Detect Double File Extension in Splunk
Adversaries may abuse a double extension in a filename to masquerade the true file type. A filename such as File.txt.exe may render in some views as just File.txt because the final extension is hidden, yet that final extension is the one that determines how Windows opens and executes the file. Windows Explorer hides known extensions by default ("Hide extensions for known file types"), and shortcut files (.lnk) never display their extension regardless of that setting, so invoice.pdf.lnk appears as invoice.pdf. Other software that follows the system's policies may hide the real extension in the same way. Adversaries use this to conceal executable payloads behind a benign-looking name, tricking a user into opening what they believe is a document or image. Such files commonly arrive as email attachments and give an adversary Initial Access via Spearphishing Attachment followed by User Execution.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1036 Masquerading
- Sub-technique
- T1036.007 Double File Extension
- Canonical reference
- https://attack.mitre.org/techniques/T1036/007/
SPL Detection Query
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval base_name=lower(mvindex(split(TargetFilename, "\\"), -1))
| rex field=base_name "\.(?<second_ext>[a-z0-9]{2,5})\.(?<final_ext>[a-z0-9]{2,5})$"
| where isnotnull(second_ext) AND isnotnull(final_ext)
| eval is_executable=if(match(final_ext, "^(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$"), 1, 0)
| eval is_benign_decoy=if(match(second_ext, "^(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)$"), 1, 0)
| where is_executable=1 AND is_benign_decoy=1
| table _time, host, User, Image, TargetFilename, base_name, second_ext, final_ext
| sort - _time

Detects double file extension masquerading using Sysmon Event ID 11 (FileCreate). The query takes the file name component of TargetFilename (everything after the last backslash, obtained with split/mvindex so no backslash escaping is needed in the regex), lower-cases it, extracts the last two extensions, and flags files where a benign decoy extension is immediately followed by an executable extension. This catches common patterns such as report.pdf.exe, invoice.doc.scr and image.jpg.hta used by threat actors including DarkGate, Bazar and Kimsuky for initial access via phishing attachments. Names with several dots but a non-executable final extension (report.final.docx, backup.tar.gz) do not match.
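The same rule run over constructed Sysmon Event ID 11 records, as an added example in Python (not code from the original page): it mirrors the SPL above step by step, adds the kind of creating-process allowlist used to tune out the backup-software false positive, and shows which multi-dot names do and do not fire. The sample events, the user paths and the allowlisted backup.exe path are assumptions made for the example.

```python
"""
Double-extension rule (T1036.007) applied to Sysmon Event ID 11 records.
Added example, not code from the original page.
"""
import re
import xml.etree.ElementTree as ET

# Same extension lists as the SPL query.
EXECUTABLE_EXTS = {
    "exe", "scr", "bat", "cmd", "com", "pif", "hta", "lnk", "vbs", "vbe",
    "js", "jse", "wsh", "wsf", "msi", "ps1",
}
DECOY_EXTS = {
    "txt", "doc", "docx", "pdf", "jpg", "jpeg", "png", "gif", "xls", "xlsx",
    "ppt", "pptx", "csv", "rtf", "bmp", "mp3", "mp4",
}
# Last two dot-separated extensions of an already lower-cased file name.
EXT_PAIR = re.compile(r"\.([a-z0-9]{2,5})\.([a-z0-9]{2,5})$")

# Hypothetical tuning allowlist: creating processes whose double-extension
# files are expected (a backup agent here). The path is an assumed example.
ALLOWLISTED_IMAGES = {r"c:\program files\backupvendor\backup.exe"}

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_event(event_id, image, target_filename):
    """Build a minimal Sysmon-style XML record (constructed sample data)."""
    return (
        f'<Event xmlns="{NS["e"]}">'
        f"<System><EventID>{event_id}</EventID></System>"
        "<EventData>"
        f'<Data Name="Image">{image}</Data>'
        f'<Data Name="TargetFilename">{target_filename}</Data>'
        "</EventData></Event>"
    )


def parse_event(xml_text):
    """Return EventID plus the EventData Name/value pairs as a dict."""
    root = ET.fromstring(xml_text)
    event = {"EventID": int(root.find("e:System/e:EventID", NS).text)}
    for data in root.findall("e:EventData/e:Data", NS):
        event[data.get("Name")] = data.text or ""
    return event


def classify(target_filename):
    """Apply the rule to one path; return the extension pair on a hit, else None."""
    # Equivalent of lower(mvindex(split(TargetFilename, "\\"), -1)) in the SPL.
    base_name = target_filename.rsplit("\\", 1)[-1].lower()
    m = EXT_PAIR.search(base_name)
    if not m:
        return None
    second_ext, final_ext = m.group(1), m.group(2)
    if final_ext in EXECUTABLE_EXTS and second_ext in DECOY_EXTS:
        return {"base_name": base_name, "second_ext": second_ext, "final_ext": final_ext}
    return None


def detect(xml_events):
    """Run the rule over raw XML records; only EventID 11 is in scope."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["EventID"] != 11:
            continue
        if ev.get("Image", "").lower() in ALLOWLISTED_IMAGES:
            continue  # tuned-out source of known double-extension files
        verdict = classify(ev.get("TargetFilename", ""))
        if verdict:
            hits.append({"Image": ev["Image"], "TargetFilename": ev["TargetFilename"], **verdict})
    return hits


# Constructed sample telemetry, not captured from a real host.
SAMPLE_EVENTS = [
    make_event(11, r"C:\Windows\System32\cmd.exe",
               r"C:\Users\alice\AppData\Local\Temp\report.pdf.exe"),    # hit
    make_event(11, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
               r"C:\Users\alice\Desktop\invoice.pdf.lnk"),              # hit (.lnk is always hidden)
    make_event(11, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
               r"C:\Users\alice\Documents\report.final.docx"),          # two dots, final ext not executable
    make_event(11, r"C:\Program Files\7-Zip\7z.exe",
               r"C:\Users\alice\Downloads\backup.tar.gz"),              # compound archive name
    make_event(11, r"C:\Program Files\BackupVendor\backup.exe",
               r"C:\Backups\photos.jpg.exe"),                           # suppressed by allowlist
    make_event(1, r"C:\Users\alice\Downloads\photo.jpg.scr", ""),       # Event ID 1, out of scope
    make_event(11, r"C:\Windows\explorer.exe",
               r"C:\Users\alice\Downloads\PHOTO.JPG.SCR"),              # hit, case-insensitive
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"{hit['Image']} -> {hit['TargetFilename']} ({hit['second_ext']}.{hit['final_ext']})")
```

Running the block prints the three hits (report.pdf.exe, invoice.pdf.lnk, PHOTO.JPG.SCR) and nothing for the Office document, the tar.gz archive, the allowlisted backup agent or the Event ID 1 record. Allowlisting by the creating Image rather than by file name keeps the suppression narrow: a phishing payload dropped by Outlook or a browser is still caught even if its name matches a backup product's convention.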
Data Sources
- File: File Creation (Sysmon Event ID 11, FileCreate), providing Image, TargetFilename and User
Required Sourcetypes
- XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (index=wineventlog)
False Positives & Tuning
- Backup software that creates archive files with compound naming conventions
- Software installers that download temporary files with double extensions to staging directories
- Developers or build systems generating files with multiple dots in the filename that coincidentally match the pattern
- Email security gateways that extract and re-save attachments preserving original filenames
Testing Methodology
Validate this detection against the three Atomic Red Team tests for T1036.007 listed below. Each test describes the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Create Double Extension EXE File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.
- Test 2: Create Double Extension LNK File (Kimsuky/DarkGate Pattern)
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.
- Test 3: Create and Execute Double Extension SCR File
Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.
References (7)
- https://attack.mitre.org/techniques/T1036/007/
- https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/
- https://www.pcmag.com/encyclopedia/term/double-extension
- https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-devicefileevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1036.007/T1036.007.md
- https://www.trellix.com/blogs/research/the-darkgate-menace/