Adversaries may use masquerading to disguise a malicious application or executable as another file in order to avoid suspicion from operators and engineers. Disguises include commonly found programs, expected vendor executables and configuration files, and other commonplace application names and naming conventions. By impersonating expected, vendor-relevant files and applications, the adversary can cause operators and engineers to overlook the malicious content and possibly execute it as though it were a legitimate function. Applications and other files commonly found on Windows systems or on engineering workstations have been impersonated before. This can be as simple as renaming a file to disguise it within the ICS environment.

ID: T0849
Sub-techniques:  No sub-techniques
Tactic: Evasion
Platforms: Control Server, Human-Machine Interface
Version: 1.0
Created: 21 May 2020
Last Modified: 06 May 2022

Procedure Examples

ID Name Description

S0605 EKANS

EKANS masquerades as a valid executable with the filename update.exe. Many valid programs use the process name update.exe to perform background software updates. [1]

S0496 REvil

REvil searches for whether the Ahnlab autoup.exe service is running on the target system and injects its payload into this existing process. [2]

G0034 Sandworm Team

Sandworm Team transfers executable files as .txt and then renames them to .exe, likely to avoid detection through extension tracking. [3]

S0603 Stuxnet

Stuxnet renames s7otbxdx.dll, a DLL responsible for handling communications with a PLC, and replaces it with its own version, which allows it to intercept any calls made to access the PLC. [4]

S1009 Triton

Triton's injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon. [5]

S1009 Triton

Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs. [6]

Mitigations

ID Mitigation Description

M0945 Code Signing

Require signed binaries.

M0938 Execution Prevention

Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.

M0922 Restrict File and Directory Permissions

Use file system access controls to protect system and application folders.

Detection

ID Data Source Data Component

DS0017 Command: Command Execution

DS0022 File: File Metadata; File Modification

DS0009 Process: Process Metadata

DS0003 Scheduled Job: Scheduled Job Metadata; Scheduled Job Modification

DS0019 Service: Service Creation; Service Metadata
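The mitigation M0938 and the File Metadata data source above both come down to the same check: judge a file by attributes other than its name. The following is an added example written for this page, not code from MITRE or from any of the vendors named above. It applies two such checks to a constructed set of files that mirror the procedure examples: executable content behind a non-executable extension (the .txt staging pattern), and a file carrying the name of a known vendor or system binary whose SHA-256 is not among the known-good hashes for that name (the update.exe lookalike, the replaced s7otbxdx.dll). The file contents, paths and allowlist hashes are all constructed stand-ins, not real binaries.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Magic bytes of executable container formats; a file starting with these is
# executable regardless of the extension it carries.
MAGIC = {b"MZ": "pe", b"\x7fELF": "elf"}
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".scr", ".com", ".ocx"}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    detail: str


def content_type(data: bytes) -> Optional[str]:
    """Classify a file by its leading bytes, not by its name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def basename(path: str) -> str:
    """Lower-cased final path component; accepts Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def extension(name: str) -> str:
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def check_file(path: str, data: bytes, allowlist: Dict[str, Set[str]]) -> List[Finding]:
    """Return findings for one file given its content and a name -> sha256 allowlist."""
    findings: List[Finding] = []
    name = basename(path)
    ext = extension(name)
    kind = content_type(data)

    # Rule 1: executable content behind a non-executable extension.
    if kind is not None and ext not in EXECUTABLE_EXTS:
        findings.append(Finding(path, "ext-mismatch",
                                f"{kind} header in {ext or 'extension-less'} file"))

    # Rule 2: a name that belongs to a known vendor/system binary, but the hash
    # is not one of the known-good hashes recorded for that name.
    if name in allowlist:
        digest = hashlib.sha256(data).hexdigest()
        if digest not in allowlist[name]:
            findings.append(Finding(path, "hash-mismatch",
                                    f"sha256 {digest[:16]} not allowlisted for {name}"))
    return findings


def scan(files: Dict[str, bytes], allowlist: Dict[str, Set[str]]) -> List[Finding]:
    out: List[Finding] = []
    for path, data in files.items():
        out.extend(check_file(path, data, allowlist))
    return out


# Constructed stand-ins (not real binaries) for the vendor PLC DLL and a
# legitimate updater; their hashes seed the allowlist.
VENDOR_DLL = b"MZ" + b"\x00" * 62 + b"vendor PLC comms library (constructed)"
LEGIT_UPDATER = b"MZ" + b"\x00" * 62 + b"vendor updater (constructed)"

ALLOWLIST: Dict[str, Set[str]] = {
    "s7otbxdx.dll": {hashlib.sha256(VENDOR_DLL).hexdigest()},
    "update.exe": {hashlib.sha256(LEGIT_UPDATER).hexdigest()},
}

# Constructed file set mirroring the procedure examples on this page.
SAMPLE_FILES: Dict[str, bytes] = {
    r"C:\Program Files\Vendor\update.exe": LEGIT_UPDATER,                                   # genuine
    r"C:\ProgramData\update.exe": b"MZ" + b"\x00" * 62 + b"lookalike (constructed)",        # same name, other content
    r"C:\Program Files\Siemens\Step7\S7BIN\s7otbxdx.dll":
        b"MZ" + b"\x00" * 62 + b"replacement DLL (constructed)",                            # replaced vendor DLL
    r"C:\Users\eng\Downloads\tool.txt": b"MZ\x90\x00" + b"\x00" * 61,                       # PE staged as .txt
    r"C:\Users\eng\Desktop\notes.txt": b"shift handover notes",                              # benign text
}

if __name__ == "__main__":
    for f in scan(SAMPLE_FILES, ALLOWLIST):
        print(f"{f.rule:14} {f.path}  ({f.detail})")
```

In a real deployment the allowlist would be populated from a signed vendor baseline or a golden image, and the hash check would be paired with M0945 (signature verification), since a renamed but signed vendor binary passes Rule 2 while an unsigned lookalike does not. Rule 1 alone would also flag legitimate binaries deliberately staged with odd extensions, so treat it as a triage signal rather than a block decision.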