T1036.006 IBM QRadar · QRadar

Detect Space after Filename in IBM QRadar

Adversaries can hide a program's true file type by changing the extension of a file. With certain file types (this specifically does not work with .app extensions), appending a space to the end of a filename changes how the operating system processes the file. For example, if a Mach-O executable called evil.bin is renamed to "evil.txt " (with a trailing space), then when a user double-clicks it, the OS determines the true file type from the file's contents, handles it accordingly, and the binary is executed. This technique primarily targets macOS and Linux systems.

MITRE ATT&CK

Tactic: Defense Evasion
Technique: T1036 Masquerading
Sub-technique: T1036.006 Space after Filename
Canonical reference: https://attack.mitre.org/techniques/T1036/006/

QRadar Detection Query

Platform: IBM QRadar (AQL)

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
    LOGSOURCENAME(logsourceid) AS log_source,
    username,
    sourceip,
    QIDNAME(qid) AS event_name,
    "filename",
    "filepath",
    "process"
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) IN ('Microsoft Sysmon', 'Linux Auditd')
  AND (QIDNAME(qid) LIKE '%File Created%' OR QIDNAME(qid) LIKE '%File Renamed%')
  AND "filename" MATCHES '.*\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$'
LAST 24 HOURS

Note on the regex clause: AQL has no REGEXP_MATCH function. Regular expressions are applied with the MATCHES operator, which uses Java regex semantics and must match the entire field value, so the pattern carries a leading .* and keeps the trailing-whitespace anchor. Java's \s matches only ASCII whitespace, so a no-break space (U+00A0) after the extension would not match unless the class is widened to [\s\u00A0].

Severity: High · Confidence: Medium

Detects file creation and rename events in QRadar where the filename contains a trailing space after a common document or media file extension, consistent with the Space after Filename masquerading technique targeting macOS and Linux.

Data Sources

  • Microsoft Sysmon via Windows Log Source
  • Linux Auditd
  • Endpoint Protection DSMs

Required Tables

events

False Positives & Tuning

  • Automated file ingestion pipelines from third-party vendors that fail to sanitize whitespace from filenames before writing to disk
  • Cross-platform file transfers (Windows SMB to macOS/Linux NFS) where Windows NTFS allows trailing spaces but the receiving system interprets the filename differently
  • Security research or red team tooling in authorized test environments generating intentionally malformed filenames
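As an added illustration (not the page's own code, and not IBM's or QRadar's), the Python script below applies the same trailing-space pattern as the AQL query above to constructed Sysmon and auditd file events, applies the vendor-ingestion allowlist suggested by the first tuning bullet, and shows the one pre-processing step the auditd case needs: auditd hex-encodes any name= value that contains a space, so a raw PATH record for "/tmp/photo.jpg " never contains a literal space and must be decoded before the regex can match. The sample records, the /srv/ingest/vendor_drop/ allowlist directory and the normalized field names are assumptions made for this example.

```python
import posixpath
import re
from typing import Optional

# Extension list and trailing-whitespace anchor mirror the QRadar query on this page.
# Python's \s already covers Unicode whitespace; U+00A0 is listed explicitly so the
# class can be copied verbatim into the Java-regex AQL pattern, where \s is ASCII-only.
# IGNORECASE is an addition: the AQL pattern as written would miss "report.TXT ".
TRAILING_SPACE_RE = re.compile(
    r"\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)[\s\u00a0]+$",
    re.IGNORECASE,
)

# Constructed tuning allowlist for the vendor ingestion pipeline from the tuning notes.
# The directory is an assumption for this example, not a value from the page.
ALLOWLISTED_PREFIXES = ("/srv/ingest/vendor_drop/",)


def audit_field(record: str, key: str) -> Optional[str]:
    """Extract a string-typed field (name=, exe=, comm=, proctitle=) from an auditd
    record. auditd quotes plain values and hex-encodes any value containing a space,
    quote or control character, which is exactly the filename shape this rule hunts."""
    m = re.search(rf'(?:^|\s){re.escape(key)}=("[^"]*"|\S+)', record)
    if not m:
        return None
    raw = m.group(1)
    if raw.startswith('"'):
        return raw[1:-1]
    if raw == "(null)":
        return None
    try:
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    except ValueError:  # not a hex string: return the value untouched
        return raw


def is_space_after_filename(path: str) -> bool:
    """True when the basename ends in a common document/media extension followed by
    trailing whitespace, i.e. the Space after Filename masquerade."""
    return TRAILING_SPACE_RE.search(posixpath.basename(path)) is not None


def normalize_auditd(record: str) -> dict:
    """Map an auditd PATH record to the rule's normalized event shape (decoded path)."""
    return {"log_source": "Linux Auditd", "filepath": audit_field(record, "name") or ""}


def normalize_sysmon(target_filename: str) -> dict:
    """Map a Sysmon Event ID 11 TargetFilename to the normalized event shape."""
    return {"log_source": "Microsoft Sysmon", "filepath": target_filename.replace("\\", "/")}


def evaluate(event: dict) -> str:
    """Return 'alert', 'allowlisted' or 'none' for one normalized event."""
    path = event.get("filepath", "")
    if not is_space_after_filename(path):
        return "none"
    if path.startswith(ALLOWLISTED_PREFIXES):
        return "allowlisted"
    return "alert"


def run_detection(events: list) -> list:
    """Return the events that would surface as findings (the AQL result set)."""
    return [e for e in events if evaluate(e) == "alert"]


# Constructed sample telemetry (not from the page). The first auditd record carries
# "/tmp/photo.jpg " hex-encoded, as auditd emits it when the name contains a space.
SAMPLE_AUDITD_DISGUISED = (
    "type=PATH msg=audit(1700000000.123:4242): item=0 "
    "name=2F746D702F70686F746F2E6A706720 inode=131083 dev=08:01 mode=0100755 "
    "ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE"
)
SAMPLE_AUDITD_BENIGN = (
    'type=PATH msg=audit(1700000000.456:4243): item=0 name="/tmp/photo.jpg" '
    "inode=131084 dev=08:01 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE"
)
SAMPLE_AUDITD_VENDOR = (
    "type=PATH msg=audit(1700000000.789:4244): item=0 name="
    + "/srv/ingest/vendor_drop/invoice.pdf ".encode().hex().upper()
    + " inode=131085 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=CREATE"
)
# Windows normally strips the trailing space at creation time, so this shape is rare there.
SAMPLE_SYSMON_TARGET = r"C:\Users\alice\Downloads\report.txt "


if __name__ == "__main__":
    events = [
        normalize_auditd(SAMPLE_AUDITD_DISGUISED),
        normalize_auditd(SAMPLE_AUDITD_BENIGN),
        normalize_auditd(SAMPLE_AUDITD_VENDOR),
        normalize_sysmon(SAMPLE_SYSMON_TARGET),
    ]
    for e in events:
        print(f"{evaluate(e):12} {e['log_source']:16} {e['filepath']!r}")
```

The practical point for tuning the QRadar rule is the decoding step: check what your auditd log source actually stores in the filename property. If the DSM leaves the hex-encoded value in place, the MATCHES clause can never fire for the Linux case, and the decode has to happen at collection time or in a custom property extraction before the regex is applied. The allowlist check is deliberately evaluated after the regex so that allowlisted hits can still be counted for tuning review rather than silently dropped.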
Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create Executable with Trailing Space (macOS)

    Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.

  2. Test 2: Create Disguised Binary with Trailing Space (Linux)

    Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.

  3. Test 3: Create File with Multiple Trailing Spaces (Windows)

    Expected signal: Sysmon Event ID 11 (FileCreate) for the file (Windows may strip the spaces). PowerShell ScriptBlock Log Event ID 4104.
