Try it using Invoke-Atomic

Masquerading: Space after Filename

Description from ATT&CK

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to **evil.txt ** (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

Atomic Tests

Atomic Test #1 - Space After Filename (Manual)

Space After Filename

Supported Platforms: macos

auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f

Inputs:

None

Run it with these steps!

  1. echo '#!/bin/bash\necho "print \"hello, world!\"" /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt

  2. mv execute.txt "execute.txt "

  3. ./execute.txt\
1




Atomic Test #2 - Space After Filename


Space after filename.



Supported Platforms: macos,linux



auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea



Inputs:



None



Attack Commands: Run with bash!



1
2
3
4
5
6
7

mkdir -p /tmp/atomic-test-T1036.006
cd /tmp/atomic-test-T1036.006
mkdir -p 'testdirwithspaceend '
/usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1035.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init  '/;\nqx/'.\/init  ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
chmod +x 'testdirwithspaceend /init '
'./testdirwithspaceend /init '





Cleanup Commands:



1

rm -rf /tmp/atomic-test-T1036.006




Atomic Test #3 - Space After Filename (FreeBSD)


Space after filename.



Supported Platforms: freebsd



auto_generated_guid: cfc1fbb5-caae-4f4c-bfa8-1b7c8b5cc4e8



Inputs:



None



Attack Commands: Run with sh!



1
2
3
4
5
6
7

mkdir -p /tmp/atomic-test-T1036.006
cd /tmp/atomic-test-T1036.006
mkdir -p 'testdirwithspaceend '
/bin/echo "#\!/bin/sh" > "testdirwithspaceend /init " && echo 'echo "print(\"running T1035.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init "      
chmod +x 'testdirwithspaceend /init '
'./testdirwithspaceend /init '





Cleanup Commands:



1

rm -rf /tmp/atomic-test-T1036.006




source