Detect Masquerade File Type in IBM QRadar
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.008 Masquerade File Type
- Canonical reference
- https://attack.mitre.org/techniques/T1036/008/
QRadar Detection Query
SELECT DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
logsourceid,
LOGSOURCENAME(logsourceid) AS log_source,
sourceip,
username,
"filename",
"filepath",
"processname",
"commandline",
QIDNAME(qid) AS event_name
FROM events
WHERE LOGSOURCETYPEID(logsourceid) = 12 /* Microsoft Windows Security Event Log */
AND qid IN (SELECT id FROM qidmap WHERE name LIKE '%Sysmon%' OR name LIKE '%File Create%')
AND devicetime > (NOW() - 86400000)
AND (
LOWER("filename") LIKE '%.gif'
OR LOWER("filename") LIKE '%.jpg'
OR LOWER("filename") LIKE '%.jpeg'
OR LOWER("filename") LIKE '%.png'
OR LOWER("filename") LIKE '%.bmp'
OR LOWER("filename") LIKE '%.txt'
OR LOWER("filename") LIKE '%.pdf'
OR LOWER("filename") LIKE '%.mp3'
OR LOWER("filename") LIKE '%.pub'
OR LOWER("filename") LIKE '%.accdb'
)
AND (
LOWER("processname") LIKE '%powershell.exe'
OR LOWER("processname") LIKE '%cmd.exe'
OR LOWER("processname") LIKE '%wscript.exe'
OR LOWER("processname") LIKE '%cscript.exe'
OR LOWER("processname") LIKE '%mshta.exe'
OR LOWER("processname") LIKE '%certutil.exe'
OR LOWER("processname") LIKE '%bitsadmin.exe'
OR LOWER("processname") LIKE '%rundll32.exe'
)
ORDER BY devicetime DESC
LIMIT 500
AQL query correlating Sysmon file creation events (Event ID 11) ingested via the Windows DSM against suspicious LOLBin process names writing files with media or document extensions. It targets the last 24 hours and returns the process, filename, and source context for analyst triage.
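Added example, not part of this rule or of QRadar: a Python triage helper that reproduces the query's process and extension filters over constructed Sysmon-like records, then checks each file's leading bytes against what its extension promises, the signature comparison the ATT&CK description refers to but which an AQL query over event metadata cannot perform. The record fields, sample paths and header bytes are constructed for the example.

```python
import ntpath

# Magic bytes for the extensions the AQL query treats as benign carriers. .txt has no
# signature and gets a printable-bytes heuristic; .pub/.accdb get no header check here.
MAGIC = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".bmp": (b"BM",),
    ".pdf": (b"%PDF-",), ".mp3": (b"ID3", b"\xff\xfb", b"\xff\xf3", b"\xff\xf2"),
}
WATCHED_EXT = set(MAGIC) | {".txt", ".pub", ".accdb"}
# Same LOLBin set as the query's processname filter.
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
           "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}

def classify_header(header: bytes, ext: str) -> str:
    """Compare the first bytes of a file with what its extension promises."""
    if header.startswith(b"MZ"):
        return "pe-executable"          # EXE/DLL wearing a document/media name
    if ext == ".txt":
        return "text" if all(b in PRINTABLE for b in header) else "binary"
    sigs = MAGIC.get(ext)
    if sigs is None:
        return "no-signature"
    return "match" if header.startswith(sigs) else "mismatch"

def triage(event: dict):
    """Apply the query's two filters, then add the header verdict the query
    cannot compute because QRadar never sees the file's bytes."""
    proc = ntpath.basename(event["processname"]).lower()
    ext = ntpath.splitext(event["filename"])[1].lower()
    if proc not in LOLBINS or ext not in WATCHED_EXT:
        return None
    return {"filename": event["filename"], "process": proc,
            "header": classify_header(event["header"], ext)}

# Constructed Sysmon-like records (not real telemetry), shaped on the page's test cases.
EVENTS = [
    {"processname": r"C:\Windows\System32\cmd.exe",
     "filename": r"C:\Users\Public\data_export.gif", "header": b"MZ\x90\x00\x03"},
    {"processname": r"C:\Windows\explorer.exe",
     "filename": r"C:\Users\a\Pictures\cat.gif", "header": b"GIF89a\x01\x00"},
    {"processname": r"C:\Windows\System32\certutil.exe",
     "filename": r"C:\Temp\payload.txt", "header": b"-----BEGIN CERTIFICATE-----\r\n"},
    {"processname": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "filename": r"C:\Temp\report.pdf", "header": b"%PDF-1.7\n"},
]
```

The third record shows why the header check complements rather than replaces the query: certutil -encode output is plain text, so only the LOLBin-plus-extension correlation surfaces it, while the fourth record is a query hit whose header agrees with its extension and is a tuning candidate.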
False Positives & Tuning
- Helpdesk or deployment scripts using certutil.exe or bitsadmin.exe to stage software packages with non-executable intermediate file names
- PowerShell-based backup agents that write compressed or encoded blobs with image-like extensions as part of delta backup formats
- Document management automation using wscript.exe or cmd.exe to batch-rename or convert files into PDF/DOC intermediates
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Masquerade EXE as GIF File (Volt Typhoon Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.
- Test 2: Create Polyglot HTML/DLL File (StrelaStealer Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command. PowerShell ScriptBlock Log Event ID 4104 with the polyglot content creation.
- Test 3: Rename DLL to Image Extension
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'screenshot.png' in Temp directory. File hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.
- Test 4: Certutil Download with Extension Masquerade
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11: FileCreate with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.
References (7)
- https://attack.mitre.org/techniques/T1036/008/
- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
- https://www.secureworks.com/research/bronze-silhouette-targets-us-government-and-defense-organizations
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.008/T1036.008.md
- https://www.withsecure.com/en/research/publications/kapeka
- https://www.netskope.com/blog/lumma-stealer