Detect Space after Filename in CrowdStrike LogScale
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if a Mach-O executable file called evil.bin is renamed to evil.txt (space at end), when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed. This technique primarily targets macOS and Linux systems.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.006 Space after Filename
- Canonical reference
- https://attack.mitre.org/techniques/T1036/006/
LogScale Detection Query
#event_simpleName=/(AsepValueUpdate|WriteFile|PeFileWritten|SuspiciousFileWritten)/ ComputerName=* TargetFileName=/\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$/ | groupBy([ComputerName, UserName, TargetFileName, ImageFileName, CommandLine], function=([count(aid, as=event_count), min(@timestamp, as=first_seen), max(@timestamp, as=last_seen)])) | sort(last_seen, order=desc)Detects CrowdStrike Falcon endpoint events where a file write or PE file creation targets a filename ending with a common document or media extension followed by trailing whitespace, consistent with T1036.006 Space after Filename masquerading to disguise executables as benign files on macOS and Linux.
Data Sources
Required Tables
False Positives & Tuning
- CrowdStrike Falcon sensor itself or other EDR products creating quarantine copies of suspicious files that preserve the original malformed filename
- macOS Time Machine or other backup agents that preserve exact filesystem metadata including trailing spaces when creating backup snapshots
- Cross-compiled toolchains or package managers (MacPorts, Homebrew) that generate intermediate build files with non-sanitized filename strings derived from build manifests
Other platforms for T1036.006
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Executable with Trailing Space (macOS)
Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.
- Test 2Create Disguised Binary with Trailing Space (Linux)
Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.
- Test 3Create File with Multiple Trailing Spaces (Windows)
Expected signal: Sysmon Event ID 11: FileCreate for the file (Windows may strip the space). PowerShell ScriptBlock Log Event ID 4104.
References (4)
- https://attack.mitre.org/techniques/T1036/006/
- https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md
- https://www.sentinelone.com/blog/trail-of-windows-mitre-attack-evasion-techniques/
Unlock Pro Content
Get the full detection package for T1036.006 including response playbook, investigation guide, and atomic red team tests.