Try it using Invoke-Atomic

Masquerading: Space after Filename

Description from ATT&CK

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.

For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious. https://www.aleksandrhovhannisyan.com/blog/how-to-add-a-copy-to-clipboard-button-to-your-jekyll-blog/

Atomic Tests

Atomic Test #1 - Space After Filename

Space After Filename

Supported Platforms: macos

auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f

Inputs:

None

Run it with these steps!

    1. echo '#!/bin/bash\necho "print \"hello, world!\"" /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
  1. mv execute.txt "execute.txt "

  2. ./execute.txt\
1

source