A process is masquerading as a common Microsoft product

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-06-15

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: XDR Agent
Detection Modules
Detector Tags	EDR Windows Disguised Processes
ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Masquerading (T1036)
Severity	Informational

Description

An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

Investigate the executed process image and check if it is malicious.
Investigate the actor process that executed the process and check if it is malicious.

Variations

An unsigned actor executed masqueraded process which was downloaded from unexpected source

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Masquerading (T1036)
Severity	High

Description

An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

Investigate the executed process image and check if it is malicious.
Investigate the actor process that executed the process and check if it is malicious.

An unsigned and rare actor executing masqueraded process with uncommon characteristics

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Masquerading (T1036)
Severity	High

Description

An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

Investigate the executed process image and check if it is malicious.
Investigate the actor process that executed the process and check if it is malicious.

A process that was executed by remote causality actor is masquerading as a common Microsoft product

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Masquerading (T1036)
Severity	Medium

Description

An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

Investigate the executed process image and check if it is malicious.
Investigate the actor process that executed the process and check if it is malicious.

A process is masquerading as a common Microsoft Lolbin

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Masquerading (T1036)
Severity	Low

Description

An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

Investigate the executed process image and check if it is malicious.
Investigate the actor process that executed the process and check if it is malicious.

A process running from a commonly abused directory is masquerading as a common Microsoft product

Synopsis

ATT&CK Tactic	Defense Evasion (TA0005)
ATT&CK Technique	Masquerading (T1036)
Severity	Low

Description

An attacker might leverage common Microsoft software image names to run malicious processes without being caught.

Attacker's Goals

An attacker is attempting to masquerade as a Microsoft software image to execute malicious code.

Investigative actions

Investigate the executed process image and check if it is malicious.
Investigate the actor process that executed the process and check if it is malicious.