Masquerading `T1036`

Tactic: Stealth

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Events covered

30 catalog events are tagged with this technique by at least one rule.

Provider	Event	Title
Sysmon	Event ID 1	Process creation
Sysmon	Event ID 3	Network connection
Sysmon	Event ID 5	Process terminated
Sysmon	Event ID 6	Driver loaded
Sysmon	Event ID 7	Image loaded
Sysmon	Event ID 11	FileCreate
Sysmon	Event ID 13	RegistryEvent (Value Set)
Sysmon	Event ID 29	FileExecutableDetected
Security-Auditing	Event ID 4663	An attempt was made to access an object.
Security-Auditing	Event ID 4688	A new process has been created.
Security-Auditing	Event ID 4689	A process has exited.
Security-Auditing	Event ID 4720	A user account was created.
Security-Auditing	Event ID 4768	A Kerberos authentication ticket (TGT) was requested.
Security-Auditing	Event ID 4781	The name of an account was changed.
Security-Auditing	Event ID 4799	A security-enabled local group membership was enumerated.
Security-Auditing	Event ID 5058	Key file operation.
Security-Auditing	Event ID 5059	Key migration operation.
Security-Auditing	Event ID 5156	The Windows Filtering Platform has permitted a connection.
Security-Auditing	Event ID 5379	Credential Manager credentials were read.
Defender-DeviceProcessEvents	any	Process activity (any)
Defender-DeviceProcessEvents	ProcessCreated	Process created
ESF	exec	Process Execution (Notify)
ESF	rename	File Rename (NOTIFY)
ESF	write	File Write (NOTIFY)
PowerShell	Event ID 4103	Payload Context: ContextInfo User Data: UserData.
PowerShell	Event ID 4104	Creating Scriptblock text (MessageNumber of MessageTotal).
Windows-Defender	Event ID 1119	ProductName has encountered a critical error when taking action on malware or other potentially unwanted software.
PowerShell	Event ID 400	Event ID 400
Service-Control-Manager	Event ID 7045	A service was installed in the system.
Sysmon-for-Linux	Event ID 1	Process Create

Authoring guide

Patterns shared across the 261 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (128 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field	Rules	How	Sample values
`Image`	94	`ends_with` 66, `contains` 12, `starts_with` 12, `wildcard` 8, `eq` 5, `is_not_null` 3, `match` 2, `ne` 2, `in` 1, `is_null` 1	`\cmd.exe`, `\bitsadmin.exe`, `/dev/shm/`, `\cscript.exe`, `\powershell.exe`
`CommandLine`	71	`contains` 48, `regex_match` 15, `ends_with` 7, `in` 6, `match` 3, `ne` 2, `eq` 1, `is_null` 1, `starts_with` 1, `wildcard` 1	`/create` , `/addfile` , `/transfer` , `cp` , `(?i)(copy-item\|copy\|xcopy\|cp\|cpi\|robocopy)\s+.+(\x5c(syst...`
`process_name`	61	`eq` 28, `in` 7, `match` 6, `regex_match` 6, `ne` 5, `starts_with` 5, `contains` 2, `ends_with` 2, `wildcard` 2, `is_not_null` 1	`kworker`, `bash`, `cmd.exe`, `cmstp.exe`, `powershell.exe`
`OriginalFileName`	51	`eq` 46, `contains` 2, `in` 1, `is_not_null` 1, `ne` 1, `wildcard` 1	`bitsadmin.exe`, `msbuild.exe`, `msdt.exe`, `schtasks.exe`, `xcopy.exe`
`event.type`	50	`eq` 49, `ne` 2	`start`, `creation`, `deletion`
`EventID`	36	`eq` 36	`4688`, `1`, `4103`, `4104`, `11`
`EventType`	24	`in` 12, `eq` 9, `ne` 2, `starts_with` 1	`exec`, `exec_event`, `ProcessRollup2`, `creation`, `load`
`parent_process_name`	22	`eq` 10, `is_not_null` 5, `match` 3, `in` 2, `regex_match` 2, `ne` 1	`(?i)\s+\x5c`, `(?i)lsass\.exe`, `cmd.exe`, `explorer.exe`, `(?i)^\w{1,2}\.exe`
`ParentImage`	21	`ends_with` 14, `eq` 4, `is_not_null` 3, `contains` 2, `is_null` 2, `in` 1, `ne` 1	`\msmpeng.exe`, `-`, `\mrt.exe`, `.doc.js`, `.doc.lnk`
`TargetFilename`	18	`contains` 12, `ends_with` 8, `starts_with` 5, `in` 2, `wildcard` 2, `match` 1	`.exe`, `.dll`, `.doc.`, `.docx.`, `$recycle.bin`
`host.os.type`	18	`eq` 16, `in` 2
`Type`	11	`eq` 11
`process.args`	10	`eq` 5, `wildcard` 3, `starts_with` 2, `ends_with` 1, `is_not_null` 1	`-c`, `&`, `--as `, `--as-group`, `--as-uid`
`event.category`	8	`eq` 7, `in` 1	`process`, `file`, `library`, `network`
`Description`	6	`eq` 4, `contains` 2, `starts_with` 1	`Edit resources of exe`, `Execute processes remotely`, `Java Update Scheduler`, `Java(TM) Update Scheduler`, `Microsoft Access`

