Detect Double File Extension in Microsoft Sentinel
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads, commonly tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access via Spearphishing Attachment then User Execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.007 Double File Extension
- Canonical reference
- https://attack.mitre.org/techniques/T1036/007/
KQL Detection Query
let ExecutableExtensions = dynamic([".exe", ".scr", ".bat", ".cmd", ".com", ".pif", ".hta", ".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsh", ".wsf", ".msi", ".ps1"]);
let BenignExtensions = dynamic([".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif", ".xls", ".xlsx", ".ppt", ".pptx", ".csv", ".rtf", ".bmp", ".mp3", ".mp4"]);
DeviceFileEvents
| where Timestamp > ago(24h)
| where ActionType in ("FileCreated", "FileRenamed")
| extend FileExt = tolower(strcat(".", tostring(split(FileName, ".")[-1])))
| extend SecondToLastExt = tolower(strcat(".", tostring(split(FileName, ".")[-2])))
| extend DotCount = countof(FileName, ".")
| where DotCount >= 2
| where FileExt has_any (ExecutableExtensions)
| where SecondToLastExt has_any (BenignExtensions)
| extend IsDoubleExtension = true
| project Timestamp, DeviceName, ActionType, FileName, FolderPath, FileExt, SecondToLastExt,
InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName
| sort by Timestamp descDetects files created or renamed with double extensions where a benign-looking extension (e.g., .txt, .pdf, .jpg) precedes a dangerous executable extension (e.g., .exe, .scr, .lnk, .hta). Uses DeviceFileEvents to catch both new file creation and file rename operations. The query counts dots in the filename and validates that the final extension is executable while the second-to-last extension appears benign, which is the classic double extension masquerade pattern used by DarkGate, Bazar, Kimsuky, and Mustang Panda.
Data Sources
Required Tables
False Positives & Tuning
- Backup software that creates archive files with compound naming conventions (e.g., backup.tar.gz being misidentified if archive extensions are added to the list)
- Software installers that download temporary files with double extensions to staging directories before execution
- Developers or build systems generating files with multiple dots in the filename that coincidentally match the pattern (e.g., module.config.exe for legitimate .NET configuration tools)
- Email security gateways that extract and re-save attachments with original filenames including double extensions for scanning purposes
Other platforms for T1036.007
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Create Double Extension EXE File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.
- Test 2Create Double Extension LNK File (Kimsuky/DarkGate Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.
- Test 3Create and Execute Double Extension SCR File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.
References (7)
- https://attack.mitre.org/techniques/T1036/007/
- https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/
- https://www.pcmag.com/encyclopedia/term/double-extension
- https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.007/T1036.007.md
- https://www.trellix.com/blogs/research/the-darkgate-menace/
Unlock Pro Content
Get the full detection package for T1036.007 including response playbook, investigation guide, and atomic red team tests.