Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file's signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file's signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file's type. The header of a JPEG file is <code>0xFF 0xD8</code>, and the file extension is .JPE, .JPEG or .JPG.
Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries may move their malware without triggering detections.
Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.), are typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor <code>test.gif</code>. A user may not know that a file is malicious due to its benign appearance and file extension.
Polyglot files, which are valid as multiple different file types and behave differently depending on the application that executes them, may also be used to disguise malware and its capabilities.(Citation: polygot_icedID)
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
DE.AE-02.01 | Event analysis and detection | Mitigates | T1036.008 | Masquerade File Type | This diagnostic statement provides for implementation of methods to block similar future attacks via security tools such as antivirus and IDS/IPS to provide protection against threats and exploitation attempts. |
PR.IR-01.08 | End-user device access | Mitigates | T1036.008 | Masquerade File Type | This diagnostic statement implements technical controls (e.g., VPN, antivirus software) to address the risks of end-user personal computing devices accessing the organization's network and resources. |
PR.PS-01.01 | Configuration baselines | Mitigates | T1036.008 | Masquerade File Type | This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation. |
PR.PS-05.01 | Malware prevention | Mitigates | T1036.008 | Masquerade File Type | Antivirus/antimalware software can be utilized to detect and quarantine suspicious files that adversaries have manipulated to appear legitimate or benign. |
DE.CM-01.01 | Intrusion detection and prevention | Mitigates | T1036.008 | Masquerade File Type | Host intrusion prevention (HIPS) and similar methods can identify and prevent execution of malicious files whose headers or metadata adversaries have manipulated. |
PR.PS-05.02 | Mobile code prevention | Mitigates | T1036.008 | Masquerade File Type | Mobile code procedures address specific actions taken to prevent the development, acquisition, and introduction of unacceptable mobile code within organizational systems, including requiring mobile code to be digitally signed by a trusted source. |
PR.PS-01.08 | End-user device protection | Mitigates | T1036.008 | Masquerade File Type | This diagnostic statement protects against Masquerade File Type by limiting access to resources to only authorized devices, managing personal computing devices, network intrusion prevention, and the use of antimalware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
SI-10 | Information Input Validation | mitigates | T1036.008 | Masquerade File Type | |
SI-03 | Malicious Code Protection | mitigates | T1036.008 | Masquerade File Type | |
CM-07 | Least Functionality | mitigates | T1036.008 | Masquerade File Type | |
SI-04 | System Monitoring | mitigates | T1036.008 | Masquerade File Type | |
SC-07 | Boundary Protection | mitigates | T1036.008 | Masquerade File Type |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
action.social.variety.Evade Defenses | Modification of the action (rather than the system, as in 'Disable controls') to avoid detection. | related-to | T1036.008 | Masquerade File Type |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1036.008 | Masquerade File Type | This control can detect if files are created or edited where the header and extension do not match. |
alerts_for_linux_machines | Alerts for Linux Machines | technique_scores | T1036.008 | Masquerade File Type | This control can detect if files are created or edited where the header and extension do not match. |
alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1036.008 | Masquerade File Type | This control can detect execution of commands from file types that are otherwise non-executable. |
microsoft_antimalware_for_azure | Microsoft Antimalware for Azure | technique_scores | T1036.008 | Masquerade File Type | This control can protect from malware. |
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
cloud_ids | Cloud IDS | technique_scores | T1036.008 | Masquerade File Type | Google Cloud IDS can detect network-based threats like malicious software. |
google_secops | Google Security Operations | technique_scores | T1036.008 | Masquerade File Type | Google Security Operations is able to trigger an alert based on abnormal command execution from otherwise non-executable file types (such as .txt and .jpg). |
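The Google Security Operations and Alerts for Windows Machines rows above describe alerting on command execution involving file types that are otherwise non-executable (.txt, .jpg and the like). As an added example, not the vendors' detection logic and not part of the original page, the following Python implements that idea over process-creation telemetry: it alerts when a script or loader host such as rundll32 or regsvr32 is handed a path with a non-executable extension, while a viewer such as mspaint or notepad opening the same file stays quiet. The host list, the extension list and the Sysmon-style events are constructed for this example.

```python
"""Alert on execution hosts being fed files with non-executable extensions.

Added example. SCRIPT_HOSTS, NON_EXECUTABLE_EXTS and SAMPLE_EVENTS are
constructed for illustration; tune both lists to the environment.
"""
import ntpath
import re

# Binaries that execute, load or decode whatever path they are given. A
# "document" or "image" extension on that path is the anomaly.
SCRIPT_HOSTS = {
    "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe",
    "powershell.exe", "pwsh.exe", "certutil.exe", "msiexec.exe",
}

# Extensions a user expects to be data, never code.
NON_EXECUTABLE_EXTS = {"txt", "log", "csv", "jpg", "jpeg", "jpe", "gif", "png", "bmp", "pdf"}

# A path-like token ending in one of those extensions. Quotes, commas and
# semicolons end the token so "x.jpg,DllMain" yields "x.jpg".
_REF_RE = re.compile(
    r'([^\s"\',;]+\.(' + "|".join(sorted(NON_EXECUTABLE_EXTS)) + r"))(?![A-Za-z0-9])",
    re.IGNORECASE,
)


def detect(events):
    """Return one alert dict per suspicious (host, referenced file) pair."""
    alerts = []
    for ev in events:
        host = ntpath.basename(ev["image"]).lower()
        if host not in SCRIPT_HOSTS:
            continue  # notepad/mspaint opening a .txt/.jpg is normal
        for m in _REF_RE.finditer(ev["command_line"]):
            alerts.append({
                "host": host,
                "file": ntpath.basename(m.group(1)),
                "ext": m.group(2).lower(),
                "command_line": ev["command_line"],
            })
    return alerts


# Constructed Sysmon-style process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "command_line": r"rundll32.exe C:\Users\bob\Pictures\cat.jpg,DllMain"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "command_line": r"regsvr32.exe /s /u /i:C:\Users\bob\Downloads\invoice.txt scrobj.dll"},
    {"image": r"C:\Windows\System32\certutil.exe",
     "command_line": r"certutil.exe -decode C:\ProgramData\readme.txt C:\ProgramData\svc.exe"},
    {"image": r"C:\Windows\System32\mspaint.exe",
     "command_line": r'"C:\Windows\System32\mspaint.exe" C:\Users\bob\Pictures\cat.jpg'},
    {"image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\bob\notes.txt"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'powershell.exe -ep bypass -c "IEX (Get-Content C:\Users\bob\Pictures\flower.gif -Raw)"'},
]


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"ALERT {a['host']} referenced .{a['ext']} file {a['file']}: {a['command_line']}")
```

The whole value of the rule is the host allow-list: the same `cat.jpg` appears in two events, and only the rundll32 one fires. In a real deployment the file-name match would be joined with the previous example's header check on the referenced file, since a renamed DLL under a `.jpg` name is exactly the case this technique describes.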