T1036.004: T1036.004

Search IOCs, vulnerabilities, APT…

216.73.216.233

← Back to attack patterns

View on MITRE ATT&CK The MITRE Corporation · Published 10/02/2020 21:30 · Modified 27/03/2026 01:10

Essential information

MITRE technique ID: T1036.004
Confidence: 100/100
Revoked: No
Published: 10/02/2020 21:30
Modified: 27/03/2026 01:10
Author / Source: The MITRE Corporation

Aliases

Masquerade Task or Service

Platforms

windows macos linux

Description

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

Kill chain phases

Kill chain	Phase
mitre-attack	defense-evasion

Marking (TLP)

External references

TechNet Schtasks
mitre-attack (T1036.004)
Fysbis Dr Web Analysis
Systemd Service Units
Palo Alto Shamoon Nov 2016

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (55)

RansomHub uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Estries uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
China-nexus threat actors uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Fox uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Aquatic Panda uses

The MITRE Corporation Confidence 100

[Aquatic Panda](https://attack.mitre.org/groups/G0143) is a suspected China-based threat group with a dual mission of intelligence collection and industrial espionage. Active since at least May 2020, [Aquatic Panda](https://attack.mitre.org/groups/G0143) has primarily…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Inception Framework uses Cloud AtlasInception

The MITRE Corporation Confidence 100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active…

First seen 01/01/1970 · Last seen 16/11/5138 ·
EvilConwi uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Wizard Spider uses TEMP.MixMasterGrim Spider

The MITRE Corporation Confidence 100

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Earth Baxia uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Turla uses IRON HUNTERGroup 88

The MITRE Corporation Confidence 100

[Turla](https://attack.mitre.org/groups/G0010) is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Silver Dragon uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Kimsuky uses Black BansheeVelvet Chollima

The MITRE Corporation Confidence 100

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter…

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 5

1–12 of 55

OSX_OCEANLOTUS.D uses
Supper uses

Family
Green Lambert uses
Qilin uses

Family
Chaos-C++ uses

Family
Catena loader uses

Family
WarzoneRAT uses
GammaPhish uses

Family
Rustonotto uses

Family
Lynx uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
DEADEYE uses
Kaiji uses

Family

← Previous

Page / 6

1–12 of 72

From Fake Amazon Security Alert to HarborWatch Agent: … related

20 MITREs 1 Malware 6 Observables
PCPJack Hijacked 230 AWS, GCP, and Azure Servers … related

1 CVE 12 MITREs 2 Malwares 2 Observables 1 APT
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps … related

19 MITREs 5 Malwares 1 Observable 1 APT
RemotePE: The Lazarus RAT that lives in memory related

20 MITREs 6 Malwares 10 Observables 1 APT
Tracking Iranian APT Screening Serpens’ 2026 Espionage Campaigns related

AlienVault Confidence 100 20 MITREs 4 Malwares 13 IOCs 13 Observables 1 APT
Honeypot reveals botnet exploiting scriptText to launch DDoS … related

1 CVE 18 MITREs 2 Malwares 8 Observables
Operation Silent Rotor: Rust-Based Malware Targets Eurasian Unmanned … related

15 MITREs 9 Observables
Komari Red: The Monitoring Tool with a Built-in … related

AlienVault Confidence 100 19 MITREs 1 Malware 2 IOCs 2 Observables
Analysis of Attack Activities Using SSH+TOR Tunnels to … related

AlienVault Confidence 100 20 MITREs 7 IOCs 7 Observables 1 APT
The Gentlemen & SystemBC: A Sneak Peek Behind … related

46 MITREs 6 Malwares 27 Observables 1 APT
Iranian APT Seedworm Targets Global Organizations via Microsoft … related

19 MITREs 2 Malwares 28 Observables 1 APT
Threat Actor Targets Arabian Gulf Region With PlugX related

17 MITREs 2 Malwares 13 Observables 1 APT

← Previous

Page / 5

1–12 of 50

Vulnerabilities (CVE) (27)

CVE-2024-1708 KEV targets

8.4 High

ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and …

Attack vector: Network
Complexity: Low
Published: 21/02/2024
Modified: 29/04/2026

CWE-22

CVE-2025-30406 targets

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, which enables threat …

Published: 03/04/2025
Modified: 03/04/2025

Received

CVE-2025-66478 targets

Rejected reason: This CVE is a duplicate of CVE-2025-55182.

Published: 20/12/2025
Modified: 21/12/2025

Rejected

CVE-2025-49706 KEV targets

6.5 Medium

Microsoft SharePoint contains an improper authentication vulnerability that allows an authorized attacker to perform spoofing over a network. Successfully exploitation could allow …

Attack vector: Network
Published: 22/07/2025
Modified: 21/12/2025

CVE-2025-7775 KEV targets

9.2 Critical

Memory overflow vulnerability leading to Remote Code Execution and/or Denial of Service in NetScaler ADC and NetScaler Gateway when NetScaler is configured …

Attack vector: Network
Published: 26/08/2025
Modified: 27/05/2026

Analyzed

CVE-2025-32975 targets

10.0 Critical

Quest KACE Systems Management Appliance (SMA) 13.0.x before 13.0.385, 13.1.x before 13.1.81, 13.2.x before 13.2.183, 14.0.x before 14.0.341 (Patch 5), and 14.1.x …

Published: 24/06/2025
Modified: 24/06/2025

Received

CVE-2024-1709 KEV targets

10.0 Critical

ConnectWise ScreenConnect contains an authentication bypass vulnerability that allows an attacker with network access to the management interface to create a new, …

Attack vector: Network
Published: 22/02/2024
Modified: 28/02/2026

CVE-2025-55182 KEV targets

10.0 Critical

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, …

Attack vector: Network
Published: 05/12/2025
Modified: 29/05/2026

Analyzed

CVE-2024-36401 KEV targets

9.8 Critical

OSGeo GeoServer GeoTools contains an improper neutralization of directives in dynamically evaluated code vulnerability due to unsafely evaluating property names as XPath …

Attack vector: Network
Published: 15/07/2024
Modified: 21/12/2025

CVE-2018-0802 KEV targets

Microsoft Office contains a memory corruption vulnerability due to the way objects are handled in memory. Successful exploitation allows for remote code …

Published: 03/11/2021
Modified: 20/12/2025

CVE-2026-0628 targets

8.8 High

Insufficient policy enforcement in WebView tag in Google Chrome prior to 143.0.7499.192 allowed an attacker who convinced a user to install a …

Attack vector: NETWORK
Published: 07/01/2026
Modified: 09/03/2026

Undergoing Analysis

CVE-2025-20265 targets

10.0 Critical

A vulnerability in the RADIUS subsystem implementation of Cisco Secure Firewall Management Center (FMC) Software could allow an unauthenticated, remote attacker to …

Attack vector: Network
Published: 14/08/2025
Modified: 27/05/2026

Awaiting Analysis

← Previous

Page / 3

13–24 of 27

T1036 subtechnique-of

Masquerading MITRE

Tool (2)

CSPY Downloader uses

The MITRE Corporation Confidence 100

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)
IronNetInjector uses

The MITRE Corporation Confidence 100

[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit…

Campaign (1)

KV Botnet Activity uses

Contact About Legal notice Privacy policy Terms of use