Find sigma rule 
Attack: Masquerading
Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.(Citation: LOLBAS Main Site)
MITRE
Tactic
- defense-evasion
technique
- T1036
Test : Malware Masquerading and Execution from Zip File
OS
- windows
Description:
When the file is unzipped and the README.cmd file opened, it executes and changes the .pdf to .dll and executes the dll. This is a BazaLoader technique as reported here
Executor
powershell
Sigma Rule
- file_rename_win_non_dll_to_dll_ext.yml (id: bbfd974c-248e-4435-8de6-1e938c79c5c1)