Top indicator values (5560 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Field	Kind	Value	Rules (here)	Corpus reach
`event.type`	`eq`	`start` elasticBinary Executed from Shared Memory Directory elasticConhost Spawned By Suspicious Parent Process elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticExecution from Unusual Directory - Command Line elasticExecution of an Unsigned Service elasticExecution via Windows Command Debugging Utility elasticFile with Right-to-Left Override Character (RTLO) Created/Executed elasticMasquerading Space After Filename elasticMicrosoft Build Engine Using an Alternate Name elasticPotential Credential Access via Renamed COM+ Services DLL elasticPotential CVE-2025-33053 Exploitation elasticPotential Data Exfiltration via Rclone elasticPotential DLL Side-Loading via Trusted Microsoft Programs elasticPotential Kubectl Masquerading via Unexpected Process elasticPotential Masquerading as Browser Process elasticPotential Masquerading as Business App Installer elasticPotential Masquerading as Communication Apps elasticPotential Masquerading as Svchost elasticPotential Masquerading as System32 Executable elasticPotential Privilege Escalation via InstallerFileTakeOver elasticPotential Windows Error Manager Masquerading elasticProcess Backgrounded by Unusual Parent elasticProcess Execution from an Unusual Directory elasticProcess Started from Process ID (PID) File elasticProcesses with Trailing Spaces elasticProgram Files Directory Masquerading elasticRenamed Automation Script Interpreter elasticRenamed Utility Executed with Short Program Name elasticSigned Proxy Execution via MS Work Folders elasticStartup Folder Persistence via Unsigned Process elasticSuspicious Communication App Child Process elasticSuspicious Endpoint Security Parent Process elasticSuspicious Microsoft Antimalware Service Execution elasticSuspicious Microsoft Diagnostics Wizard Execution elasticSuspicious Outlook Child Process elasticSuspicious Process Execution via Renamed PsExec Executable elasticSuspicious WerFault Child Process elasticSuspicious Zoom Child Process elasticTampering with RUNNER_TRACKING_ID in GitHub Actions Runners elasticUAC Bypass Attempt via Windows Directory Masquerading elasticUnusual Execution from Kernel Thread (kthreadd) Parent elasticUnusual Network Activity from a Windows System Binary elasticUnusual Parent-Child Relationship elasticUnusual Process Execution on WBEM Path elasticUnusual Process Extension	46	606
`event.type`	`eq`	`creation` elasticExecutable File Creation with Multiple Extensions elasticFile with Right-to-Left Override Character (RTLO) Created/Executed elasticMemory Dump File with Unusual Extension elasticSystem Path File Creation and Execution Detected via Defend for Containers	4	45
`EventID`	`eq`	`4688` splunk1 or 2 Character Executable (Windows Event Log) splunkDLL Concatenation (Windows Event Log) splunkMock System Directory - Windows (Windows Event Log) splunkOutput to File (Windows Event Log) splunkPotential Executable Masquerading as Document - Windows (Windows Event Log) splunkProcess Execution From Suspicious Folder (Windows Event Log) splunkSuspicious Child Process for lsass.exe (Windows Event Log) splunkSuspicious Parent Process for lsass.exe or services.exe (Windows Event Log) splunkSuspicious Parent Process for spoolsv.exe (Windows Event Log) splunkWindows Process Copied from System Folder (Windows Event Log) splunkWindows Process Outside of System Folder (Windows Event Log) kustoPotential re-named sdelete usage	12	313
