T1036.007 Double File Extension

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: File.txt.exe may render in some views as just File.txt). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system's policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain Initial Access into a user's system via Spearphishing Attachment then User Execution. For example, an executable file attachment named Evil.txt.exe may display as Evil.txt to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.
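The description above gives a detection analyst everything needed to flag this pattern in file-creation or attachment telemetry: a name whose final extension is an executable type while the extension just before it is a document or image type. The following Python is an added example written for this page, not code from MITRE ATT&CK or any of the mapped products; the extension lists, the Explorer display approximation, and the sample file names are constructed assumptions.

```python
"""Flag file names that hide an executable true type behind a benign-looking
first extension (ATT&CK T1036.007), e.g. "Evil.txt.exe" shown as "Evil.txt".

Added example for the technique description; extension lists and sample
names below are assumptions, not data from the mappings page.
"""
import os
import re

# Decoy extensions typically used as the visible, benign-looking first extension.
BENIGN_EXTENSIONS = {
    ".txt", ".doc", ".docx", ".rtf", ".pdf",
    ".jpg", ".jpeg", ".gif", ".png", ".xls", ".xlsx",
}

# Extensions that actually decide how Windows opens the file (the "true type").
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".lnk", ".hta", ".com", ".pif",
    ".bat", ".cmd", ".js", ".vbs", ".ps1",
}


def base_name(path):
    """Strip directory components for both Windows and POSIX separators."""
    return re.split(r"[\\/]", path.strip())[-1]


def split_extensions(path):
    """Return the lowercased extension chain, e.g. 'Report.PDF.exe' -> ['.pdf', '.exe'].
    A leading dot (dotfile) is not an extension; whitespace inside parts is trimmed."""
    base = base_name(path)
    if base.startswith("."):
        base = base[1:]
    parts = base.split(".")
    return ["." + p.strip().lower() for p in parts[1:]]


def displayed_name(path):
    """Approximate Explorer with 'Hide extensions for known file types' enabled:
    only the final extension is dropped, so 'Evil.txt.exe' shows as 'Evil.txt'."""
    base = base_name(path)
    stem, ext = os.path.splitext(base)
    return stem if ext else base


def is_double_extension_masquerade(path):
    """True when the last extension is executable and the one before it is benign."""
    exts = split_extensions(path)
    if len(exts) < 2:
        return False
    return exts[-1] in EXECUTABLE_EXTENSIONS and exts[-2] in BENIGN_EXTENSIONS


def find_masquerades(paths):
    """Return (original name, name as the user would see it, true extension) per hit."""
    return [
        (p, displayed_name(p), split_extensions(p)[-1])
        for p in paths
        if is_double_extension_masquerade(p)
    ]


# Constructed sample of file names as they might appear in file-creation events
# or attachment logs; none of these are real artifacts.
SAMPLE_NAMES = [
    "Evil.txt.exe",                          # classic decoy: text file over an executable
    "Photo.JPG.scr",                         # mixed case, screensaver true type
    "archive.tar.gz",                        # legitimate double extension, not flagged
    "setup.exe",                             # single executable extension, not flagged
    "notes.txt",                             # benign single extension
    ".bashrc",                               # dotfile, no extension chain
    r"C:\Users\x\Downloads\Invoice.pdf.lnk",  # full Windows path, shortcut true type
]

if __name__ == "__main__":
    for name, shown, true_ext in find_masquerades(SAMPLE_NAMES):
        print(f"{name!r} would display as {shown!r} but is really {true_ext}")
```

The pairing of a benign decoy with an executable true type, rather than any two extensions, is what keeps legitimate names such as archive.tar.gz out of the results; tune both sets to the file types your environment actually handles and run the check over file-creation or mail-gateway attachment names.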


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-01.01 | Configuration baselines | Mitigates | T1036.007 | Double File Extension | (see comments)
Comments: This diagnostic statement provides for securely configuring production systems. This includes hardening default configurations and making security-focused setting adjustments to reduce the attack surface, enforce best practices, and protect sensitive data, thereby mitigating adversary exploitation.

PR.PS-01.02 | Least functionality | Mitigates | T1036.007 | Double File Extension | (see comments)
Comments: This diagnostic statement provides for limiting unnecessary software, services, ports, protocols, etc. Ensuring systems only have installed and enabled what is essential for their operation reduces the attack surface and minimizes vulnerabilities, which mitigates a wide range of techniques.

PR.PS-01.03 | Configuration deviation | Mitigates | T1036.007 | Double File Extension | (see comments)
Comments: This diagnostic statement provides protection from Masquerading: Double File Extension through the implementation of security configuration baselines for OS, software, file integrity monitoring and imaging. Security baseline configuration of the Operating System and integrity checking can help protect against adversaries attempting to compromise and modify software and its configurations.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1036.007 | Double File Extension |
CM-06 | Configuration Settings | mitigates | T1036.007 | Double File Extension |
CM-02 | Baseline Configuration | mitigates | T1036.007 | Double File Extension |
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1036.007 | Double File Extension |
CM-07 | Least Functionality | mitigates | T1036.007 | Double File Extension |
SI-04 | System Monitoring | mitigates | T1036.007 | Double File Extension |

Azure Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
file_integrity_monitoring | Microsoft Defender for Cloud: File Integrity Monitoring | technique_scores | T1036.007 | Double File Extension | (see comments)
Comments: This control can detect when files with two file extensions are created.

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
EOP-AMW-E3 | Antimalware | Technique Scores | T1036.007 | Double File Extension | (see comments)
Comments: M365's Antimalware capability can be used to block specified file types from executing. This can be configured to only block nonessential file types (such as .exe files), which could prevent files with double extensions from being opened. However, this does not combat the technique as a whole.