T1036.007 CrowdStrike LogScale · LogScale

Detect Double File Extension in CrowdStrike LogScale

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads, commonly tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access via Spearphishing Attachment then User Execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.007 Double File Extension
Canonical reference
https://attack.mitre.org/techniques/T1036/007/

LogScale Detection Query

CrowdStrike LogScale (LogScale)
cql 
#event_simpleName=FileOpenInfo OR #event_simpleName=NewExecutableWritten
| TargetFileName = /(?i)\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$/
| regex("(?i)(?<second_ext>\.[a-z0-9]{2,5})\.(?<final_ext>[a-z0-9]{2,5})$", field=TargetFileName, as=[second_ext, final_ext])
| table([_timstamp, ComputerName, UserName, TargetFileName, second_ext, final_ext, ImageFileName, CommandLine])
| sort(field=@timestamp, order=desc)
high severity medium confidence

CrowdStrike Falcon LogScale (CQL) query detecting file creation and executable write events where the TargetFileName matches the double extension masquerading pattern. Uses regex to extract and display the decoy and true extensions for analyst triage.

Data Sources

CrowdStrike Falcon EDRCrowdStrike Falcon LogScale (Humio)Falcon sensor endpoint telemetry

Required Tables

FileOpenInfo event streamNewExecutableWritten event stream

False Positives & Tuning

  • CrowdStrike Falcon itself or other endpoint security tools that write quarantine copies of files with compound extensions appended to the original filename
  • Software development or CI/CD pipelines running on endpoints that create build artifacts with version strings or type qualifiers embedded before the final extension
  • End users who intentionally save documents with compound names for organizational purposes, and whose naming convention happens to end in an executable extension
Download portable Sigma rule (.yml)

Other platforms for T1036.007

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Create Double Extension EXE File

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.

  2. Test 2Create Double Extension LNK File (Kimsuky/DarkGate Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.

  3. Test 3Create and Execute Double Extension SCR File

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.

Last updated: 2026-04-18 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1036.007 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1036Masquerading

Related Sub-techniques

T1036.001Invalid Code SignatureT1036.002Right-to-Left OverrideT1036.003Rename Legitimate UtilitiesT1036.004Masquerade Task or ServiceT1036.005Match Legitimate Resource Name or LocationT1036.006Space after FilenameT1036.008Masquerade File TypeT1036.009Break Process TreesT1036.010Masquerade Account NameT1036.011Overwrite Process ArgumentsT1036.012Browser Fingerprint

Related Techniques

T1036MasqueradingT1036.008Masquerade File TypeT1566.001Spearphishing AttachmentT1204.002Malicious FileT1105Ingress Tool TransferT1547.001Registry Run Keys / Startup FolderT1027Obfuscated Files or Information

Same Tactic: Defense Evasion

Popular Detections