Detect Masquerade File Type in Microsoft Sentinel
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.008 Masquerade File Type
- Canonical reference
- https://attack.mitre.org/techniques/T1036/008/
KQL Detection Query
let SuspiciousMismatch = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileModified")
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where FileExt in ("jpg", "jpeg", "png", "gif", "bmp", "txt", "pdf", "doc", "mp3", "wav", "avi")
| where FileSize > 50000
| project Timestamp, DeviceName, FileName, FolderPath, FileExt, FileSize, SHA256,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
let ExecutableDrops = DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType == "FileCreated"
| extend FileExt = tolower(tostring(split(FileName, ".")[-1]))
| where FileExt in ("gif", "jpg", "png", "bmp", "txt", "mp3", "pub", "accdb")
| where InitiatingProcessFileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe")
| project Timestamp, DeviceName, FileName, FolderPath, FileExt, FileSize,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName;
union SuspiciousMismatch, ExecutableDrops
| sort by Timestamp descDetects potential file type masquerading by identifying files with benign extensions (images, documents, media) created by suspicious processes commonly used for payload delivery (PowerShell, cmd, scripting hosts, certutil, bitsadmin). Also flags large files with media/document extensions that may contain hidden executables or polyglot content. This covers tradecraft from Volt Typhoon (.gif extension on ntds.dit), QakBot (payloads disguised as PNG), Lumma Stealer (JavaScript in .mp3/.pub files), and Brute Ratel C4 (malicious LNK with Word icons).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate image processing or media conversion software creating files with standard extensions from command-line tools
- Web browsers saving downloaded images or documents that trigger file creation events from child processes
- Backup and archival tools that rename or copy media files as part of automated workflows
- Software build systems that generate resource files with image extensions during compilation
Other platforms for T1036.008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Masquerade EXE as GIF File (Volt Typhoon Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.
- Test 2Create Polyglot HTML/DLL File (StrelaStealer Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command. PowerShell ScriptBlock Log Event ID 4104 with the polyglot content creation.
- Test 3Rename DLL to Image Extension
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'screenshot.png' in Temp directory. File hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.
- Test 4Certutil Download with Extension Masquerade
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11: FileCreate with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.
References (7)
- https://attack.mitre.org/techniques/T1036/008/
- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
- https://www.secureworks.com/research/bronze-silhouette-targets-us-government-and-defense-organizations
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.008/T1036.008.md
- https://www.withsecure.com/en/research/publications/kapeka
- https://www.netskope.com/blog/lumma-stealer
Unlock Pro Content
Get the full detection package for T1036.008 including response playbook, investigation guide, and atomic red team tests.