T1036.006 Splunk · SPL

Detect Space after Filename in Splunk

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if a Mach-O executable file called evil.bin is renamed to evil.txt (space at end), when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed. This technique primarily targets macOS and Linux systems.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.006 Space after Filename
Canonical reference
https://attack.mitre.org/techniques/T1036/006/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=11 OR EventCode=15)
| where match(TargetFilename, "\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$")
| table _time, host, User, Image, TargetFilename, Hashes
| sort - _time
high severity high confidence

Detects file creation events (Sysmon Event ID 11) and alternate data stream creation (Event ID 15) where the target filename contains a trailing space after a benign extension. This is a macOS/Linux-focused technique but file creation may be logged on Windows hosts when files are transferred or synced.

Data Sources

File: File CreationFile: File MetadataSysmon Event ID 11, 15

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Users accidentally adding trailing spaces when renaming files
  • File synchronization tools preserving trailing spaces from other operating systems
  • Automated file processing systems generating files with improperly trimmed names
Download portable Sigma rule (.yml)

Other platforms for T1036.006

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Executable with Trailing Space (macOS)

    Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.

  2. Test 2Create Disguised Binary with Trailing Space (Linux)

    Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.

  3. Test 3Create File with Multiple Trailing Spaces (Windows)

    Expected signal: Sysmon Event ID 11: FileCreate for the file (Windows may strip the space). PowerShell ScriptBlock Log Event ID 4104.

Last updated: 2026-04-18 Research depth: deep
References (4)

Unlock Pro Content

Get the full detection package for T1036.006 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.007Double File ExtensionT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.007Double File ExtensionT1036.008Masquerade File TypeT1204.002Malicious FileT1566.001Spearphishing AttachmentT1036.002Right-to-Left Override

Same Tactic: Defense Evasion

Popular Detections