T1036.007 Double File Extension Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let ExecutableExtensions = dynamic([".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".hta", ".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".msi", ".ps1"]);
let BenignExtensions = dynamic([".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".xls", ".xlsx", ".ppt", ".pptx", ".csv", ".rtf", ".bmp", ".mp3", ".mp4"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| extend FileExt = tolower(strcat(".", tostring(split(FileName, ".")[-1])))
| extend SecondToLastExt = tolower(strcat(".", tostring(split(FileName, ".")[-2])))
| extend DotCount = countof(FileName, ".")
| where DotCount >= 2
| where FileExt has_any (ExecutableExtensions)
| where SecondToLastExt has_any (BenignExtensions)
| extend IsDoubleExtension = true
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, FileExt, SecondToLastExt,
         InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp desc

high severity high confidence

Data Sources

File: File Creation File: File Modification Microsoft Defender for Endpoint

Required Tables

DeviceFileEvents

False Positives

Backup software that creates archive files with compound naming conventions (e.g., backup.tar.gz being misidentified if archive extensions are added to the list)
Software installers that download temporary files with double extensions to staging directories before execution
Developers or build systems generating files with multiple dots in the filename that coincidentally match the pattern (e.g., module.config.exe for legitimate .NET configuration tools)
Email security gateways that extract and re-save attachments with original filenames including double extensions for scanning purposes

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| rex field=TargetFilename "(?<base_name>[^\\]+)$"
| rex field=base_name "(?<second_ext>\.[a-zA-Z0-9]{2,5})\.(?<final_ext>[a-zA-Z0-9]{2,5})$"
| where isnotnull(second_ext) AND isnotnull(final_ext)
| eval final_ext=lower(final_ext)
| eval second_ext=lower(second_ext)
| eval is_executable=if(match(final_ext, "^(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$"), 1, 0)
| eval is_benign_decoy=if(match(second_ext, "^\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)$"), 1, 0)
| where is_executable=1 AND is_benign_decoy=1
| table _time, host, User, Image, TargetFilename, base_name, second_ext, final_ext
| sort - _time

high severity high confidence

Data Sources

File: File Creation Sysmon Event ID 11

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Backup software that creates archive files with compound naming conventions
Software installers that download temporary files with double extensions to staging directories
Developers or build systems generating files with multiple dots in the filename that coincidentally match the pattern
Email security gateways that extract and re-save attachments preserving original filenames

Elastic Security (EQL)

eql

file where event.action in ("creation", "rename") and (
  file.name regex~ ".*\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$"
)

high severity high confidence

Data Sources

Elastic Endpoint Security Auditbeat (file integrity monitoring) Windows Event logs via Winlogbeat

Required Tables

file

False Positives

Legitimate software installers or updaters that temporarily create files with compound extensions during extraction or staging
Security tools and AV/EDR products that rename quarantined files by appending an extension to the original filename (e.g., malware.exe.quarantine)
Developer workflows involving build scripts that generate artifacts with versioned or typed extensions before final renaming

IBM QRadar (AQL)

sql

SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, "filename", QIDNAME(qid) AS event_name, logsourceid, LOGSOURCETYPENAME(logsourceid) AS log_source_type
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) ILIKE '%sysmon%'
  AND qid IN (SELECT qid FROM qidmap WHERE qname ILIKE '%file create%')
  AND (LOWER("filename") SIMILAR TO '%.txt\.exe' OR LOWER("filename") SIMILAR TO '%.txt\.scr'
    OR LOWER("filename") SIMILAR TO '%.doc\.exe' OR LOWER("filename") SIMILAR TO '%.doc\.bat'
    OR LOWER("filename") SIMILAR TO '%.docx\.exe' OR LOWER("filename") SIMILAR TO '%.docx\.cmd'
    OR LOWER("filename") SIMILAR TO '%.pdf\.exe' OR LOWER("filename") SIMILAR TO '%.pdf\.vbs'
    OR LOWER("filename") SIMILAR TO '%.pdf\.ps1' OR LOWER("filename") SIMILAR TO '%.jpg\.exe'
    OR LOWER("filename") SIMILAR TO '%.jpeg\.exe' OR LOWER("filename") SIMILAR TO '%.png\.exe'
    OR LOWER("filename") SIMILAR TO '%.gif\.exe' OR LOWER("filename") SIMILAR TO '%.xls\.exe'
    OR LOWER("filename") SIMILAR TO '%.xlsx\.exe' OR LOWER("filename") SIMILAR TO '%.ppt\.exe'
    OR LOWER("filename") SIMILAR TO '%.pptx\.exe' OR LOWER("filename") SIMILAR TO '%.csv\.exe'
    OR LOWER("filename") SIMILAR TO '%.rtf\.exe' OR LOWER("filename") SIMILAR TO '%.bmp\.exe'
    OR LOWER("filename") SIMILAR TO '%.mp3\.exe' OR LOWER("filename") SIMILAR TO '%.mp4\.exe'
    OR LOWER("filename") SIMILAR TO '%.txt\.hta' OR LOWER("filename") SIMILAR TO '%.pdf\.hta'
    OR LOWER("filename") SIMILAR TO '%.doc\.hta' OR LOWER("filename") SIMILAR TO '%.txt\.msi'
    OR LOWER("filename") SIMILAR TO '%.pdf\.lnk' OR LOWER("filename") SIMILAR TO '%.doc\.lnk'
    OR LOWER("filename") SIMILAR TO '%.txt\.js' OR LOWER("filename") SIMILAR TO '%.pdf\.js'
    OR LOWER("filename") SIMILAR TO '%.doc\.vbs' OR LOWER("filename") SIMILAR TO '%.pdf\.vbe'
    OR LOWER("filename") SIMILAR TO '%.txt\.wsh' OR LOWER("filename") SIMILAR TO '%.pdf\.wsf')
  AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

