T1036.006 Elastic Security · Elastic

Detect Space after Filename in Elastic Security

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if a Mach-O executable file called evil.bin is renamed to evil.txt (space at end), when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed. This technique primarily targets macOS and Linux systems.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.006 Space after Filename
Canonical reference
https://attack.mitre.org/techniques/T1036/006/

Elastic Detection Query

Elastic Security (Elastic)
eql 
file where event.action in ("creation", "overwrite", "rename") and file.name regex~ "\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$"
high severity high confidence

Detects file creation, overwrite, or rename events where the filename ends with a common document or media extension followed by one or more trailing spaces, indicative of the Space after Filename masquerading technique on macOS and Linux.

Data Sources

Elastic Endpoint SecurityAuditbeat file integrity monitoring

Required Tables

logs-endpoint.events.file-*auditbeat-*

False Positives & Tuning

  • Poorly written scripts or legacy software that accidentally appends whitespace to filenames during file creation or download operations
  • File synchronization tools (rsync, Dropbox, OneDrive) that preserve trailing spaces from source systems with different filesystem semantics
  • Automated test harnesses or CI pipelines that programmatically generate filenames with trailing spaces as part of edge-case testing
Download portable Sigma rule (.yml)

Other platforms for T1036.006

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Executable with Trailing Space (macOS)

    Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.

  2. Test 2Create Disguised Binary with Trailing Space (Linux)

    Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.

  3. Test 3Create File with Multiple Trailing Spaces (Windows)

    Expected signal: Sysmon Event ID 11: FileCreate for the file (Windows may strip the space). PowerShell ScriptBlock Log Event ID 4104.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1036.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.007Double File ExtensionT1036.008Masquerade File TypeT1204.002Malicious FileT1566.001Spearphishing AttachmentT1036.002Right-to-Left Override

Same Tactic: Defense Evasion

Popular Detections