T1036.008 Elastic Security · Elastic

Detect Masquerade File Type in Elastic Security

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.008 Masquerade File Type
Canonical reference
https://attack.mitre.org/techniques/T1036/008/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by host.id with maxspan=5m
  [file where event.action in ("creation", "modification") and
   file.extension in ("jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "doc", "mp3", "wav", "avi", "pub", "accdb") and
   file.size > 50000 and
   process.name in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe") and
   (
     file.path like~ "*\\temp\\*" or
     file.path like~ "*\\tmp\\*" or
     file.path like~ "*\\appdata\\*" or
     file.path like~ "*\\downloads\\*"
   )
  ] by process.entity_id
high severity high confidence

Detects masqueraded file type drops where suspicious scripting or LOLBin processes write files with benign media or document extensions (jpg, png, pdf, etc.) that exceed 50KB into writable user directories. Sequences on host and process entity to correlate parent context.

Data Sources

Elastic EndpointSysmon via Beats (filebeat/winlogbeat)

Required Tables

logs-endpoint.events.file-*winlogbeat-*

False Positives & Tuning

  • Certutil legitimately decodes base64 content to files with arbitrary extensions during PKI operations or package deployments
  • PowerShell scripts that generate reports or exports as PDF/CSV may write large files to AppData or temp directories
  • Software installers using cmd.exe or msiexec dropping binary blobs with document-like intermediate filenames during staged extraction
Download portable Sigma rule (.yml)

Other platforms for T1036.008

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Masquerade EXE as GIF File (Volt Typhoon Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.

  2. Test 2Create Polyglot HTML/DLL File (StrelaStealer Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command. PowerShell ScriptBlock Log Event ID 4104 with the polyglot content creation.

  3. Test 3Rename DLL to Image Extension

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'screenshot.png' in Temp directory. File hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.

  4. Test 4Certutil Download with Extension Masquerade

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11: FileCreate with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.007Double File ExtensionT1105Ingress Tool TransferT1608.001Upload MalwareT1204.002Malicious FileT1059.001PowerShellT1218.011Rundll32T1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections