title: Space after Filename (T1036.006)
id: df00tech-t1036-006
status: experimental
description: "Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically, this does not work with .app extensions), appending a space to the end of a filename changes how the operating system processes the file. For example, if a Mach-O executable file called evil.bin is renamed to 'evil.txt ' (with a space at the end), then when a user double-clicks it the OS determines the true file type, handles it accordingly, and executes the binary. This technique primarily targets macOS and Linux systems."
references:
  - https://attack.mitre.org/techniques/T1036/006/
  - https://df00tech.com/detections/T1036.006
author: df00tech
date: 2026/04/18
tags:
  - attack.t1036.006
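# NOTE: logsource is auto-derived and may need adjustment for your environment.
# The description names macOS and Linux as the primary targets, while product below is set to windows.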
logsource:
  product: windows
detection:
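  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  # The selection below is a placeholder: EventID '*' matches any event that carries an EventID value,
  # so it does not test for a trailing space in the filename. Replace it before deploying the rule.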
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Users accidentally adding trailing spaces when renaming files (rare but possible)
  - File synchronization tools that may preserve trailing spaces from other operating systems
  - Automated file processing systems that generate files with improperly trimmed names
level: high