`EventID`	`eq`	`1` splunkDLL Concatenation (Sysmon) splunkMock System Directory - Windows (Sysmon) splunkPotential Executable Masquerading as Document - Windows (Sysmon) splunkProcess Execution From Suspicious Folder (Sysmon) splunkRenamed Process (Sysmon) splunkSuspicious Child Process for lsass.exe (Sysmon) splunkSuspicious Parent Process for lsass.exe or services.exe (Sysmon) splunkSuspicious Parent Process for spoolsv.exe (Sysmon) splunkWindows Process Outside of System Folder (Sysmon) splunkWindows SoftEther VPN Masquerading as Legitimate Binary splunkWindows Suspicious QEMU Execution	11	237
`CommandLine`	`contains`	`/create` sigmaFile Download Via Bitsadmin sigmaFile Download Via Bitsadmin To A Suspicious Target Folder sigmaFile With Suspicious Extension Downloaded Via Bitsadmin sigmaRenamed Schtasks Execution sigmaScheduled Task Creation Masquerading as System Processes sigmaSuspicious Download From Direct IP Via Bitsadmin sigmaSuspicious Download From File-Sharing Website Via Bitsadmin	7	15
`CommandLine`	`contains`	`/addfile` sigmaFile Download Via Bitsadmin sigmaFile Download Via Bitsadmin To A Suspicious Target Folder sigmaFile With Suspicious Extension Downloaded Via Bitsadmin sigmaSuspicious Download From Direct IP Via Bitsadmin sigmaSuspicious Download From File-Sharing Website Via Bitsadmin	5	5
`CommandLine`	`contains`	`/transfer` sigmaFile Download Via Bitsadmin sigmaFile Download Via Bitsadmin To A Suspicious Target Folder sigmaFile With Suspicious Extension Downloaded Via Bitsadmin sigmaSuspicious Download From Direct IP Via Bitsadmin sigmaSuspicious Download From File-Sharing Website Via Bitsadmin	5	5
`CommandLine`	`contains`	`cp` sigmaCodePage Modification Via MODE.COM sigmaCodePage Modification Via MODE.COM To Russian Language sigmaLOL-Binary Copied From System Directory sigmaSuspicious Copy From or To System Directory	4	8
`EventType`	`in`	`exec` elasticBinary Executed from Shared Memory Directory elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent elasticProcesses with Trailing Spaces elasticUnusual Execution from Kernel Thread (kthreadd) Parent	7	171
`EventType`	`in`	`exec_event` elasticBinary Executed from Shared Memory Directory elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent elasticProcesses with Trailing Spaces	6	139
`EventType`	`in`	`ProcessRollup2` elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticProcess Backgrounded by Unusual Parent elasticUnusual Execution from Kernel Thread (kthreadd) Parent	4	117
`EventType`	`in`	`start` elasticDirectory Creation in /bin directory elasticExecutable Masquerading as Kernel Process elasticPotential Kubectl Masquerading via Unexpected Process elasticProcess Backgrounded by Unusual Parent	4	134
`Image`	`ends_with`	`\cmd.exe` sigmaForfiles.EXE Child Process Masquerading sigmaLOL-Binary Copied From System Directory sigmaPotential Defense Evasion Via Binary Rename sigmaRedSun - Conhost.exe Spawned by TieringEngineService.exe sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSuspicious Copy From or To System Directory	7	130
`Image`	`ends_with`	`\powershell.exe` sigmaLOL-Binary Copied From System Directory sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaRedSun - Conhost.exe Spawned by TieringEngineService.exe sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSuspicious Copy From or To System Directory sigmaSystem File Execution Location Anomaly	7	182
`Image`	`ends_with`	`\pwsh.exe` sigmaLOL-Binary Copied From System Directory sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaRedSun - Conhost.exe Spawned by TieringEngineService.exe sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSuspicious Copy From or To System Directory sigmaSystem File Execution Location Anomaly	7	168
