title: Masquerade File Type (T1036.008)
id: df00tech-t1036-008
status: experimental
description: "Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, icon, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. Adversaries may edit the header's hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred and stored so that adversaries may move their malware without triggering detections. Polyglot files, which function differently based on the application that executes them, may also be used to disguise malicious capabilities."
references:
  - https://attack.mitre.org/techniques/T1036/008/
  - https://df00tech.com/detections/T1036.008
author: df00tech
date: 2026/04/16
tags:
  - attack.t1036.008
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate image processing or media conversion software creating files with standard extensions from command-line tools
  - Web browsers saving downloaded images or documents that trigger file creation events from child processes
  - Backup and archival tools that rename or copy media files as part of automated workflows
  - Software build systems that generate resource files with image extensions during compilation
level: high