Live Active security incident? Get immediate response
MITRE ATT&CK® Detection Strategy

DET0292: Masquerading via Space After Filename - Behavioral Detection Strategy

DET0292 is a behavioral detection strategy for spotting masquerading that relies on a space after a filename, linked to ATT&CK technique T1036.006. The bus...

EnterpriseDET0292Detection StrategyObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0292 is a behavioral detection strategy for spotting masquerading that relies on a space after a filename, linked to ATT&CK technique T1036.006. The business risk is not the filename trick itself; it is that users and tools may misread what a file really is, allowing suspicious executables or scripts to blend into normal file activity on supported Linux and macOS environments.

Executive priority

Security leaders should treat this as a coverage-validation issue for endpoint visibility and SOC triage quality. Ask whether endpoint logging, file inventory, and alert pipelines preserve unusual filename characters such as trailing spaces, or whether normalization silently removes the evidence. This matters for incident response readiness, audit evidence, and control assurance because a small parsing blind spot can make masquerading activity harder to investigate.

Technical view

The supplied detection strategy has no official detection text or platform list, but it detects T1036.006, which is associated with Linux and macOS and the stealth tactic. SOC and detection teams should validate whether they can identify files whose names contain trailing spaces, especially when the apparent extension does not align with how the operating system processes or launches the file. IR teams should confirm that endpoint timelines retain original filenames, file rename/create events, and process execution context without trimming whitespace.

Likely telemetry

  • Endpoint file creation, rename, and modification events that preserve exact filename strings, including trailing whitespace
  • Process execution telemetry showing launched file path, parent process, command line, and user context
  • File metadata and content/type inspection where available to compare displayed extension with actual executable or file format
  • macOS user-launched process context where available, including launches involving Terminal.app when relevant to local telemetry
  • EDR, filesystem, and SIEM pipelines that can demonstrate whether trailing spaces are retained or normalized

Detection direction

  • Test whether collection agents, log forwarders, SIEM parsers, and analyst search interfaces preserve trailing spaces in filenames; trimming or normalization is a key blind spot.
  • Look for files with trailing whitespace in the basename or extension area, then prioritize cases where execution follows creation, rename, download, or user interaction.
  • Correlate suspicious filenames with process execution, parent-child relationships, user context, and file type/content indicators to reduce false positives from accidental or legacy filenames.
  • Tune detections separately for Linux and macOS environments where T1036.006 is applicable, rather than assuming broad enterprise coverage from the detection strategy object itself.
  • Document known benign sources of trailing-space filenames so alerts can focus on newly created, renamed, or executed files.

Mitigation priorities

  • First, ensure endpoint and SIEM telemetry preserve exact filenames and paths; without this, policy and detection controls may not be provable.
  • Add validation or policy controls that flag, block, or review filenames with trailing whitespace where operationally feasible.
  • Harden execution controls so files cannot run solely because a user misinterprets the displayed extension or name.
  • Include this behavior in user-awareness and incident-response playbooks for suspicious attachments, downloads, and renamed files on Linux/macOS systems.
  • Use periodic hunts or control tests to confirm that trailing-space filename cases remain visible after tooling, parser, or logging changes.
Analyst notes and limits

This take is based on the detection strategy object DET0292 and its relationship to ATT&CK technique T1036.006 Space after Filename. The ATT&CK object does not provide an official description or detection logic, so the practical guidance focuses on validating telemetry and parser behavior implied by the related technique.

No active exploitation, actor attribution, prevalence, specific data sources, mitigations, or official detection analytics were supplied. Local operating system behavior, endpoint tooling, filename normalization, and business process exceptions must be validated before operationalizing detection or control decisions.

Official MITRE ATT&CK definition

Masquerading via Space After Filename - Behavioral Detection Strategy

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1036.006 Space after Filename Sub-technique This object detects Space after Filename.
Relationship explorer

All related ATT&CK context

detects · Technique T1036.006: Space after Filename Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
cdb68f3042d1d709...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle cdb68f3042d1…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack DET0292
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use