Detect Double File Extension in Elastic Security
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads, commonly tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access via Spearphishing Attachment then User Execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.007 Double File Extension
- Canonical reference
- https://attack.mitre.org/techniques/T1036/007/
Elastic Detection Query
file where event.action in ("creation", "rename") and (
file.name regex~ ".*\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$"
)Detects files created or renamed with double extensions where a benign-looking extension (e.g., .txt, .pdf, .jpg) precedes an executable extension (e.g., .exe, .vbs, .ps1), a common masquerading technique used in phishing and malware delivery (T1036.007).
Data Sources
Required Tables
False Positives & Tuning
- Legitimate software installers or updaters that temporarily create files with compound extensions during extraction or staging
- Security tools and AV/EDR products that rename quarantined files by appending an extension to the original filename (e.g., malware.exe.quarantine)
- Developer workflows involving build scripts that generate artifacts with versioned or typed extensions before final renaming
Other platforms for T1036.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Double Extension EXE File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.
- Test 2Create Double Extension LNK File (Kimsuky/DarkGate Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.
- Test 3Create and Execute Double Extension SCR File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.
References (7)
- https://attack.mitre.org/techniques/T1036/007/
- https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/
- https://www.pcmag.com/encyclopedia/term/double-extension
- https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.007/T1036.007.md
- https://www.trellix.com/blogs/research/the-darkgate-menace/
Unlock Pro Content
Get the full detection package for T1036.007 including response playbook, investigation guide, and atomic red team tests.