This site has been deprecated in favor of and will remain in place until 11/1/22.


From attackics

ID: T0849
Tactic: Evasion
Data Sources: Command: Command Execution, File: File Metadata, File: File Modification, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Asset: Human-Machine Interface, Control Server


Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises for these masquerading files include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, adversaries make it less likely that operators and engineers notice the underlying malicious content, and the masquerading files may end up being run as if they were legitimate.

Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.

Procedure Examples

  • Sandworm Team transfers executable files as .txt and then renames them to .exe, likely to avoid detection through extension tracking.[1]
  • EKANS masquerades itself as a valid executable with the filename "update.exe". Many valid programs use the process name "update.exe" to perform background software updates.[2]
  • Industroyer includes a launch component that loads DLLs and EXEs with filenames associated with common electric power sector protocols, including 101.dll, 104.dll, 61850.dll, OPCClientDemo.dll, OPC.exe, and 61850.exe.[3]
  • REvil checks whether the Ahnlab "autoup.exe" service is running on the target system and injects its payload into this existing process.[4]
  • Stuxnet renames s7otbxdx.dll, a DLL responsible for handling communications with a PLC. It replaces this DLL with its own version, which allows it to intercept any calls made to access the PLC.[5]
  • Triton's injector, inject.bin, masquerades as a standard compiled PowerPC program for the Tricon.[6]
  • Triton was configured to masquerade as trilog.exe, which is the Triconex software for analyzing SIS logs.[7]

Mitigations

  • Execution Prevention - Use tools that restrict program execution via application control by attributes other than file name for common system and application utilities.
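As an added example (not part of the ATT&CK for ICS page), the check below applies the mitigation's point in Python: it judges files by content and hash rather than by name, flagging a PE image stored under a non-executable extension (the .txt staging above) and a familiar file name such as update.exe or s7otbxdx.dll whose hash is not a known-good build. The sample directory, the minimal PE-like header and the all-zero allowlist digest are constructed for the demo and are not real vendor artifacts.

```python
import hashlib
import os
import tempfile

PE_EXTENSIONS = {".exe", ".dll", ".sys", ".ocx"}

def is_pe(data: bytes) -> bool:
    # A PE image starts with the 'MZ' DOS stub; e_lfanew at 0x3C points to 'PE\0\0'.
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_masquerades(root: str, allowlist: dict) -> dict:
    # allowlist: lowercase file name -> SHA-256 digests of known-good builds; a familiar name alone never passes.
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            with open(os.path.join(dirpath, name), "rb") as f:
                data = f.read()
            reasons = []
            ext = os.path.splitext(name)[1].lower()
            if is_pe(data) and ext not in PE_EXTENSIONS:
                reasons.append(f"PE image stored with extension {ext or '(none)'}")
            expected = allowlist.get(name.lower())
            if expected is not None and hashlib.sha256(data).hexdigest() not in expected:
                reasons.append("known file name but hash is not a known-good build")
            if reasons:
                findings[name] = reasons
    return findings

def make_pe(payload: bytes) -> bytes:
    # Constructed minimal PE-like header (MZ stub, e_lfanew=0x40, PE signature); demo only.
    return b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + payload

def demo() -> dict:
    # Constructed sample directory mirroring the procedure examples; returns the findings.
    samples = {
        "update.exe": make_pe(b"vendor update build"),  # legitimate: hash is on the allowlist
        "notes.txt": make_pe(b"staged dropper"),        # executable shipped under a .txt name
        "s7otbxdx.dll": make_pe(b"replaced dll"),       # expected name, unexpected hash
        "readme.txt": b"plain text, nothing to flag",
    }
    allowlist = {"update.exe": {hashlib.sha256(samples["update.exe"]).hexdigest()},
                 "s7otbxdx.dll": {"0" * 64}}  # placeholder digest, not a real vendor hash
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        return find_masquerades(root, allowlist)
```

In production the allowlist would be populated from vendor-published hashes or a golden image, and the scan scheduled over engineering workstation and HMI program directories.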