Stealth

T1036.006: Space after Filename

T1036.006 · Sub-technique · 2 platforms · 1 group

Description

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

For example, if there is a Mach-O executable file called evil.bin, double-clicking it launches Terminal.app and executes it. If this file is renamed to evil.txt, double-clicking it opens it in the default text editing application and the binary is not executed. However, if the file is renamed to "evil.txt " (note the space at the end), then when it is double-clicked the OS determines the true file type and handles it accordingly, so the binary is executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
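The behaviour above gives defenders a cheap file-system check: a name whose extension is followed by one or more spaces is rare in legitimate use, and when the bytes behind such a name carry a Mach-O magic number the file is a disguised executable. The following scanner is an added example written for this page, not code from MITRE ATT&CK or from any product it cites. The Mach-O and JPEG magic values are real; the sample directory, its file names and their contents are constructed in the block so that it runs offline (it requires a file system that allows trailing spaces in names, i.e. Linux or macOS).

```python
import os
import tempfile
from pathlib import Path

# First four bytes of thin and fat (universal) Mach-O images.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce",  # MH_MAGIC     32-bit, big-endian
    b"\xce\xfa\xed\xfe",  # MH_CIGAM     32-bit, little-endian
    b"\xfe\xed\xfa\xcf",  # MH_MAGIC_64  64-bit, big-endian
    b"\xcf\xfa\xed\xfe",  # MH_CIGAM_64  64-bit, little-endian
    b"\xca\xfe\xba\xbe",  # FAT_MAGIC    universal binary
}

# Extensions a user expects to open in a viewer or editor, not in Terminal.app.
BENIGN_LOOKING = {".txt", ".jpg", ".jpeg", ".png", ".pdf", ".doc", ".docx", ".rtf"}


def padded_extension(name: str):
    """Return the extension that precedes trailing spaces, or None.

    'evil.txt '  -> '.txt'
    'evil.txt'   -> None   (no trailing space)
    'readme '    -> None   (trailing space but no extension to disguise)
    """
    if not name.endswith(" "):
        return None
    ext = Path(name.rstrip(" ")).suffix.lower()
    return ext or None


def is_macho(header: bytes) -> bool:
    """True when the first four bytes carry a Mach-O or fat-binary magic."""
    return header[:4] in MACHO_MAGICS


def scan_directory(root) -> list:
    """Walk root and report every file whose extension is followed by spaces.

    Each finding records the extension, how many spaces pad it, whether the
    content is a Mach-O image and whether the extension looks benign.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            ext = padded_extension(fname)
            if ext is None:
                continue
            full = Path(dirpath) / fname
            try:
                with open(full, "rb") as fh:
                    header = fh.read(4)
            except OSError:
                header = b""
            findings.append({
                "path": str(full),
                "extension": ext,
                "trailing_spaces": len(fname) - len(fname.rstrip(" ")),
                "macho": is_macho(header),
                "benign_looking_ext": ext in BENIGN_LOOKING,
            })
    return sorted(findings, key=lambda f: f["path"])


def build_sample_tree() -> str:
    """Create a throwaway directory of constructed sample files and return its path."""
    root = tempfile.mkdtemp(prefix="t1036_006_")
    samples = {
        "evil.txt ": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,    # 64-bit Mach-O magic, padded name
        "notes.txt": b"just text\n",                        # ordinary file, no padding
        "photo.jpg   ": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # real JPEG magic, padded name
        "readme": b"no extension\n",
    }
    for name, content in samples.items():
        (Path(root) / name).write_bytes(content)
    return root


if __name__ == "__main__":
    for f in scan_directory(build_sample_tree()):
        verdict = "disguised Mach-O" if f["macho"] else "padded name only"
        print(f"{verdict}: {f['path']!r} ext={f['extension']} spaces={f['trailing_spaces']}")
```

The scanner deliberately separates the two signals. A padded name alone is worth a low-severity alert (the JPEG in the sample tree), while a padded name whose bytes start with a Mach-O magic is the case the description above warns about and should be escalated. Run it against user download and desktop directories, or feed its findings to the SIEM or EDR pipeline that already watches file creation events.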

Platforms

Linux, macOS

Threat Groups (1)

ID: G0082
Group: APT38
Context: [APT38](https://attack.mitre.org/groups/G0082) has put several spaces before a file extension to avoid detection and suspicion. (Citation: 1 - appv)

Associated Software (1)

ID: S0276
Name: Keydnap
Type: Malware
Context: [Keydnap](https://attack.mitre.org/software/S0276) puts a space after a false .jpg extension so that execution actually goes through the Terminal.app ...

Frequently Asked Questions

What is T1036.006 (Space after Filename)?

T1036.006 is a MITRE ATT&CK sub-technique named 'Space after Filename'. It belongs to the Stealth tactic. Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

How can T1036.006 be detected?

Detection of T1036.006 (Space after Filename) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.

What mitigations exist for T1036.006?

Follow defense-in-depth principles including network segmentation, least privilege access, security monitoring, and regular patching to reduce the risk of this technique.

Which threat groups use T1036.006?

Known threat groups using T1036.006 include: APT38.