Detect Space after Filename in Sumo Logic CSE
Adversaries can hide a program's true file type by changing the file's extension. For certain file types (notably, this does not work with the .app extension), appending a space to the end of the filename changes how the operating system processes the file. For example, if a Mach-O executable called evil.bin is renamed to "evil.txt " (with a trailing space) and a user double-clicks it, the OS determines the true file type from the file's contents rather than the extension, handles it as a binary, and executes it. This technique primarily targets macOS and Linux systems.
MITRE ATT&CK
- Tactic: Defense Evasion
- Technique: T1036 Masquerading
- Sub-technique: T1036.006 Space after Filename
- Canonical reference: https://attack.mitre.org/techniques/T1036/006/
Sumo Detection Query
_sourceCategory=endpoint/*/sysmon OR _sourceCategory=endpoint/*/auditd
| where EventID in ("11", "15") OR _sourceCategory matches "*auditd*"
| where TargetFilename matches /\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$/ OR FileName matches /\.(txt|pdf|doc|docx|jpg|jpeg|png|gif|mp4|mp3|csv|xls|xlsx|rtf)\s+$/
| parse field=TargetFilename "*" as matched_filename nodrop
| parse field=FileName "*" as matched_filename nodrop
| fields _messageTime, host, User, Image, TargetFilename, FileName, matched_filename
| sort by _messageTime desc

Detects Sysmon file create (Event ID 11) and file stream create (Event ID 15) events, plus Linux auditd file events, where the filename ends in one or more whitespace characters after a common non-executable extension, a hallmark of the Space after Filename masquerading technique. The two parse ... nodrop steps surface the matching name from either source (TargetFilename for Sysmon, FileName for auditd) as matched_filename, and nodrop keeps events where only one of the two fields is present.
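The following is an added example, not part of the Sumo Logic rule or this page: the query's scoping (Sysmon Event ID 11/15 or any auditd event) and its trailing-space regex re-implemented in Python over constructed Sysmon-style and auditd-style records, so the rule's logic can be checked against the three test filenames before it is deployed. It goes one step beyond the query by matching extensions case-insensitively; the field names follow the query, and the sample events are constructed.

```python
import re
from typing import Dict, Iterable, List, Optional

# Same extension list and anchoring as the Sumo query's regex; IGNORECASE is an
# addition so that names such as "REPORT.TXT " are also caught.
NON_EXEC_EXTS = ("txt", "pdf", "doc", "docx", "jpg", "jpeg", "png", "gif",
                 "mp4", "mp3", "csv", "xls", "xlsx", "rtf")
TRAILING_SPACE_RE = re.compile(r"\.(?:" + "|".join(NON_EXEC_EXTS) + r")\s+$", re.IGNORECASE)

# Constructed sample events in the field shape the query expects (not real telemetry).
SAMPLE_EVENTS: List[Dict[str, Optional[str]]] = [
    {"_sourceCategory": "endpoint/mac/sysmon", "EventID": "11", "host": "mac-01",
     "User": "alice", "Image": "/bin/cp", "TargetFilename": "/tmp/report.txt "},
    {"_sourceCategory": "endpoint/win/sysmon", "EventID": "11", "host": "win-01",
     "User": "bob", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\notes.txt"},
    {"_sourceCategory": "endpoint/linux/auditd", "EventID": None, "host": "lnx-01",
     "User": "carol", "Image": "/usr/bin/cp", "FileName": "/tmp/photo.jpg "},
    {"_sourceCategory": "endpoint/mac/sysmon", "EventID": "1", "host": "mac-01",
     "User": "alice", "Image": "/bin/bash", "TargetFilename": "/tmp/run.txt "},
    {"_sourceCategory": "endpoint/linux/auditd", "EventID": None, "host": "lnx-01",
     "User": "carol", "Image": "/usr/bin/cp", "FileName": "/home/carol/tool.sh "},
]

def is_space_after_filename(name: Optional[str]) -> bool:
    """True when the name ends in a listed non-executable extension followed by whitespace."""
    return bool(name) and TRAILING_SPACE_RE.search(name) is not None

def trailing_space_count(name: str) -> int:
    """Number of trailing whitespace characters; useful for triage (Test 3 uses several)."""
    return len(name) - len(name.rstrip())

def detect(events: Iterable[Dict[str, Optional[str]]]) -> List[Dict[str, object]]:
    """Apply the query's scoping (Sysmon 11/15 or any auditd event) and the filename regex."""
    hits: List[Dict[str, object]] = []
    for ev in events:
        src = ev.get("_sourceCategory") or ""
        in_scope = "auditd" in src or ev.get("EventID") in ("11", "15")
        if not in_scope:
            continue
        # Mirrors the query's coalescing of TargetFilename (Sysmon) and FileName (auditd).
        name = ev.get("TargetFilename") or ev.get("FileName") or ""
        if is_space_after_filename(name):
            hits.append({"host": ev.get("host"), "user": ev.get("User"), "image": ev.get("Image"),
                         "matched_filename": name, "trailing_spaces": trailing_space_count(name)})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Running it yields two hits (the macOS Sysmon file create and the Linux auditd event); the Event ID 1 record is out of scope and "tool.sh " has no listed extension.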
Data Sources
Required Tables
False Positives & Tuning
- File download managers or browser extensions that temporarily write partially downloaded files with malformed names before renaming to the final filename
- Backup restoration software that preserves exact byte sequences from backup archives, including any trailing whitespace in originally stored filenames
- Developer toolchains on macOS (Xcode, Homebrew scripts) that generate intermediate build artifacts with non-standard naming conventions
Testing Methodology
Validate this detection against the three Atomic Red Team tests for this sub-technique. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Executable with Trailing Space (macOS)
  Expected signal: Process creation event for '/tmp/report.txt ' (with trailing space). File creation event showing the trailing space in the filename.
- Test 2: Create Disguised Binary with Trailing Space (Linux)
  Expected signal: Auditd SYSCALL execve event for '/tmp/photo.jpg '. File creation event for the disguised binary.
- Test 3: Create File with Multiple Trailing Spaces (Windows)
  Expected signal: Sysmon Event ID 11: FileCreate for the file (Windows may strip the space). PowerShell ScriptBlock Log Event ID 4104.
References
- https://attack.mitre.org/techniques/T1036/006/
- https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.006/T1036.006.md
- https://www.sentinelone.com/blog/trail-of-windows-mitre-attack-evasion-techniques/