Masquerading: Masquerade Task or Service

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.[1][2] Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.[3][4]

ID: T1036.004
Sub-technique of: T1036
Tactic: Defense Evasion
Platforms: Linux, Windows, macOS
Version: 1.2
Created: 10 February 2020
Last Modified: 29 September 2023

Procedure Examples

ID Name Description
C0034 2022 Ukraine Electric Power Attack

During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Systemd service units to masquerade GOGETTER malware as legitimate or seemingly legitimate services.[5]

G0099 APT-C-36

APT-C-36 has disguised its scheduled tasks as those used by Google.[6]

G0050 APT32

APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".[7]

G0096 APT41

APT41 has created services to appear as benign system tools.[8]

S0438 Attor

Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).[9]

G0135 BackdoorDiplomacy

BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[10]

S0534 Bazar

Bazar can create a task named to appear benign.[11]


BITTER has disguised malware as a Windows Security update service.[12]

S1070 Black Basta

Black Basta has established persistence by creating a new service named FAX after deleting the legitimate service by the same name.[13][14][15]

S0471 build_downer

build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.[16]

C0017 C0017

During C0017, APT41 used SCHTASKS /Change to modify legitimate scheduled tasks to run malicious code.[17]

G0008 Carbanak

Carbanak has copied legitimate service names to use for malicious services.[18]

S0261 Catchamas

Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.[19]

S0126 ComRAT

ComRAT has used a task name associated with Windows SQM Consolidator.[20]

S0538 Crutch

Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[21]

S0527 CSPY Downloader

CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.[22]

S1033 DCSrv

DCSrv has masqueraded its service as a legitimate svchost.exe process.[23]


DEADEYE has used schtasks /change to modify scheduled tasks including \Microsoft\Windows\PLA\Server Manager Performance Monitor, \Microsoft\Windows\Ras\ManagerMobility, \Microsoft\Windows\WDI\SrvSetupResults, and \Microsoft\Windows\WDI\USOShared.[17]

S0554 Egregor

Egregor has masqueraded the svchost.exe process to exfiltrate data.[24]

S0367 Emotet

Emotet has installed itself as a new service with the service name Windows Defender System Service and display name WinDefService.[25]

S0343 Exaramel for Windows

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.[26]

G1016 FIN13

FIN13 has used scheduled task names such as acrotyr and AppServicesr to mimic the same names in a compromised network's C:\Windows directory.[27]

G0037 FIN6

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.[28]

G0046 FIN7

FIN7 has created a scheduled task named "AdobeFlashSync" to establish persistence.[29]

G0117 Fox Kitten

Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.[30]

C0001 Frankenstein

During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[31]

S1044 FunnyDream

FunnyDream has used a service named WSearch for execution.[32]

S0410 Fysbis

Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[4]

S0588 GoldMax

GoldMax has impersonated systems management software to avoid detection.[33]

S0690 Green Lambert

Green Lambert has created a new executable named Software Update Check to appear legitimate.[34][35]

S1027 Heyoka Backdoor

Heyoka Backdoor has been named srvdll.dll to appear as a legitimate service.[36]

G0126 Higaisa

Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.[37][38]

S0601 Hildegard

Hildegard has disguised itself as a known Linux process.[39]

S0259 InnaputRAT

InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.[40]

S0260 InvisiMole

InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.[41]

S0581 IronNetInjector

IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.[42]

S0607 KillDisk

KillDisk registers as a service under the Plug-And-Play Support name.[43]

G0094 Kimsuky

Kimsuky has disguised services to appear as benign software or related to operating system functions.[44]


KONNI has pretended to be the xmlProv Network Provisioning service.[45]

S0236 Kwampirs

Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.[46]

G0032 Lazarus Group

Lazarus Group has used a scheduled task named SRCheck to mask the execution of a malicious .dll.[47]

S0409 Machete

Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[48]

G0059 Magic Hound

Magic Hound has named a malicious script CacheTask.bat to mimic a legitimate task.[49]

S0449 Maze

Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.[50]

S0688 Meteor

Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[51]

G0019 Naikon

Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.[52]

S0630 Nebulae

Nebulae has created a service named "Windows Update Agent1" to appear legitimate.[52]

S0118 Nidiran

Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.[53][54]

S1090 NightClub

NightClub has created a service named WmdmPmSp to spoof a Windows Media service.[55]

S0439 Okrum

Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.[56]


OSX_OCEANLOTUS.D uses file naming conventions with associated executable locations to blend in with the macOS TimeMachine and OpenSSL services, such as naming a LaunchAgent plist file that executes OSX_OCEANLOTUS.D from the user's ~/Library/OpenSSL/ folder upon user login.[57]

S1031 PingPull

PingPull can mimic the names and descriptions of legitimate services such as iphlpsvc, IP Helper, and Onedrive to evade detection.[58]

S0013 PlugX

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."[59]


POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.[60]


PROMETHIUM has named services to appear legitimate.[61][62]

S0629 RainyDay

RainyDay has named services and scheduled tasks to appear benign including "ChromeCheck" and "googleupdate."[52]

S0169 RawPOS

New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".[63][64][65]

S0495 RDAT

RDAT has used Windows Video Service as a name for malicious services.[66]

S0148 RTM

RTM has named the scheduled task it creates "Windows Update".[67]

S0345 Seasalt

Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.[68]

S0140 Shamoon

Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service's display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."[3][69]

S0444 ShimRat

ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.[70]


SLOTHFULMEDIA has named a service it establishes on victim machines as "TaskFrame" to hide its malicious purpose.[71]

C0024 SolarWinds Compromise

During the SolarWinds Compromise, APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.[72]

S0491 StrongPity

StrongPity has named services to appear legitimate.[61][62]


SUGARDUMP's scheduled task has been named MicrosoftInternetExplorerCrashRepoeterTaskMachineUA or MicrosoftEdgeCrashRepoeterTaskMachineUA, depending on the Windows OS version.[73]

S1064 SVCReady

SVCReady has named a task RecoveryExTask as part of its persistence activity.[74]

S0663 SysUpdate

SysUpdate has named its unit configuration file similarly to other unit files residing in the same directory, /usr/lib/systemd/system/, to appear benign.[75]

S1011 Tarrask

Tarrask creates a scheduled task called "WinUpdate" to re-establish any dropped C2 connections.[76]

S0668 TinyTurla

TinyTurla has mimicked an existing Windows service by being installed as Windows Time Service.[77]

S0178 Truvasys

To establish persistence, Truvasys adds a Registry Run key with a value "TaskMgr" in an attempt to masquerade as the legitimate Windows Task Manager.[78]

S0647 Turian

Turian can disguise as a legitimate service to blend into normal operations.[10]

S0022 Uroburos

Uroburos has registered a service named WerFaultSvc, likely to spoof the legitimate Windows error reporting service.[79]

S0180 Volgmer

Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.[80][81]

G0102 Wizard Spider

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.[82] It has also used common document file names for other malware binaries.[83]


ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[84]

S1013 ZxxZ

ZxxZ has been disguised as a Windows security update service.[12]

Mitigations

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features.

Detection

ID Data Source Data Component Detects
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to manipulate the name of a task or service to make it appear legitimate or benign.

DS0003 Scheduled Job Scheduled Job Metadata

Monitor for contextual data about a scheduled job, which may include information such as name, timing, command(s), etc.

Scheduled Job Modification

Monitor for changes made to scheduled jobs for unexpected modifications to execution launch.

DS0019 Service Service Creation

Monitor for newly constructed services/daemons. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

Service Metadata

Monitor for changes made to services for unexpected modifications to names, descriptions, and/or start types.
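The Service Creation and Service Metadata rows above say what to collect but not how to score a new service against a baseline. The Python below is an added example, not ATT&CK content, that runs four heuristics drawn from the procedure examples (hidden characters as in the APT32 case, lookalike names as in Higaisa's svchast, a legitimate name backed by a non-system binary as with Black Basta's FAX, and a vendor-branded display name outside system directories as with Emotet) over constructed 7045-style service-installed events. The legitimate-name baseline, system directories, brand words and sample events are all assumptions.

```python
"""Heuristic triage of service-creation events for task/service name masquerading.
Added example for T1036.004; not from the ATT&CK page. The baseline, paths and
sample events below are constructed."""
from difflib import SequenceMatcher

# Constructed baseline of legitimate short service names. A real deployment
# would derive this from a clean reference build rather than hard-code it.
LEGIT_NAMES = {"svchost", "wsearch", "w32time", "fax", "iphlpsvc",
               "ntmssvc", "wuauserv", "windefend", "wersvc"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
BRAND_WORDS = ("microsoft", "windows", "google", "adobe")


def hidden_chars(text):
    """Code points outside printable ASCII, e.g. the no-break space (U+00A0)
    APT32 appended to a legitimate service name."""
    return [c for c in text if not 32 <= ord(c) <= 126]


def lookalike(name, threshold=0.8):
    """Legitimate name this one resembles but does not equal (svchast vs svchost).
    An exact match is left to the image-path check instead."""
    n = name.lower()
    if n in LEGIT_NAMES:
        return None
    best = max(LEGIT_NAMES, key=lambda legit: SequenceMatcher(None, n, legit).ratio())
    return best if SequenceMatcher(None, n, best).ratio() >= threshold else None


def triage(event):
    """Return (code, detail) findings for one service-installed event
    (fields mirror Windows System log event 7045: name, display_name, image_path)."""
    findings = []
    for field in ("name", "display_name"):
        bad = hidden_chars(event[field])
        if bad:
            findings.append(("hidden_chars", f"{field} contains {[hex(ord(c)) for c in bad]}"))
    near = lookalike(event["name"])
    if near:
        findings.append(("lookalike", f"name resembles legitimate service '{near}'"))
    path = event["image_path"].lower()
    in_system = path.startswith(SYSTEM_DIRS)
    if event["name"].lower() in LEGIT_NAMES and not in_system:
        # Black Basta recreated the real FAX service name pointing at its own binary.
        findings.append(("path_mismatch", f"legitimate name but image at {event['image_path']}"))
    if not in_system and any(w in event["display_name"].lower() for w in BRAND_WORDS):
        # Emotet-style: vendor-branded display name backed by a user-writable path.
        findings.append(("brand_path", "vendor-branded display name outside system directories"))
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"name": "svchast", "display_name": "Host Process for Windows Services",
     "image_path": "C:\\Users\\Public\\svchast.exe"},
    {"name": "Fax", "display_name": "Fax", "image_path": "C:\\ProgramData\\fax.exe"},
    {"name": "wsearch\u00a0", "display_name": "Windows Search",
     "image_path": "C:\\Windows\\System32\\SearchIndexer.exe"},
    {"name": "WinDefService", "display_name": "Windows Defender System Service",
     "image_path": "C:\\Users\\Public\\wd.exe"},
    {"name": "wuauserv", "display_name": "Windows Update",
     "image_path": "C:\\Windows\\System32\\svchost.exe"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["name"].encode("unicode_escape").decode(), triage(ev) or "clean")
```

The same checks apply to scheduled task names and actions; only the event source (task registration rather than service installation) changes.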


  1. Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
  2. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.
  3. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  4. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  5. Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024.
  6. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  7. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  8. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  10. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  11. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  12. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  13. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  14. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  15. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  16. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  17. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  18. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  19. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  20. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  21. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  22. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  23. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  24. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  25. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  26. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  27. Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
  28. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  29. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  30. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  31. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  32. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  33. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  34. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  35. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  36. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  37. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  38. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  39. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  40. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  41. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  42. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  43. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  44. CISA, FBI, CNMF. (2020, October 27). Retrieved November 4, 2020.
  45. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  46. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  47. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.
  48. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  49. DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
  50. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  51. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  52. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  53. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  54. Microsoft. (2006, October 30). How to use the SysKey utility to secure the Windows Security Accounts Manager database. Retrieved August 3, 2016.
  55. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  56. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  57. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  58. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  59. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  60. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  61. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  62. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  63. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  64. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  65. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  66. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  67. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  68. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  69. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
  70. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  71. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  72. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  73. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  74. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  75. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  76. Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  77. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  78. Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.
  79. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  80. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  81. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  82. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  83. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  84. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.