

TechNet Schtasks
mitre-attack (T1036.004)
Fysbis Dr Web Analysis
Systemd Service Units
Palo Alto Shamoon Nov 2016

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (55)

RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Estries uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus threat actors uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Fox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda uses

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework uses Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EvilConwi uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Baxia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Dragon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 55

OSX_OCEANLOTUS.D uses
Supper uses

Family
Green Lambert uses
Qilin uses

Family
Chaos-C++ uses

Family
Catena loader uses

Family
WarzoneRAT uses
GammaPhish uses

Family
Rustonotto uses

Family
Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DEADEYE uses
Kaiji uses

Family

← Previous

Page / 6

1–12 of 72

From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps … related

19 MITREs 5 Malwares 1 Observable 1 APT
RemotePE: The Lazarus RAT that lives in memory related

20 MITREs 6 Malwares 10 Observables 1 APT
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns related

AlienVault Confidence 100 20 MITREs 4 Malwares 13 IOCs 13 Observables 1 APT
Honeypot reveals botnet exploiting scriptText to launch DDoS … related

1 CVE 18 MITREs 2 Malwares 8 Observables
Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned … related

15 MITREs 9 Observables
Komari Red: The Monitoring Tool with a Built-in … related

AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Analysis of Attack Activities Using SSH+TOR Tunnels to … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
Iranian APT Seedworm Targets Global Organizations via Microsoft … related

19 MITREs 2 Malwares 28 Observables 1 APT
Threat Actor Targets Arabian Gulf Region With PlugX related

17 MITREs 2 Malwares 13 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (27)

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2025-49704 KEV targets

8.8 High

Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2022-41328 KEV targets

6.7 Medium

Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …

Attack vector: Local
Published: 14/03/2023
Modified: 21/12/2025

CVE-2025-2783 KEV targets

8.3 High

Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …

Attack vector: Network
Published: 27/03/2025
Modified: 21/12/2025

Analyzed

CVE-2024-3721 targets

6.3 Medium

A vulnerability was found in TBK DVR-4104 and DVR-4216 up to 20240412 and classified as critical. This issue affects some unknown processing …

Attack vector: NETWORK
Published: 13/04/2024
Modified: 21/12/2025

CVE-2024-38213 KEV targets

6.5 Medium

Microsoft Windows SmartScreen contains a security feature bypass vulnerability that allows an attacker to bypass the SmartScreen user experience via a malicious …

Attack vector: Network
Published: 13/08/2024
Modified: 21/12/2025

Received

CVE-2025-53771 targets

6.5 Medium

Improper limitation of a pathname to a restricted directory ('path traversal') in Microsoft Office SharePoint allows an authorized attacker to perform spoofing …

Attack vector: NETWORK
Published: 21/07/2025
Modified: 21/12/2025

Received

CVE-2025-55183 targets

5.3 Medium

An information leak vulnerability exists in specific configurations of React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Analyzed

CVE-2025-55184 targets

7.5 High

A pre-authentication denial of service vulnerability exists in React Server Components versions 19.0.0, 19.0.1 19.1.0, 19.1.1, 19.1.2, 19.2.0 and 19.2.1, including the …

Attack vector: NETWORK
Published: 11/12/2025
Modified: 21/12/2025

Modified

CVE-2025-21590 KEV targets

4.4 Medium

An Improper Isolation or Compartmentalization vulnerability in the kernel of Juniper Networks Junos OS allows a local attacker with high privileges to …

Attack vector: Local
Published: 13/03/2025
Modified: 21/12/2025

Awaiting Analysis

CVE-2025-67779 targets

7.5 High

It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service …

Published: 12/12/2025
Modified: 12/12/2025

Modified

← Previous

Page / 3

1–12 of 27

T1036 subtechnique-of

Masquerading MITRE

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
IronNetInjector uses

The MITRE Corporation Confidence 100

[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit…

Campaign (1)

KV Botnet Activity uses

Contact About Legal notice Privacy policy Terms of use