Detect Space after Filename in Google Chronicle
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if a Mach-O executable file called evil.bin is renamed to evil.txt (space at end), when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed. This technique primarily targets macOS and Linux systems.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.006 Space after Filename
- Canonical reference
- https://attack.mitre.org/techniques/T1036/006/
YARA-L Detection Query
rule space_after_filename_masquerade {
meta:
author = "df00tech"
description = "Detects file creation or rename events where the filename ends with a common document or media extension followed by trailing whitespace, consistent with MITRE ATT&CK T1036.006 Space after Filename masquerading on macOS and Linux."
severity = "HIGH"
mitre_technique = "T1036.006"
created = "2026-04-18"
events:
$e.metadata.event_type = "FILE_CREATION" or
$e.metadata.event_type = "FILE_MODIFICATION"
re.regex($e.target.file.full_path, `\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$`)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting file creation and modification events in UDM where the full file path ends with a document or media extension followed by trailing whitespace, indicating T1036.006 Space after Filename masquerading primarily targeting macOS and Linux hosts.
Data Sources
Required Tables
False Positives & Tuning
- Third-party file sync clients that improperly encode Unicode whitespace characters in filenames when syncing from cloud storage services
- Automated penetration testing frameworks (Atomic Red Team, Caldera) running authorized T1036.006 simulation tests in detection validation environments
- Legacy macOS applications using outdated Cocoa file APIs that append whitespace to filenames as part of temporary file handling
Other platforms for T1036.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Executable with Trailing Space (macOS)
Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.
- Test 2Create Disguised Binary with Trailing Space (Linux)
Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.
- Test 3Create File with Multiple Trailing Spaces (Windows)
Expected signal: Sysmon Event ID 11: FileCreate for the file (Windows may strip the space). PowerShell ScriptBlock Log Event ID 4104.
References (4)
- https://attack.mitre.org/techniques/T1036/006/
- https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md
- https://www.sentinelone.com/blog/trail-of-windows-mitre-attack-evasion-techniques/
Unlock Pro Content
Get the full detection package for T1036.006 including response playbook, investigation guide, and atomic red team tests.