Detect Double File Extension in IBM QRadar
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads, commonly tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access via Spearphishing Attachment then User Execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.007 Double File Extension
- Canonical reference
- https://attack.mitre.org/techniques/T1036/007/
QRadar Detection Query
SELECT DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time, sourceip, username, "filename", QIDNAME(qid) AS event_name, logsourceid, LOGSOURCETYPENAME(logsourceid) AS log_source_type
FROM events
WHERE LOGSOURCETYPENAME(logsourceid) ILIKE '%sysmon%'
AND qid IN (SELECT qid FROM qidmap WHERE qname ILIKE '%file create%')
AND (LOWER("filename") SIMILAR TO '%.txt\.exe' OR LOWER("filename") SIMILAR TO '%.txt\.scr'
OR LOWER("filename") SIMILAR TO '%.doc\.exe' OR LOWER("filename") SIMILAR TO '%.doc\.bat'
OR LOWER("filename") SIMILAR TO '%.docx\.exe' OR LOWER("filename") SIMILAR TO '%.docx\.cmd'
OR LOWER("filename") SIMILAR TO '%.pdf\.exe' OR LOWER("filename") SIMILAR TO '%.pdf\.vbs'
OR LOWER("filename") SIMILAR TO '%.pdf\.ps1' OR LOWER("filename") SIMILAR TO '%.jpg\.exe'
OR LOWER("filename") SIMILAR TO '%.jpeg\.exe' OR LOWER("filename") SIMILAR TO '%.png\.exe'
OR LOWER("filename") SIMILAR TO '%.gif\.exe' OR LOWER("filename") SIMILAR TO '%.xls\.exe'
OR LOWER("filename") SIMILAR TO '%.xlsx\.exe' OR LOWER("filename") SIMILAR TO '%.ppt\.exe'
OR LOWER("filename") SIMILAR TO '%.pptx\.exe' OR LOWER("filename") SIMILAR TO '%.csv\.exe'
OR LOWER("filename") SIMILAR TO '%.rtf\.exe' OR LOWER("filename") SIMILAR TO '%.bmp\.exe'
OR LOWER("filename") SIMILAR TO '%.mp3\.exe' OR LOWER("filename") SIMILAR TO '%.mp4\.exe'
OR LOWER("filename") SIMILAR TO '%.txt\.hta' OR LOWER("filename") SIMILAR TO '%.pdf\.hta'
OR LOWER("filename") SIMILAR TO '%.doc\.hta' OR LOWER("filename") SIMILAR TO '%.txt\.msi'
OR LOWER("filename") SIMILAR TO '%.pdf\.lnk' OR LOWER("filename") SIMILAR TO '%.doc\.lnk'
OR LOWER("filename") SIMILAR TO '%.txt\.js' OR LOWER("filename") SIMILAR TO '%.pdf\.js'
OR LOWER("filename") SIMILAR TO '%.doc\.vbs' OR LOWER("filename") SIMILAR TO '%.pdf\.vbe'
OR LOWER("filename") SIMILAR TO '%.txt\.wsh' OR LOWER("filename") SIMILAR TO '%.pdf\.wsf')
AND starttime > NOW() - 1 DAYS
ORDER BY starttime DESC
LIMIT 500Queries QRadar for Sysmon file creation events where the filename matches the double extension masquerading pattern — a benign-looking extension immediately followed by an executable extension. Covers the most prevalent combinations seen in phishing campaigns.
Data Sources
Required Tables
False Positives & Tuning
- File backup utilities that append the original extension to backup copies (e.g., report.pdf.bak misidentified if bak is mapped as executable)
- Automated document processing pipelines that create intermediate files with compound names before final output
- Browser download managers that temporarily name partially-downloaded files with an appended extension
Other platforms for T1036.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Double Extension EXE File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.
- Test 2Create Double Extension LNK File (Kimsuky/DarkGate Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.
- Test 3Create and Execute Double Extension SCR File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.
References (7)
- https://attack.mitre.org/techniques/T1036/007/
- https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/
- https://www.pcmag.com/encyclopedia/term/double-extension
- https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.007/T1036.007.md
- https://www.trellix.com/blogs/research/the-darkgate-menace/
Unlock Pro Content
Get the full detection package for T1036.007 including response playbook, investigation guide, and atomic red team tests.