Detect Masquerade File Type in Splunk
Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.008 Masquerade File Type
- Canonical reference
- https://attack.mitre.org/techniques/T1036/008/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| rex field=TargetFilename "(?<file_ext>\.[a-zA-Z0-9]+)$"
| eval file_ext=lower(file_ext)
| where file_ext IN (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".pdf", ".mp3", ".wav", ".pub", ".accdb")
| rex field=Image "(?<proc_name>[^\\]+)$"
| eval proc_name=lower(proc_name)
| eval suspicious_parent=if(match(proc_name, "^(powershell\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|certutil\.exe|bitsadmin\.exe|rundll32\.exe)$"), 1, 0)
| where suspicious_parent=1
| eval is_temp_path=if(match(TargetFilename, "(?i)(\\temp\\|\\tmp\\|\\appdata\\|\\downloads\\)"), 1, 0)
| table _time, host, User, Image, TargetFilename, file_ext, is_temp_path
| sort - _timeDetects files with benign-looking extensions (images, documents, media) created by suspicious processes using Sysmon Event ID 11 (File Creation). Focuses on cases where LOLBins or scripting engines drop files masquerading as harmless file types — a pattern used by threat actors to stage payloads that bypass extension-based security controls. Includes a flag for files dropped in temporary/user directories, which increases suspicion.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Legitimate image processing or media conversion software creating files from command-line tools
- Web browsers saving downloads that trigger file creation events
- Backup and archival tools that copy media files via scripted workflows
- Software build systems generating resource files with image extensions
Other platforms for T1036.008
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Masquerade EXE as GIF File (Volt Typhoon Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.
- Test 2Create Polyglot HTML/DLL File (StrelaStealer Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1: Process Create for powershell.exe with Set-Content command. PowerShell ScriptBlock Log Event ID 4104 with the polyglot content creation.
- Test 3Rename DLL to Image Extension
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'screenshot.png' in Temp directory. File hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.
- Test 4Certutil Download with Extension Masquerade
Expected signal: Sysmon Event ID 1: Process Create for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11: FileCreate with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.
References (7)
- https://attack.mitre.org/techniques/T1036/008/
- https://unit42.paloaltonetworks.com/polyglot-file-icedid-payload
- https://www.secureworks.com/research/bronze-silhouette-targets-us-government-and-defense-organizations
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.008/T1036.008.md
- https://www.withsecure.com/en/research/publications/kapeka
- https://www.netskope.com/blog/lumma-stealer
Unlock Pro Content
Get the full detection package for T1036.008 including response playbook, investigation guide, and atomic red team tests.