T1036.007 Sumo Logic CSE · Sumo

Detect Double File Extension in Sumo Logic CSE

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies. Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads, commonly tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access via Spearphishing Attachment then User Execution.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1036 Masquerading
Sub-technique
T1036.007 Double File Extension
Canonical reference
https://attack.mitre.org/techniques/T1036/007/

Sumo Detection Query

Sumo Logic CSE (Sumo)

_sourceCategory=*sysmon* OR _sourceCategory=*windows*
// Sysmon Event ID 11 = File Create; the field name depends on how the collector parsed the event
| where EventID = "11" OR EventCode = "11"
| parse field=Message "TargetFilename: *" as target_filename nodrop
| parse field=Message "Image: *" as process_image nodrop
| parse field=Message "User: *" as username nodrop
| toLowerCase(target_filename) as target_filename_lower
// Cheap prefilter: a decoy extension immediately followed by an executable one at the end of the name.
// matches needs a /regex/ literal here; the quoted form is a wildcard pattern, not a regex
| where target_filename_lower matches /.*\.(txt|doc|docx|pdf|jpg|jpeg|png|gif|xls|xlsx|ppt|pptx|csv|rtf|bmp|mp3|mp4)\.(exe|scr|bat|cmd|com|pif|hta|lnk|vbs|vbe|js|jse|wsh|wsf|msi|ps1)$/
// Pull the two trailing extensions out so each can be checked against its own list
| parse regex field=target_filename_lower "(?<second_ext>\.[a-z0-9]{2,5})\.(?<final_ext>[a-z0-9]{2,5})$" nodrop
| where !isNull(second_ext) and !isNull(final_ext)
| where final_ext in ("exe","scr","bat","cmd","com","pif","hta","lnk","vbs","vbe","js","jse","wsh","wsf","msi","ps1")
| where second_ext in (".txt",".doc",".docx",".pdf",".jpg",".jpeg",".png",".gif",".xls",".xlsx",".ppt",".pptx",".csv",".rtf",".bmp",".mp3",".mp4")
| fields _messageTime, _sourceHost, username, process_image, target_filename, second_ext, final_ext
| sort by _messageTime desc

Severity: high. Confidence: high.

Detects Sysmon Event ID 11 (File Create) events in Sumo Logic whose target filename shows the double-extension masquerading pattern. The raw Sysmon message is parsed to extract the target filename, which is lower-cased and split into its last two extensions; the rule then requires the penultimate extension to be a decoy document or media type and the final extension, the one that actually determines how the file is opened, to be an executable or script type.
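The same logic as the query above, as an added Python example that is not part of this page or of Sumo Logic's tooling: it parses constructed Sysmon Event ID 11 records, applies the query's decoy and executable extension lists and its two-extension regex, and shows that a build artifact (setup.msi.tmp) and a non-File-Create event are not flagged. The _messageTime and _sourceHost keys and the "Key: value" message layout are assumptions about the shape of the collected record.

```python
import re

# Extension lists mirror the Sumo query above (names are this example's own).
DECOY_EXTS = {".txt", ".doc", ".docx", ".pdf", ".jpg", ".jpeg", ".png", ".gif",
              ".xls", ".xlsx", ".ppt", ".pptx", ".csv", ".rtf", ".bmp", ".mp3", ".mp4"}
EXEC_EXTS = {"exe", "scr", "bat", "cmd", "com", "pif", "hta", "lnk", "vbs", "vbe",
             "js", "jse", "wsh", "wsf", "msi", "ps1"}
# Same shape as the query's parse regex: the last two extensions of the path.
EXT_RE = re.compile(r"(\.[a-z0-9]{2,5})\.([a-z0-9]{2,5})$")

def parse_message(message):
    """Turn the 'Key: value' lines of a Sysmon message body into a dict (assumed layout)."""
    return dict(re.findall(r"^(\w+): (.*)$", message, flags=re.M))

def classify(event):
    """(second_ext, final_ext) for a File Create whose name is decoy-then-executable, else None."""
    if str(event.get("EventID")) != "11":          # only Sysmon Event ID 11
        return None
    target = parse_message(event["Message"]).get("TargetFilename", "").lower()
    m = EXT_RE.search(target)                      # case folded like toLowerCase()
    if not m:
        return None
    second_ext, final_ext = m.groups()
    return (second_ext, final_ext) if final_ext in EXEC_EXTS and second_ext in DECOY_EXTS else None

def detect(events):
    """Run classify() over a batch; hits newest first, with the query's output columns."""
    hits = []
    for ev in events:
        res = classify(ev)
        if res:
            f = parse_message(ev["Message"])
            hits.append({"time": ev["_messageTime"], "host": ev["_sourceHost"],
                         "user": f.get("User"), "image": f.get("Image"),
                         "target": f.get("TargetFilename"), "second_ext": res[0], "final_ext": res[1]})
    return sorted(hits, key=lambda h: h["time"], reverse=True)

# Constructed sample events (not real telemetry) in the shape the query parses.
SAMPLE_EVENTS = [
    {"_messageTime": 1, "_sourceHost": "WS01", "EventID": 11, "Message":
     "File created:\nImage: C:\\Windows\\System32\\cmd.exe\n"
     "TargetFilename: C:\\Users\\bob\\AppData\\Local\\Temp\\Report.PDF.exe\nUser: CORP\\bob"},
    {"_messageTime": 2, "_sourceHost": "WS01", "EventID": 11, "Message":   # build artifact, no hit
     "File created:\nImage: C:\\build\\msbuild.exe\nTargetFilename: C:\\build\\out\\setup.msi.tmp\nUser: CORP\\svc"},
    {"_messageTime": 3, "_sourceHost": "WS02", "EventID": 1, "Message":    # not a File Create, no hit
     "Process Create:\nImage: C:\\tmp\\photo.jpg.scr\nUser: CORP\\eve"},
    {"_messageTime": 4, "_sourceHost": "WS02", "EventID": 11, "Message":
     "File created:\nImage: C:\\Windows\\explorer.exe\nTargetFilename: C:\\Users\\eve\\Downloads\\invoice.pdf.lnk\nUser: CORP\\eve"},
]
```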

Data Sources

  • Sumo Logic Cloud SIEM
  • Sysmon via Windows Event Log collector
  • Sumo Logic Installed Collector on Windows endpoints

Required Tables

Sysmon Operational event log (_sourceCategory=*sysmon*)

False Positives & Tuning

  • Software packaging tools that produce compound-named artifacts during build processes (e.g., setup.msi.tmp misclassified if tmp resolves to an executable type)
  • Penetration testing or red team tooling executed during authorized engagements that creates test double-extension files
  • IT asset management or software inventory tools that temporarily rename files during scanning or cataloging operations

Testing Methodology

Validate this detection against the three Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: Create Double Extension EXE File

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename containing 'report.pdf.exe' in the user's Temp directory. Sysmon Event ID 1: Process Create for cmd.exe with CommandLine containing 'copy' and 'report.pdf.exe'. DeviceFileEvents with ActionType=FileCreated and FileName=report.pdf.exe.

  2. Test 2: Create Double Extension LNK File (Kimsuky/DarkGate Pattern)

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename ending in 'invoice.pdf.lnk'. Sysmon Event ID 1: Process Create for powershell.exe with CommandLine referencing WScript.Shell and CreateShortcut. DeviceFileEvents with FileName=invoice.pdf.lnk.

  3. Test 3: Create and Execute Double Extension SCR File

    Expected signal: Sysmon Event ID 11: FileCreate with TargetFilename 'photo.jpg.scr'. Sysmon Event ID 1: Process Create with Image path ending in 'photo.jpg.scr'. DeviceFileEvents for file creation AND DeviceProcessEvents for process execution, both with the double extension filename.
