T1036.004: T1036.004
Essential information
- MITRE technique ID
T1036.004- Confidence
- 100/100
- Revoked
- No
- Published
- 10/02/2020 21:30
- Modified
- 27/03/2026 01:10
- Author / Source
- The MITRE Corporation
Aliases
Masquerade Task or Service
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | defense-evasion |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (54)
-
Screening Serpens relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Silver Fox APT relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
SilverFox relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Socgholish relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Storm-0501 relatedThe MITRE Corporation Confidence 100
[Storm-0501](https://attack.mitre.org/groups/G1053) is a financially motivated cyber criminal group that uses commodity and open-source tools to conduct ransomware operations. [Storm-0501](https://attack.mitre.org/groups/G1053) has been active since 2021 and has previously been…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Storm-2603 relatedAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Malware (74)
-
OSX_OCEANLOTUS.D usesFamily The MITRE Corporation Confidence 100
[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a macOS backdoor used by [APT32](https://attack.mitre.org/groups/G0050). First discovered in 2015, [APT32](https://attack.mitre.org/groups/G0050) has continued to make improvements using a plugin architecture to extend capabilities, specifically using `.dylib`…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Supper usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Green Lambert usesFamily The MITRE Corporation Confidence 100
[Green Lambert](https://attack.mitre.org/software/S0690) is a modular backdoor that security researchers assess has been used by an advanced threat group referred to as Longhorn and The Lamberts. First reported in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Qilin usesThe MITRE Corporation Confidence 100
[Qilin](https://attack.mitre.org/software/S1242) ransomware is a Ransomware-as-a-Service (RaaS) that has been active since at least 2022 with versions written in Golang and Rust that are capable of targeting Windows or…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Chaos-C++ usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Catena loader usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
WarzoneRAT usesFamily The MITRE Corporation Confidence 100
[WarzoneRAT](https://attack.mitre.org/software/S0670) is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.(Citation: Check Point Warzone Feb 2020)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
GammaPhish usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Rustonotto usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
Lynx usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
DEADEYE usesFamily The MITRE Corporation Confidence 100
[DEADEYE](https://attack.mitre.org/software/S1052) is a malware launcher that has been used by [APT41](https://attack.mitre.org/groups/G0096) since at least May 2021. [DEADEYE](https://attack.mitre.org/software/S1052) has variants that can either embed a payload inside a compiled…
First seen 01/01/1970 · Last seen 16/11/5138 · -
Kaiji usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
Reports (50)
-
AlienVault Confidence 100 19 MITREs 2 Malwares 13 IOCs 4 Observables 1 APT
-
AlienVault Confidence 100 25 CVEs 21 MITREs 7 Malwares 30 IOCs 10 Observables
-
AlienVault Confidence 100 13 CVEs 20 MITREs 4 Malwares 6 IOCs 5 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 1 Malware 3 IOCs 1 APT
-
20 MITREs 1 Malware 6 Observables
-
1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
-
19 MITREs 5 Malwares 1 Observable 1 APT
-
20 MITREs 6 Malwares 10 Observables 1 APT
-
AlienVault Confidence 100 20 MITREs 4 Malwares 13 IOCs 13 Observables 1 APT
-
1 CVE 18 MITREs 2 Malwares 8 Observables
-
15 MITREs 9 Observables
-
AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Vulnerabilities (CVE) (65)
The Ninja Forms - File Uploads plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in …
- Attack vector
- NETWORK
- Complexity
- LOW
- Published
- 07/04/2026
- Modified
- 13/07/2026
The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.
- Published
- 27/06/2022
- Modified
- 20/12/2025
Microsoft SharePoint contains a code injection vulnerability that could allow an authorized attacker to execute code over a network. This vulnerability could …
- Attack vector
- Network
- Published
- 22/07/2025
- Modified
- 21/12/2025
- EPSS
- 0.5836 (P99.0%)
- Published
- 15/07/2026
A critical pre-authentication vulnerability exists in the authentication subsystem of BeyondTrust Remote Support and Privileged Remote Access. Improper validation of authentication data …
- Attack vector
- NETWORK
- Complexity
- HIGH
- Published
- 06/07/2026
Dasan GPON Routers contain an authentication bypass vulnerability. When combined with CVE-2018-10561, exploitation can allow an attacker to perform remote code execution.
- Published
- 31/03/2022
- Modified
- 20/12/2025
- EPSS
- 0.2292 (P97.5%)
- Published
- 15/07/2026
Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …
- Attack vector
- LOCAL
- Complexity
- LOW
- Published
- 12/04/2017
- Modified
- 22/04/2026
SEOWON INTECH SLC-130 And SLR-120S devices allow Remote Code Execution via the ipAddr parameter to the system_log.cgi page.
- Attack vector
- NETWORK
- Published
- 20/08/2020
- Modified
- 20/12/2025
An issue was discovered on Wireless IP Camera (P2P) WIFICAM cameras. There is Command Injection in the set_ftp.cgi script via shell metacharacters …
- Attack vector
- NETWORK
- Published
- 11/06/2019
- Modified
- 15/07/2026
Fortinet FortiOS contains a path traversal vulnerability that may allow a local privileged attacker to read and write files via crafted CLI …
- Attack vector
- Local
- Published
- 14/03/2023
- Modified
- 21/12/2025
Google Chromium Mojo on Windows contains a sandbox escape vulnerability caused by a logic error, which results from an incorrect handle being …
- Attack vector
- Network
- Published
- 27/03/2025
- Modified
- 21/12/2025
Tool (2)
-
CSPY Downloader usesThe MITRE Corporation Confidence 100
[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
-
IronNetInjector usesThe MITRE Corporation Confidence 100
[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit…
Campaign (1)
-
KV Botnet Activity uses