IBM QRadar SIEM Sysmon (EventCode 11) forwarded via Windows Event Log DSM QRadar Windows Security Event Log DSM

Required Tables

events

False Positives

File backup utilities that append the original extension to backup copies (e.g., report.pdf.bak misidentified if bak is mapped as executable)
Automated document processing pipelines that create intermediate files with compound names before final output
Browser download managers that temporarily name partially-downloaded files with an appended extension

Sumo Logic CSE

sql

_sourceCategory=*sysmon* OR _sourceCategory=*windows*
| where EventID = "11" OR EventCode = "11"
| parse field=Message "TargetFilename: *" as target_filename nodrop
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "User: *" as username nodrop
| toLowerCase(target_filename) as target_filename_lower
| where target_filename_lower matches "*.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4).(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)"
| parse regex field=target_filename_lower "(?<second_ext>\.[a-z0-9]{2,5})\.(?<final_ext>[a-z0-9]{2,5})$" nodrop
| where !(isNull(second_ext)) and !(isNull(final_ext))
| where final_ext in ("exe","scr","bat","cmd","com","pif","hta","lnk","vbs","vbe","js","jse","wsh","wsf","msi","ps1")
| where second_ext in (".txt",".doc",".docx",".pdf",".jpg",".jpeg",".png",".gif",".xls",".xlsx",".ppt",".pptx",".csv",".rtf",".bmp",".mp3",".mp4")
| fields _messageTime, hostname, username, process_image, target_filename, second_ext, final_ext
| sort by _messageTime desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Sysmon via Windows Event Log collector Sumo Logic Installed Collector on Windows endpoints

Required Tables

Sysmon Operational event log (_sourceCategory=*sysmon*)

False Positives

Software packaging tools that produce compound-named artifacts during build processes (e.g., setup.msi.tmp misclassified if tmp resolves to an executable type)
Penetration testing or red team tooling executed during authorized engagements that creates test double-extension files
IT asset management or software inventory tools that temporarily rename files during scanning or cataloging operations

Google Chronicle / SecOps

yaral

rule double_file_extension_masquerading {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects file creation or rename events with double file extensions where a benign extension precedes an executable extension, indicating T1036.007 masquerading."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.007"
    false_positives = "AV quarantine renaming, build artifacts, backup utilities"
    version = "1.0"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MOVE"
    re.regex($e.target.file.full_path, `(?i)\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$`)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Google Chronicle UDM (Unified Data Model) Windows endpoint telemetry ingested into Chronicle Sysmon logs parsed to UDM by Chronicle parsers

Required Tables

UDM events with metadata.event_type FILE_CREATION or FILE_MOVE

False Positives

Backup and archiving tools that rename files by appending the original extension before compression or transfer
Security products (EDR, AV) that quarantine files by renaming them with an appended extension, resulting in apparent double extensions
Legitimate software deployment or patch management systems that stage installer packages with temporary compound extensions

CrowdStrike LogScale (CQL)

cql

#event_simpleName=FileOpenInfo OR #event_simpleName=NewExecutableWritten
| TargetFileName = /(?i)\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$/
| regex("(?i)(?<second_ext>\.[a-z0-9]{2,5})\.(?<final_ext>[a-z0-9]{2,5})$", field=TargetFileName, as=[second_ext, final_ext])
| table([_timstamp, ComputerName, UserName, TargetFileName, second_ext, final_ext, ImageFileName, CommandLine])
| sort(field=@timestamp, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR CrowdStrike Falcon LogScale (Humio) Falcon sensor endpoint telemetry

Required Tables

FileOpenInfo event stream NewExecutableWritten event stream

False Positives

CrowdStrike Falcon itself or other endpoint security tools that write quarantine copies of files with compound extensions appended to the original filename
Software development or CI/CD pipelines running on endpoints that create build artifacts with version strings or type qualifiers embedded before the final extension
End users who intentionally save documents with compound names for organizational purposes, and whose naming convention happens to end in an executable extension

Double File Extension

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections