T1036.007 Google Chronicle · YARA-L

Detect Double File Extension in Google Chronicle

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads, commonly tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access via Spearphishing Attachment then User Execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.007 Double File Extension
Canonical reference
https://attack.mitre.org/techniques/T1036/007/

YARA-L Detection Query

Google Chronicle (YARA-L)
yaral 
rule double_file_extension_masquerading {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects file creation or rename events with double file extensions where a benign extension precedes an executable extension, indicating T1036.007 masquerading."
    severity = "HIGH"
    priority = "HIGH"
    mitre_attack_tactic = "Defense Evasion"
    mitre_attack_technique = "T1036.007"
    false_positives = "AV quarantine renaming, build artifacts, backup utilities"
    version = "1.0"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "FILE_CREATION" or $e.metadata.event_type = "FILE_MOVE"
    re.regex($e.target.file.full_path, `(?i)\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$`)

  condition:
    $e
}
high severity high confidence

Chronicle YARA-L 2.0 rule detecting FILE_CREATION and FILE_MOVE UDM events where the target file path matches a double extension pattern with a benign decoy extension followed by an executable extension. Leverages the UDM target.file.full_path field with a regex match.

Data Sources

Google Chronicle SIEMGoogle Chronicle UDM (Unified Data Model)Windows endpoint telemetry ingested into ChronicleSysmon logs parsed to UDM by Chronicle parsers

Required Tables

UDM events with metadata.event_type FILE_CREATION or FILE_MOVE

False Positives & Tuning

  • Backup and archiving tools that rename files by appending the original extension before compression or transfer
  • Security products (EDR, AV) that quarantine files by renaming them with an appended extension, resulting in apparent double extensions
  • Legitimate software deployment or patch management systems that stage installer packages with temporary compound extensions
Download portable Sigma rule (.yml)

Other platforms for T1036.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Double Extension EXE File

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.

  2. Test 2Create Double Extension LNK File (Kimsuky/DarkGate Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.

  3. Test 3Create and Execute Double Extension SCR File

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.

Last updated: 2026-04-18 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.008Masquerade File TypeT1566.001Spearphishing AttachmentT1204.002Malicious FileT1105Ingress Tool TransferT1547.001Registry Run Keys / Startup FolderT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections