Матрица MITRE ATT&CK

Technique on mitre.org

T1036.008: Masquerade File Type

Adversaries may masquerade malicious payloads as legitimate files through changes to the payload's formatting, including the file’s signature, extension, and contents. Various file types have a typical standard format, including how they are encoded and organized. For example, a file’s signature (also known as header or magic bytes) is the beginning bytes of a file and is often used to identify the file’s type. For example, the header of a JPEG file, is 0xFF 0xD8 and the file extension is either .JPE, .JPEG or .JPG.

Adversaries may edit the header’s hex code and/or the file extension of a malicious payload in order to bypass file validation checks and/or input sanitization. This behavior is commonly used when payload files are transferred (e.g., Ingress Tool Transfer) and stored (e.g., Upload Malware) so that adversaries may move their malware without triggering detections.

Common non-executable file types and extensions, such as text files (.txt) and image files (.jpg, .gif, etc.) may be typically treated as benign. Based on this, adversaries may use a file extension to disguise malware, such as naming a PHP backdoor code with a file name of test.gif. A user may not know that a file is malicious due to the benign appearance and file extension.

Polygot files, which are files that have multiple different file types and that function differently based on the application that will execute them, may also be used to disguise malicious malware and capabilities.

Detection

ID	DS0022	Data source and component	File: File Modification	Description	Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation. In Linux, the `file` command may be used to check the file signature.

ID	DS0017	Data source and component	Command: Command Execution	Description	Monitor for abnormal command execution from otherwise non-executable file types (such as `.txt` and `.jpg`).

ID	Data source and component	Description
DS0022	File: File Modification	Check and ensure that file headers/signature and extensions match using magic bytes detection and/or file signature validation. In Linux, the `file` command may be used to check the file signature.
DS0017	Command: Command Execution	Monitor for abnormal command execution from otherwise non-executable file types (such as `.txt` and `.jpg`).

Mitigation

ID	M1049	Name	Antivirus/Antimalware	Description	Anti-virus can be used to automatically quarantine suspicious files.

ID	M1040	Name	Behavior Prevention on Endpoint	Description	Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.

ID	M1038	Name	Execution Prevention	Description	Ensure that input sanitization is performed and that files are validated properly before execution; furthermore, implement a strict allow list to ensure that only authorized file types are processed. Restrict and/or block execution of files where headers and extensions do not match.

ID	Name	Description
M1049	Antivirus/Antimalware	Anti-virus can be used to automatically quarantine suspicious files.
M1040	Behavior Prevention on Endpoint	Implement security controls on the endpoint, such as a Host Intrusion Prevention System (HIPS), to identify and prevent execution of files with mismatching file signatures.
M1038	Execution Prevention	Ensure that input sanitization is performed and that files are validated properly before execution; furthermore, implement a strict allow list to ensure that only authorized file types are processed. Restrict and/or block execution of files where headers and extensions do not match.