`Image`	`ends_with`	`\bitsadmin.exe` sigmaFile Download Via Bitsadmin sigmaFile Download Via Bitsadmin To A Suspicious Target Folder sigmaFile With Suspicious Extension Downloaded Via Bitsadmin sigmaSuspicious Download From Direct IP Via Bitsadmin sigmaSuspicious Download From File-Sharing Website Via Bitsadmin sigmaSystem File Execution Location Anomaly	6	29
`Image`	`ends_with`	`\rundll32.exe` sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaProcess Memory Dump Via Comsvcs.DLL sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSystem File Execution Location Anomaly sigmaWindows Binaries Write Suspicious Extensions	6	95
`Image`	`ends_with`	`\svchost.exe` sigmaSuspicious Process Masquerading As SvcHost.EXE sigmaSystem File Execution Location Anomaly sigmaUncommon Svchost Command Line Parameter sigmaUncommon Svchost Parent Process sigmaWindows Binaries Write Suspicious Extensions sigmaWindows Processes Suspicious Parent Directory	6	23
`Image`	`ends_with`	`\conhost.exe` sigmaPotential Defense Evasion Via Binary Rename sigmaRedSun - Conhost.exe Spawned by TieringEngineService.exe sigmaSuspicious Process Parents sigmaSystem File Execution Location Anomaly	4	4
`Image`	`ends_with`	`\cscript.exe` sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSystem File Execution Location Anomaly	4	73
`Image`	`ends_with`	`\powershell_ise.exe` sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaRedSun - Conhost.exe Spawned by TieringEngineService.exe sigmaSuspicious Child Process Of Wermgr.EXE sigmaSystem File Execution Location Anomaly	4	41
`Image`	`ends_with`	`\regsvr32.exe` sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSystem File Execution Location Anomaly	4	65
`Image`	`ends_with`	`\schtasks.exe` sigmaRenamed Schtasks Execution sigmaScheduled Task Creation Masquerading as System Processes sigmaSuspicious Scheduled Task Creation via Masqueraded XML File sigmaSystem File Execution Location Anomaly	4	56
`Image`	`ends_with`	`\wscript.exe` sigmaPotential Defense Evasion Via Rename Of Highly Relevant Binaries sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Child Process Of Wermgr.EXE sigmaSystem File Execution Location Anomaly	4	75
`EventSubType`	`ne`	`AttackAttempt` kustoCyberArkEPM - Process started from different locations kustoCyberArkEPM - Renamed Windows binary kustoCyberArkEPM - Uncommon Windows process started from System folder kustoCyberArkEPM - Unexpected executable extension kustoCyberArkEPM - Unexpected executable location	5	7
`OriginalFileName`	`eq`	`bitsadmin.exe` sigmaFile Download Via Bitsadmin sigmaFile Download Via Bitsadmin To A Suspicious Target Folder sigmaFile With Suspicious Extension Downloaded Via Bitsadmin sigmaSuspicious Download From Direct IP Via Bitsadmin sigmaSuspicious Download From File-Sharing Website Via Bitsadmin	5	12
`event.category`	`eq`	`process` elasticExecution of an Unsigned Service elasticPotential Masquerading as Svchost elasticProcess Backgrounded by Unusual Parent elasticSuspicious DLL Loaded for Persistence or Privilege Escalation elasticUnusual Execution from Kernel Thread (kthreadd) Parent	5	128
`Image`	`starts_with`	`/dev/shm/` elasticAbnormal Process ID or Lock File Created elasticBinary Executed from Shared Memory Directory elasticSystem Path File Creation and Execution Detected via Defend for Containers elasticUnusual Execution from Kernel Thread (kthreadd) Parent	4	23
`Image`	`starts_with`	`/tmp/` sigmaPotentially Suspicious Execution From Tmp Folder elasticAbnormal Process ID or Lock File Created elasticSystem Path File Creation and Execution Detected via Defend for Containers elasticUnusual Execution from Kernel Thread (kthreadd) Parent	4	25
`process_name`	`eq`	`cmd.exe` elasticExecution from Unusual Directory - Command Line elasticPotential Masquerading as System32 Executable elasticPotential Privilege Escalation via InstallerFileTakeOver elasticSuspicious Zoom Child Process	4	77

