Skip to content

T1036.006 Space after Filename

Adversaries can hide a program’s true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to evil.txt (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed 1.

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

Item Value
ID T1036.006
Sub-techniques T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007
Tactics TA0005
CAPEC ID CAPEC-649
Platforms Linux, macOS
Permissions required User
Version 1.0
Created 10 February 2020
Last Modified 29 March 2020

Procedure Examples

ID Name Description
S0276 Keydnap Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.2

Detection

ID Data Source Data Component
DS0022 File File Metadata

References

Back to top