T1036.008 Masquerade File Type Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousMismatch = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where FileExt in ("jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "doc", "mp3", "wav", "avi")
| where FileSize > 50000
| project Timestamp, DeviceName, FileName, FolderPath, FileExt, FileSize, SHA256,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
let ExecutableDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where FileExt in ("gif", "jpg", "png", "bmp", "txt", "mp3", "pub", "accdb")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileExt, FileSize,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
union SuspiciousMismatch, ExecutableDrops
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives

Legitimate image processing or media conversion software creating files with standard extensions from command-line tools
Web browsers saving downloaded images or documents that trigger file creation events from child processes
Backup and archival tools that rename or copy media files as part of automated workflows
Software build systems that generate resource files with image extensions during compilation

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| rex field=TargetFilename "(?<file_ext>\.[a-zA-Z0-9]+)$"
| eval file_ext=lower(file_ext)
| where file_ext IN (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".pdf", ".mp3", ".wav", ".pub", ".accdb")
| rex field=Image "(?<proc_name>[^\\]+)$"
| eval proc_name=lower(proc_name)
| eval suspicious_parent=if(match(proc_name, "^(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|rundll32\.exe)$"), 1, 0)
| where suspicious_parent=1
| eval is_temp_path=if(match(TargetFilename, "(?i)(\\temp\\|\\tmp\\|\\appdata\\|\\downloads\\)"), 1, 0)
| table _time, host, User, Image, TargetFilename, file_ext, is_temp_path
| sort - _time

high severity medium confidence

Data Sources

File: File Creation Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate image processing or media conversion software creating files from command-line tools
Web browsers saving downloads that trigger file creation events
Backup and archival tools that copy media files via scripted workflows
Software build systems generating resource files with image extensions

Elastic Security (EQL)

eql

sequence by host.id with maxspan=5m
  [file where event.action in ("creation", "modification") and
   file.extension in ("jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "doc", "mp3", "wav", "avi", "pub", "accdb") and
   file.size > 50000 and
   process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe") and
   (
     file.path like~ "*\\temp\\*" or
     file.path like~ "*\\tmp\\*" or
     file.path like~ "*\\appdata\\*" or
     file.path like~ "*\\downloads\\*"
   )
  ] by process.entity_id

high severity high confidence

Data Sources

Elastic Endpoint Sysmon via Beats (filebeat/winlogbeat)

Required Tables

logs-endpoint.events.file-* winlogbeat-*

False Positives

Certutil legitimately decodes base64 content to files with arbitrary extensions during PKI operations or package deployments
PowerShell scripts that generate reports or exports as PDF/CSV may write large files to AppData or temp directories
Software installers using cmd.exe or msiexec dropping binary blobs with document-like intermediate filenames during staged extraction

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
       logsourceid,
       LOGSOURCENAME(logsourceid) AS log_source,
       sourceip,
       username,
       "filename",
       "filepath",
       "processname",
       "commandline",
       QIDNAME(qid) AS event_name
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12 /* Microsoft Windows Security Event Log */
  AND qid IN (SELECT id FROM qidmap WHERE name LIKE '%Sysmon%' OR name LIKE '%File Create%')
  AND devicetime > (NOW() - 86400000)
  AND (
    LOWER("filename") LIKE '%.gif'
    OR LOWER("filename") LIKE '%.jpg'
    OR LOWER("filename") LIKE '%.jpeg'
    OR LOWER("filename") LIKE '%.png'
    OR LOWER("filename") LIKE '%.bmp'
    OR LOWER("filename") LIKE '%.txt'
    OR LOWER("filename") LIKE '%.pdf'
    OR LOWER("filename") LIKE '%.mp3'
    OR LOWER("filename") LIKE '%.pub'
    OR LOWER("filename") LIKE '%.accdb'
  )
  AND (
    LOWER("processname") LIKE '%powershell.exe'
    OR LOWER("processname") LIKE '%cmd.exe'
    OR LOWER("processname") LIKE '%wscript.exe'
    OR LOWER("processname") LIKE '%cscript.exe'
    OR LOWER("processname") LIKE '%mshta.exe'
    OR LOWER("processname") LIKE '%certutil.exe'
    OR LOWER("processname") LIKE '%bitsadmin.exe'
    OR LOWER("processname") LIKE '%rundll32.exe'
  )
ORDER BY devicetime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar — Windows Sysmon DSM (EventID 11) Microsoft Windows Security Event Log DSM

Required Tables

events

False Positives

Helpdesk or deployment scripts using certutil.exe or bitsadmin.exe to stage software packages with non-executable intermediate file names
PowerShell-based backup agents that write compressed or encoded blobs with image-like extensions as part of delta backup formats
Document management automation using wscript.exe or cmd.exe to batch-rename or convert files into PDF/DOC intermediates