Exclusions (979 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Field	Kind	Value	Rules excluding
`process.code_signature.trusted`	`eq`	`true` elasticMemory Dump File with Unusual Extension elasticPotential Masquerading as System32 Executable elasticPotential Privilege Escalation via InstallerFileTakeOver elasticSuspicious Communication App Child Process elasticSuspicious Outlook Child Process	5
`Image`	`ends_with`	`\cmd.exe` sigmaForfiles.EXE Child Process Masquerading sigmaPotential Defense Evasion Via Binary Rename sigmaSdiagnhost Calling Suspicious Child Process sigmaSuspicious Copy From or To System Directory	4
`Image`	`in`	`:\\windows\\system32\\` splunkSystem Processes Run From Unexpected Locations splunkWindows DotNet Binary in Non Standard Path splunkWindows LOLBAS Executed Outside Expected Path splunkWindows TinyCC Shellcode Execution	4
`Image`	`in`	`:\\windows\\syswow64\\` splunkSystem Processes Run From Unexpected Locations splunkWindows DotNet Binary in Non Standard Path splunkWindows LOLBAS Executed Outside Expected Path splunkWindows TinyCC Shellcode Execution	4
`Image`	`in`	`:\\windows\\winsxs\\` splunkSystem Processes Run From Unexpected Locations splunkWindows DotNet Binary in Non Standard Path splunkWindows LOLBAS Executed Outside Expected Path	3
`Image`	`starts_with`	`/tmp/newroot/` elasticAbnormal Process ID or Lock File Created elasticPotential Kubectl Masquerading via Unexpected Process elasticSystem Binary Moved or Copied elasticUnusual Execution from Kernel Thread (kthreadd) Parent	4
`Image`	`starts_with`	`c:\windows\system32\` sigmaLazarus System Binary Masquerading sigmaPotential MsiExec Masquerading sigmaSystem File Execution Location Anomaly	3
`Image`	`starts_with`	`c:\windows\syswow64\` sigmaLazarus System Binary Masquerading sigmaPotential MsiExec Masquerading sigmaSystem File Execution Location Anomaly	3
`parent_process_name`	`match`	`^-$` splunkSuspicious Parent Process for lsass.exe or services.exe (Sysmon) splunkSuspicious Parent Process for lsass.exe or services.exe (Windows Event Log) splunkSuspicious Parent Process for spoolsv.exe (Sysmon) splunkSuspicious Parent Process for spoolsv.exe (Windows Event Log)	4
`process_name`	`eq`	`rundll32.exe` elasticExecution from Unusual Directory - Command Line elasticMachine Learning Detected a Suspicious Windows Event with a High Malicious Probability Score elasticMachine Learning Detected a Suspicious Windows Event with a Low Malicious Probability Score elasticSuspicious Outlook Child Process	4
`ParentImage`	`ends_with`	`\msmpeng.exe` sigmaUncommon Svchost Command Line Parameter sigmaUncommon Svchost Parent Process sigmaWindows Processes Suspicious Parent Directory	3
`dll.code_signature.status`	`wildcard`	`errorCode_endpoint*` elasticPotential Masquerading as System32 DLL elasticUnsigned DLL Loaded by Svchost elasticUnsigned DLL Side-Loading from a Suspicious Folder	3
`dll.code_signature.status`	`wildcard`	`errorExpired` elasticUnsigned DLL Loaded by Svchost elasticUnsigned DLL Side-Loading from a Suspicious Folder elasticUntrusted Driver Loaded	3
`process.code_signature.status`	`wildcard`	`errorCode_endpoint*` elasticPotential Masquerading as Business App Installer elasticPotential Masquerading as System32 Executable elasticUnsigned BITS Service Client Process	3
`CommandLine`	`contains`	`sdelete` kustoPotential re-named sdelete usage kustoPotential re-named sdelete usage (ASIM Version)	2

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Masquerading `T1036`

Events covered

Authoring guide

Fields filtered most (128 distinct)

Top indicator values (5560 distinct)

Exclusions (979 distinct)

Rules under this technique

Sigma 96 rules

Elastic 78 rules

Splunk 63 rules

Kusto 24 rules

Keyboard shortcuts

Search operators

Masquerading T1036

Events covered

Authoring guide

Fields filtered most (128 distinct)

Top indicator values (5560 distinct)

Exclusions (979 distinct)

Rules under this technique

Sigma 96 rules

Elastic 78 rules

Splunk 63 rules

Kusto 24 rules

Masquerading `T1036`