T1036.006
Space after Filename
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (this specifically does not work with .app extensions), appending a space to the end of a filename changes how the operating system processes the file. For example, if a Mach-O executable called evil.bin is renamed to "evil.txt " (with a trailing space), then when a user double-clicks it, the OS determines the true file type, handles it accordingly, and executes the binary. This technique primarily targets macOS and Linux systems.
Microsoft Sentinel / Defender
kusto
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName matches regex @"\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc
high severity
high confidence
Data Sources
- File: File Creation
- File: File Metadata
- Microsoft Defender for Endpoint
Required Tables
DeviceFileEvents
False Positives
- Users accidentally adding trailing spaces when renaming files (rare but possible)
- File synchronization tools that may preserve trailing spaces from other operating systems
- Automated file processing systems that generate files with improperly trimmed names
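The rule above matches on the file name only. As an added example (not part of the original detection package), this Python script applies the same pattern on a macOS or Linux host and reads the leading bytes of each match, which separates the benign cases listed above from files that are really executables. The function names and sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Same pattern as the KQL rule: decoy extension followed by trailing whitespace.
DECOY_NAME = re.compile(
    r"\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$")

# First four bytes on disk of native executables (little-endian Mach-O forms).
EXEC_MAGIC = {
    b"\x7fELF": "ELF",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit",
    b"\xca\xfe\xba\xbe": "Mach-O universal or Java class",
}

def content_type(path):
    """Return a label if the file starts like an executable, else None."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4)
    except OSError:
        return None  # unreadable file: no verdict on content
    if head.startswith(b"#!"):
        return "script (shebang)"
    return EXEC_MAGIC.get(head)

def scan(root):
    """Return (file name, content label) for every decoy-named file under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if DECOY_NAME.search(name):
                hits.append((name, content_type(os.path.join(dirpath, name))))
    return sorted(hits, key=lambda h: h[0])

def demo():
    """Build constructed sample files in a temp dir and scan them."""
    samples = {
        "invoice.pdf ": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # Mach-O header stub
        "notes.txt ": b"meeting notes\n",                     # accidental rename
        "tool.txt": b"\x7fELF",                               # no trailing space
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

A match with a label of None has a trailing space but no executable header, which fits the false-positive cases; a match with an executable label warrants investigation.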
Last updated: 2026-04-18 Research depth: deep
Related Detections
Parent Technique
- T1036 Masquerading
Related Sub-techniques
- T1036.001 Invalid Code Signature
- T1036.002 Right-to-Left Override
- T1036.003 Rename Legitimate Utilities
- T1036.004 Masquerade Task or Service
- T1036.005 Match Legitimate Resource Name or Location
- T1036.007 Double File Extension
- T1036.008 Masquerade File Type
- T1036.009 Break Process Trees
- T1036.010 Masquerade Account Name
- T1036.011 Overwrite Process Arguments
- T1036.012 Browser Fingerprint