T1036.008 Sumo Logic CSE · Sumo

Detect Masquerade File Type in Sumo Logic CSE

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1036 Masquerading
Sub-technique: T1036.008 Masquerade File Type
Canonical reference: https://attack.mitre.org/techniques/T1036/008/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=windows/sysmon
| parse regex "EventID=(?<event_id>\d+)"
| where event_id = "11"
| parse regex "TargetFilename=(?<target_filename>[^\r\n]+)" nodrop
| parse regex "Image=(?<image>[^\r\n]+)" nodrop
| parse regex "User=(?<user>[^\r\n]+)" nodrop
| parse regex "ProcessId=(?<pid>[^\r\n]+)" nodrop
// normalize the extension and the process name before matching
| toLowerCase(replace(target_filename, /^.*(\.\w+)$/, "$1")) as file_ext
| where file_ext in (".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".pdf", ".mp3", ".wav", ".pub", ".accdb")
| toLowerCase(replace(image, /^.*\\([^\\]+)$/, "$1")) as proc_name
| where proc_name in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe", "bitsadmin.exe", "rundll32.exe")
// flag writes into user-writable staging directories
| if(toLowerCase(target_filename) matches /\\(temp|tmp|appdata|downloads)\\/, 1, 0) as is_suspicious_path
| fields _messageTime, _sourceHost, user, proc_name, target_filename, file_ext, is_suspicious_path, pid
| sort by _messageTime desc

Severity: high. Confidence: high.

Sumo Logic CSE search over Sysmon EventID 11 (File Create) events identifying LOLBin or scripting processes that drop files with media or document extensions. Parses raw event fields, normalizes extension and process name, and flags writes to high-risk user-writable paths.
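As an added example (written for this page, not part of the rule or of Sumo Logic's tooling), the following Python replays the query's logic over constructed Sysmon records whose file names echo the tests in the Testing Methodology section, so the parse, normalisation and path-flag steps can be checked offline. The multi-line key=value layout and all sample values are assumptions.

```python
import re

# Constructed Sysmon records in the multi-line key=value layout the query's
# parse regex expects (sample data, not real telemetry).
def make_event(**fields):
    return "\r\n".join(f"{k}={v}" for k, v in fields.items())

SAMPLE_EVENTS = [
    make_event(EventID=11, Image=r"C:\Windows\System32\cmd.exe", User=r"CORP\alice", ProcessId=4120,
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\data_export.gif"),  # hit, risky path
    make_event(EventID=11, Image=r"C:\Windows\System32\cmd.exe", User=r"CORP\alice", ProcessId=4120,
               TargetFilename=r"C:\Users\alice\Documents\screenshot.png"),            # hit, normal path
    make_event(EventID=11, Image=r"C:\Windows\System32\certutil.exe", User=r"CORP\bob", ProcessId=5500,
               TargetFilename=r"C:\Users\bob\Downloads\payload.txt"),                  # hit, risky path
    make_event(EventID=11, Image=r"C:\Windows\System32\mspaint.exe", User=r"CORP\carol", ProcessId=7000,
               TargetFilename=r"C:\Users\carol\Pictures\holiday.jpg"),                 # not a LOLBin
    make_event(EventID=1, Image=r"C:\Windows\System32\cmd.exe", User=r"CORP\alice", ProcessId=4120,
               TargetFilename=r"C:\Users\alice\AppData\Local\Temp\notes.txt"),         # not Event ID 11
]

MEDIA_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".bmp", ".txt", ".pdf", ".mp3", ".wav", ".pub", ".accdb"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
           "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
SUSPICIOUS_PATH = re.compile(r"\\(temp|tmp|appdata|downloads)\\")

def parse_field(event, name):
    """Same as the query's `parse regex ... nodrop`: returns None when the key is absent."""
    m = re.search(rf"(?m)^{re.escape(name)}=(?P<v>[^\r\n]+)", event)
    return m.group("v") if m else None

def evaluate(event):
    """Apply the query's filters to one record; return the projected row or None."""
    if parse_field(event, "EventID") != "11":
        return None
    target = parse_field(event, "TargetFilename") or ""
    image = parse_field(event, "Image") or ""
    ext = re.search(r"(\.\w+)$", target)
    # replace() leaves an extension-less name untouched, so it never matches MEDIA_EXTS
    file_ext = (ext.group(1) if ext else target).lower()
    proc_name = image.rsplit("\\", 1)[-1].lower()
    if file_ext not in MEDIA_EXTS or proc_name not in LOLBINS:
        return None
    return {"user": parse_field(event, "User"), "pid": parse_field(event, "ProcessId"),
            "proc_name": proc_name, "target_filename": target, "file_ext": file_ext,
            "is_suspicious_path": int(bool(SUSPICIOUS_PATH.search(target.lower())))}

def run_detection(events):
    """Rows the Sumo query would return, in input order."""
    return [row for row in map(evaluate, events) if row]
```

Running it over SAMPLE_EVENTS yields three rows; the mspaint.exe write and the Event ID 1 record are filtered out exactly as the query's where clauses would drop them.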

Data Sources

Sumo Logic Installed Collector with Windows Event Source — Sysmon Operational log

Required Tables

_sourceCategory=windows/sysmon

False Positives & Tuning

  • Automated PowerShell IT inventory scripts that export host data as .txt or .csv files into the user temp directory
  • Certutil usage by PKI administrators downloading CRL files or certificate chains saved as .gif or similar extension during custom build pipelines
  • Build automation using cmd.exe spawning toolchains that emit intermediate binary artifacts with media extensions before later renaming
Testing Methodology

Validate this detection against 4 Atomic Red Team tests. Each test below names the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Masquerade EXE as GIF File (Volt Typhoon Pattern)

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename 'data_export.gif'. The file hash will match calc.exe despite the .gif extension. DeviceFileEvents with FileName=data_export.gif, ActionType=FileCreated, InitiatingProcessFileName=cmd.exe.

  2. Test 2: Create Polyglot HTML/DLL File (StrelaStealer Pattern)

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename 'invoice_polyglot.html'. Sysmon Event ID 1 (Process Create) for powershell.exe with a Set-Content command. PowerShell ScriptBlock Log Event ID 4104 containing the polyglot content creation.

  3. Test 3: Rename DLL to Image Extension

    Expected signal: Sysmon Event ID 11 (FileCreate) with TargetFilename 'screenshot.png' in the Temp directory. The file hash will match version.dll. DeviceFileEvents with FileName=screenshot.png created by cmd.exe.

  4. Test 4: Certutil Download with Extension Masquerade

    Expected signal: Sysmon Event ID 1 (Process Create) for certutil.exe with '-encode' in CommandLine. Sysmon Event ID 11 (FileCreate) with TargetFilename 'payload.txt'. DeviceProcessEvents with ProcessCommandLine containing 'certutil -encode'.
