Check out the results from our first round of ATT&CK Evaluations at attackevals.mitre.org!

Space after Filename

Adversaries can hide a program's true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed [1].

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

ID: T1151

Tactic: Defense Evasion, Execution

Platform:  Linux, macOS

Permissions Required:  User

Data Sources:  File monitoring, Process monitoring

Contributors:  Erye Hernandez, Palo Alto Networks

Version: 1.0

Examples

NameDescription
Keydnap

Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.[2]

Mitigation

Prevent files from having a trailing space after the extension.

Detection

It's not common for spaces to be at the end of filenames, so this is something that can easily be checked with file monitoring. From the user's perspective though, this is very hard to notice from within the Finder.app or on the command-line in Terminal.app. Processes executed from binaries containing non-standard extensions in the filename are suspicious.

References