Skip to content

T1036.003 Rename System Utilities

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. 4 It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename rundll32.exe). 2 An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. 3

Item Value
ID T1036.003
Sub-techniques T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008
Tactics TA0005
Platforms Linux, Windows, macOS
Version 1.1
Created 10 February 2020
Last Modified 07 April 2023

Procedure Examples

ID Name Description
G0050 APT32 APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.9
S0046 CozyCar The CozyCar dropper has masqueraded a copy of the infected system’s rundll32.exe executable that was moved to the malware’s install directory and renamed according to a predefined configuration file.3
G0093 GALLIUM GALLIUM used a renamed cmd.exe file to evade detection.6
S1020 Kevin Kevin has renamed an image of cmd.exe with a random name followed by a .tmpl extension.5
G0032 Lazarus Group Lazarus Group has renamed system utilities such as wscript.exe and mshta.exe.7
G0045 menuPass menuPass has renamed certutil and moved it to a different location on the system to avoid detection based on use of the tool.8


ID Mitigation Description
M1022 Restrict File and Directory Permissions Use file system access controls to protect folders such as C:\Windows\System32.


ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Metadata
DS0009 Process Process Metadata