T1036.007 Double File Extension
Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies.[1][2]
Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user's system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.[2]
Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
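As an added example (not part of the ATT&CK page), the following Python checks filenames from file-creation events for exactly the pattern described above: a benign-looking first extension immediately followed by an executable true extension. The event lines and hostnames are constructed, and the extension sets extend the page's lists with a few common equivalents.

```python
import re
from typing import List, Optional, Tuple

# First extensions the description calls benign-looking, plus the executable
# extensions it names as the true type (bat/cmd/vbs/js are added here as
# common equivalents; extend both sets to fit your environment).
DECOY_EXTENSIONS = {"txt", "doc", "docx", "pdf", "rtf", "jpg", "jpeg", "gif", "png"}
EXEC_EXTENSIONS = {"exe", "lnk", "hta", "scr", "bat", "cmd", "vbs", "js"}


def analyze_filename(path: str) -> Optional[Tuple[str, str]]:
    """Return (decoy_ext, true_ext) when the basename shows a benign-looking
    extension immediately followed by an executable one, else None."""
    name = re.split(r"[\\/]", path)[-1]          # basename for Windows or POSIX paths
    parts = name.lower().split(".")
    if len(parts) < 3:                           # need base + decoy + true extension
        return None
    decoy, true_ext = parts[-2], parts[-1]
    if decoy in DECOY_EXTENSIONS and true_ext in EXEC_EXTENSIONS:
        return decoy, true_ext
    return None


# Constructed file-creation events in a simple key=value layout (not real telemetry).
SAMPLE_EVENTS = [
    "2021-08-04T09:12:01Z FileCreate host=WS01 user=alice path=C:\\Users\\alice\\Downloads\\PreviewReport.DOC.exe",
    "2021-08-04T09:12:05Z FileCreate host=WS01 user=alice path=C:\\Users\\alice\\Downloads\\budget.xlsx",
    "2021-08-04T09:13:40Z FileCreate host=WS02 user=bob path=C:\\Users\\bob\\AppData\\Local\\Temp\\invoice.pdf.lnk",
    "2021-08-04T09:14:02Z FileCreate host=WS02 user=bob path=C:\\Program Files\\App\\companycatalog.exe.config",
    "2021-08-04T09:15:11Z FileCreate host=WS03 user=carol path=C:\\Users\\carol\\Desktop\\Evil.txt.exe",
]

PATH_RE = re.compile(r"\bpath=(?P<path>.+)$")


def scan_events(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, path, true_ext) for every event whose filename matches."""
    hits = []
    for line in lines:
        m = PATH_RE.search(line)
        if not m:
            continue
        result = analyze_filename(m.group("path"))
        if result:
            host = re.search(r"\bhost=(\S+)", line)
            hits.append((host.group(1) if host else "?", m.group("path"), result[1]))
    return hits


if __name__ == "__main__":
    for host, path, ext in scan_events(SAMPLE_EVENTS):
        print(f"{host}: double extension hides .{ext} -> {path}")
```

Note that the Milan-style name companycatalog.exe.config is deliberately not flagged: its true extension is benign-looking, so that variant needs a different check (for example, inspecting file headers) rather than a filename rule.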
Item | Value |
---|---|
ID | T1036.007 |
Sub-techniques | T1036.001, T1036.002, T1036.003, T1036.004, T1036.005, T1036.006, T1036.007, T1036.008 |
Tactics | TA0005 |
Platforms | Windows |
Version | 1.0 |
Created | 04 August 2021 |
Last Modified | 14 October 2021 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0534 | Bazar | The Bazar loader has used dual-extension executable files such as PreviewReport.DOC.exe.[5] |
S1015 | Milan | Milan has used an executable named companycatalog.exe.config to appear benign.[6] |
G0129 | Mustang Panda | Mustang Panda has used an additional filename extension to hide the true file type.[7][8] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1028 | Operating System Configuration | Disable the default to "hide file extensions for known file types" in Windows OS.[3][4] |
M1017 | User Training | Train users to look for double extensions in filenames, and in general use training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0022 | File | File Creation |
References
1. PCMag. (n.d.). Encyclopedia: double extension. Retrieved August 4, 2021.
2. Eugene Tkachenko. (2020, May 1). Rule of the Week: Possible Malicious File Double Extension. Retrieved July 27, 2021.
3. Seqrite. (n.d.). How to avoid dual attack and vulnerable files with double extension? Retrieved July 27, 2021.
4. Chris Hoffman. (2017, March 8). How to Make Windows Show File Extensions. Retrieved August 4, 2021.
5. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9'S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
6. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022.
7. Meyers, A. (2018, June 15). Meet CrowdStrike's Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
8. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.