T1036.006 Microsoft Sentinel · KQL

Detect Space after Filename in Microsoft Sentinel

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if a Mach-O executable file called evil.bin is renamed to evil.txt (space at end), when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed. This technique primarily targets macOS and Linux systems.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.006 Space after Filename
Canonical reference
https://attack.mitre.org/techniques/T1036/006/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
DeviceFileEvents
| where Timestamp > ago(24h)
| where FileName matches regex @"\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ActionType,
         InitiatingProcessFileName, InitiatingProcessCommandLine, SHA256
| sort by Timestamp desc
high severity high confidence

Detects file creation or modification events where the filename has a trailing space after a benign-looking extension. On macOS and Linux, this causes the OS to determine the true file type by content rather than extension, potentially executing a binary that appears to be a document or image. Used by APT38 and Keydnap malware.

Data Sources

File: File CreationFile: File MetadataMicrosoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives & Tuning

  • Users accidentally adding trailing spaces when renaming files (rare but possible)
  • File synchronization tools that may preserve trailing spaces from other operating systems
  • Automated file processing systems that generate files with improperly trimmed names
Download portable Sigma rule (.yml)

Other platforms for T1036.006

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Executable with Trailing Space (macOS)

    Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.

  2. Test 2Create Disguised Binary with Trailing Space (Linux)

    Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.

  3. Test 3Create File with Multiple Trailing Spaces (Windows)

    Expected signal: Sysmon Event ID 11: FileCreate for the file (Windows may strip the space). PowerShell ScriptBlock Log Event ID 4104.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1036.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.007Double File ExtensionT1036.008Masquerade File TypeT1204.002Malicious FileT1566.001Spearphishing AttachmentT1036.002Right-to-Left Override

Same Tactic: Defense Evasion

Popular Detections