T1036.008 CrowdStrike LogScale · LogScale

Detect Masquerade File Type in CrowdStrike LogScale

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.008 Masquerade File Type
Canonical reference
https://attack.mitre.org/techniques/T1036/008/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=WriteFile
| TargetFileName = /\.(gif|jpg|jpeg|png|bmp|txt|pdf|mp3|wav|pub|accdb)$/i
| ImageFileName = /(?i)(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|rundll32\.exe)$/
| TargetFileName = /(?i)(\\temp\\|\\tmp\\|\\appdata\\|\\downloads\\)/
| eval proc_name = replace(ImageFileName, /^.*\\([^\\]+)$/, "$1")
| eval file_ext = replace(TargetFileName, /^.*(\.\w+)$/, "$1")
| table([_time, ComputerName, UserName, proc_name, TargetFileName, file_ext, TargetProcessId, CommandLine])
| sort(field=_time, order=desc)
high severity high confidence

CrowdStrike LogScale query against WriteFile telemetry matching Falcon sensor events where a LOLBin process writes a file with a benign media or document extension to a high-risk user-writable directory. Surfaces the process name, command line, target path, and user for rapid analyst triage.

Data Sources

CrowdStrike Falcon Sensor — WriteFile events via Falcon Data Replicator or LogScale ingestion

Required Tables

#event_simpleName=WriteFile

False Positives & Tuning

  • Bitsadmin.exe or certutil.exe used by SCCM or Intune to stage pre-deployment packages as encoded blobs with image extensions
  • PowerShell-based log collection scripts exporting structured data to .txt or .pdf report files in the user downloads directory
  • Security tooling (e.g., DLP agents) using cmd.exe to create shadow copies of sensitive documents in AppData with renamed extensions for inspection
Download portable Sigma rule (.yml)

Other platforms for T1036.008

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Masquerade EXE as GIF File (Volt Typhoon Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.

  2. Test 2Create Polyglot HTML/DLL File (StrelaStealer Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command. PowerShell ScriptBlock Log Event ID 4104 with the polyglot content creation.

  3. Test 3Rename DLL to Image Extension

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'screenshot.png' in Temp directory. File hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.

  4. Test 4Certutil Download with Extension Masquerade

    Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11: FileCreate with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.

Last updated: 2026-04-16 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.008 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.007Double File ExtensionT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.007Double File ExtensionT1105Ingress Tool TransferT1608.001Upload MalwareT1204.002Malicious FileT1059.001PowerShellT1218.011Rundll32T1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections