Detect Masquerade File Type in Google Chronicle
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.008 Masquerade File Type
- Canonical reference
- https://attack.mitre.org/techniques/T1036/008/
YARA-L Detection Query
rule masquerade_file_type_lolbin_drop {
meta:
author = "Argus Detection Engineering"
description = "Detects LOLBin or scripting engine processes writing files with benign media or document extensions, indicating potential file type masquerading (T1036.008)"
mitre_attack_tactic = "Defense Evasion"
mitre_attack_technique = "T1036.008"
severity = "HIGH"
priority = "HIGH"
events:
$e.metadata.event_type = "FILE_CREATION"
$e.principal.process.file.full_path = /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|rundll32\.exe)$/
(
$e.target.file.full_path = /(?i)\.gif$/ or
$e.target.file.full_path = /(?i)\.jpg$/ or
$e.target.file.full_path = /(?i)\.jpeg$/ or
$e.target.file.full_path = /(?i)\.png$/ or
$e.target.file.full_path = /(?i)\.bmp$/ or
$e.target.file.full_path = /(?i)\.txt$/ or
$e.target.file.full_path = /(?i)\.pdf$/ or
$e.target.file.full_path = /(?i)\.mp3$/ or
$e.target.file.full_path = /(?i)\.wav$/ or
$e.target.file.full_path = /(?i)\.pub$/ or
$e.target.file.full_path = /(?i)\.accdb$/
)
(
$e.target.file.full_path = /(?i)\\temp\\/ or
$e.target.file.full_path = /(?i)\\tmp\\/ or
$e.target.file.full_path = /(?i)\\appdata\\/ or
$e.target.file.full_path = /(?i)\\downloads\\/
)
condition:
$e
}Chronicle YARA-L 2.0 rule matching FILE_CREATION UDM events where the initiating process is a known LOLBin or scripting engine and the target file carries a media or document extension written to a user-writable directory. Covers the core T1036.008 masquerade-via-extension pattern.
Data Sources
Required Tables
False Positives & Tuning
- PowerShell scripts performing legitimate file type conversion (e.g., generating thumbnails, rendering PDFs) may write intermediary files to AppData
- Certutil.exe invoked by patch management systems to decode base64-encoded payloads staged as image files before execution
- Enterprise archiving or DLP tools using cmd.exe to copy documents into downloads with normalized extensions for policy tagging
Other platforms for T1036.008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Masquerade EXE as GIF File (Volt Typhoon Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.
- Test 2Create Polyglot HTML/DLL File (StrelaStealer Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command. PowerShell ScriptBlock Log Event ID 4104 with the polyglot content creation.
- Test 3Rename DLL to Image Extension
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'screenshot.png' in Temp directory. File hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.
- Test 4Certutil Download with Extension Masquerade
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11: FileCreate with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.
References (7)
- https://attack.mitre.org/techniques/T1036/008/
- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
- https://www.secureworks.com/research/bronze-silhouette-targets-us-government-and-defense-organizations
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.008/T1036.008.md
- https://www.withsecure.com/en/research/publications/kapeka
- https://www.netskope.com/blog/lumma-stealer
Unlock Pro Content
Get the full detection package for T1036.008 including response playbook, investigation guide, and atomic red team tests.