Sumo Logic CSE

sql

_sourceCategory=windows/sysmon
| parse regex "EventID=(?<event_id>\d+)"
| where event_id = "11"
| parse regex "TargetFilename=(?<target_filename>[^\r\n]+)" nodrop
| parse regex "Image=(?<image>[^\r\n]+)" nodrop
| parse regex "User=(?<user>[^\r\n]+)" nodrop
| parse regex "ProcessId=(?<pid>[^\r\n]+)" nodrop
| eval file_ext = toLowerCase(replace(target_filename, /^.*(\.\w+)$/, "$1"))
| where file_ext in (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".pdf", ".mp3", ".wav", ".pub", ".accdb")
| eval proc_name = toLowerCase(replace(image, /^.*\\([^\\]+)$/, "$1"))
| where proc_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe")
| eval is_suspicious_path = if(matches(toLowerCase(target_filename), "(\\\\temp\\\\|\\\\tmp\\\\|\\\\appdata\\\\|\\\\downloads\\\\)"), 1, 0)
| fields _messageTime, _sourceHost, user, proc_name, target_filename, file_ext, is_suspicious_path, pid
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Source — Sysmon Operational log

Required Tables

_sourceCategory=windows/sysmon

False Positives

Automated PowerShell IT inventory scripts that export host data as .txt or .csv files into the user temp directory
Certutil usage by PKI administrators downloading CRL files or certificate chains saved as .gif or similar extension during custom build pipelines
Build automation using cmd.exe spawning toolchains that emit intermediate binary artifacts with media extensions before later renaming

Google Chronicle / SecOps

yaral

rule masquerade_file_type_lolbin_drop {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects LOLBin or scripting engine processes writing files with benign media or document extensions, indicating potential file type masquerading (T1036.008)"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.008"
    severity = "HIGH"
    priority = "HIGH"

  events:
    $e.metadata.event_type = "FILE_CREATION"
    $e.principal.process.file.full_path = /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|rundll32\.exe)$/
    (
      $e.target.file.full_path = /(?i)\.gif$/ or
      $e.target.file.full_path = /(?i)\.jpg$/ or
      $e.target.file.full_path = /(?i)\.jpeg$/ or
      $e.target.file.full_path = /(?i)\.png$/ or
      $e.target.file.full_path = /(?i)\.bmp$/ or
      $e.target.file.full_path = /(?i)\.txt$/ or
      $e.target.file.full_path = /(?i)\.pdf$/ or
      $e.target.file.full_path = /(?i)\.mp3$/ or
      $e.target.file.full_path = /(?i)\.wav$/ or
      $e.target.file.full_path = /(?i)\.pub$/ or
      $e.target.file.full_path = /(?i)\.accdb$/
    )
    (
      $e.target.file.full_path = /(?i)\\temp\\/ or
      $e.target.file.full_path = /(?i)\\tmp\\/ or
      $e.target.file.full_path = /(?i)\\appdata\\/ or
      $e.target.file.full_path = /(?i)\\downloads\\/
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle — Windows Sensor (Sysmon or EDR forwarder) Chronicle UDM normalized file events

Required Tables

FILE_CREATION UDM events

False Positives

PowerShell scripts performing legitimate file type conversion (e.g., generating thumbnails, rendering PDFs) may write intermediary files to AppData
Certutil.exe invoked by patch management systems to decode base64-encoded payloads staged as image files before execution
Enterprise archiving or DLP tools using cmd.exe to copy documents into downloads with normalized extensions for policy tagging

CrowdStrike LogScale (CQL)

cql

#event_simpleName=WriteFile
| TargetFileName = /\.(gif|jpg|jpeg|png|bmp|txt|pdf|mp3|wav|pub|accdb)$/i
| ImageFileName = /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|rundll32\.exe)$/
| TargetFileName = /(?i)(\\temp\\|\\tmp\\|\\appdata\\|\\downloads\\)/
| eval proc_name = replace(ImageFileName, /^.*\\([^\\]+)$/, "$1")
| eval file_ext = replace(TargetFileName, /^.*(\.\w+)$/, "$1")
| table([_time, ComputerName, UserName, proc_name, TargetFileName, file_ext, TargetProcessId, CommandLine])
| sort(field=_time, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Sensor — WriteFile events via Falcon Data Replicator or LogScale ingestion

Required Tables

#event_simpleName=WriteFile

False Positives

Bitsadmin.exe or certutil.exe used by SCCM or Intune to stage pre-deployment packages as encoded blobs with image extensions
PowerShell-based log collection scripts exporting structured data to .txt or .pdf report files in the user downloads directory
Security tooling (e.g., DLP agents) using cmd.exe to create shadow copies of sensitive documents in AppData with renamed extensions for inspection

Masquerade File Type

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections