T1036.006
Masquerading: Space after Filename
Description from ATT&CK
Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system.
For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to **evil.txt ** (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).
Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.
Atomic Tests
Atomic Test #1 - Space After Filename (Manual)
Space After Filename
Supported Platforms: macos
auto_generated_guid: 89a7dd26-e510-4c9f-9b15-f3bae333360f
Inputs:
None
Run it with these steps!
- echo '#!/bin/bash\necho "print \"hello, world!\"" | /usr/bin/python\nexit' > execute.txt && chmod +x execute.txt
- mv execute.txt "execute.txt "
- ./execute.txt\  (the backslash escapes the trailing space, so the shell runs "execute.txt " rather than execute.txt; './execute.txt ' is equivalent)
Atomic Test #2 - Space After Filename
Space after filename.
Supported Platforms: macos,linux
auto_generated_guid: b95ce2eb-a093-4cd8-938d-5258cef656ea
Inputs:
None
Attack Commands: Run with sh!
mkdir -p /tmp/atomic-test-T1036.006
cd /tmp/atomic-test-T1036.006
mkdir -p 'testdirwithspaceend '
[ "$(uname)" = 'FreeBSD' ] && /bin/echo '#!/bin/sh' > "testdirwithspaceend /init " && echo 'echo "print(\"running T1036.006 with space after filename to masquerade init\")" | python3.9' >> "testdirwithspaceend /init " && echo "exit" >> "testdirwithspaceend /init " || /usr/bin/echo -e "%d\na\n#!/usr/bin/perl\nprint \"running T1036.006 with space after filename to masquerade init\\n\";\nqx/cp \/usr\/bin\/perl 'init '/;\nqx/'.\/init ' -e 'sleep 5'/;\n.\nwq\n" | ed 'testdirwithspaceend /init ' >/dev/null
chmod +x 'testdirwithspaceend /init '
'./testdirwithspaceend /init '
Cleanup Commands:
rm -rf /tmp/atomic-test-T1036.006
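A defender-side check for this technique, added here as an example and not part of the Atomic Red Team test: it walks a directory for files whose name ends in a space (what `mv evil.bin "evil.txt "` leaves behind) and reports those whose first bytes are a shebang, ELF or Mach-O header despite a document-style extension. The function names are my own and only POSIX tools (find, od, tr) are assumed.

```shell
#!/bin/sh
# Hunt for T1036.006 artifacts: filenames with a trailing space whose content
# is an executable. The trailing space is only a lead; the magic bytes decide.

# Print the first four bytes of a file as lowercase hex with no separators.
magic_hex() {
  od -An -tx1 -N4 -v "$1" | tr -d ' \n'
}

# Return 0 when the magic bytes belong to a shebang script, an ELF binary,
# or a Mach-O binary (thin or fat, either byte order). Note that Java .class
# files also start with cafebabe, so treat a fat-Mach-O hit as a lead.
is_executable_magic() {
  case "$1" in
    2321*)                               return 0 ;;  # "#!" shebang
    7f454c46)                            return 0 ;;  # "\x7fELF"
    feedface|cefaedfe|feedfacf|cffaedfe) return 0 ;;  # Mach-O 32/64-bit
    cafebabe|bebafeca)                   return 0 ;;  # Mach-O fat/universal
  esac
  return 1
}

# Walk a directory tree and print one line per suspicious file:
#   <magic hex><TAB><path>
# Only regular files whose basename ends in a space are examined; IFS= and
# read -r keep that trailing space intact in the path.
find_space_masquerades() {
  find "$1" -type f -name '* ' -print 2>/dev/null |
  while IFS= read -r path; do
    m=$(magic_hex "$path")
    if is_executable_magic "$m"; then
      printf '%s\t%s\n' "$m" "$path"
    fi
  done
}

# Number of hits, so a caller can alert on a non-zero result.
count_space_masquerades() {
  find_space_masquerades "$1" | wc -l | tr -d ' '
}
```

Run it against a user's Downloads or Desktop directory; a hit means a file that opens as a document by name but executes by content.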