Masquerading Space After Filename

  1[metadata]
  2creation_date = "2022/10/18"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/01/15"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10This rules identifies a process created from an executable with a space appended to the end of the filename. This may
 11indicate an attempt to masquerade a malicious file as benign to gain user execution. When a space is added to the end of
 12certain files, the OS will execute the file according to it's true filetype instead of it's extension. Adversaries can
 13hide a program's true filetype by changing the extension of the file. They can then add a space to the end of the name
 14so that the OS automatically executes the file when it's double-clicked.
 15"""
 16from = "now-9m"
 17index = ["auditbeat-*", "logs-endpoint.events.*"]
 18language = "eql"
 19license = "Elastic License v2"
 20name = "Masquerading Space After Filename"
 21references = [
 22    "https://www.picussecurity.com/resource/blog/picus-10-critical-mitre-attck-techniques-t1036-masquerading",
 23]
 24risk_score = 47
 25rule_id = "f5fb4598-4f10-11ed-bdc3-0242ac120002"
 26setup = """## Setup
 27
 28If enabling an EQL rule on a non-elastic-agent index (such as beats) for versions <8.2,
 29events will not define `event.ingested` and default fallback for EQL rules was not added until version 8.2.
 30Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
 31`event.ingested` to @timestamp.
 32For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html
 33"""
 34severity = "medium"
 35tags = [
 36    "Domain: Endpoint",
 37    "OS: Linux",
 38    "OS: macOS",
 39    "Use Case: Threat Detection",
 40    "Tactic: Defense Evasion",
 41    "Data Source: Elastic Defend",
 42    "Resources: Investigation Guide",
 43]
 44timestamp_override = "event.ingested"
 45type = "eql"
 46query = '''
 47process where host.os.type:("linux","macos") and event.type == "start" and
 48process.executable regex~ """/[a-z0-9\s_\-\\./]+\s""" and not (
 49  process.name in ("ls", "find", "grep", "xkbcomp") or
 50  process.executable like ("/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", "/tmp/ansible-admin/*") or
 51  process.parent.args in (
 52    "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", "/etc/rubrik/start_stop_agent.sh"
 53  )
 54)
 55'''
 56note = """## Triage and analysis
 57
 58> **Disclaimer**:
 59> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 60
 61### Investigating Masquerading Space After Filename
 62
 63In Linux and macOS environments, file execution is determined by the file's true type rather than its extension. Adversaries exploit this by appending a space to filenames, misleading users into executing malicious files disguised as benign. The detection rule identifies such anomalies by monitoring process creation events with filenames ending in a space, excluding known safe processes and paths, thus highlighting potential masquerading attempts.
 64
 65### Possible investigation steps
 66
 67- Review the process creation event details to identify the full path and name of the executable with a space appended. This can help determine if the file is located in a suspicious or unusual directory.
 68- Check the process.parent.args field to understand the parent process that initiated the execution. This can provide context on whether the execution was part of a legitimate process chain or potentially malicious activity.
 69- Investigate the user account associated with the process creation event to determine if the account has a history of executing similar files or if it has been compromised.
 70- Examine the file's true type and hash to verify its legitimacy and check against known malicious file databases or threat intelligence sources.
 71- Look for any additional process events or network activity associated with the suspicious executable to identify potential lateral movement or data exfiltration attempts.
 72- Cross-reference the event with any recent alerts or incidents involving the same host or user to identify patterns or ongoing threats.
 73
 74### False positive analysis
 75
 76- Processes like "ls", "find", "grep", and "xkbcomp" are known to be safe and can be excluded from triggering the rule by adding them to the exception list.
 77- Executables located in directories such as "/opt/nessus_agent/*", "/opt/gitlab/sv/gitlab-exporter/*", and "/tmp/ansible-admin/*" are typically non-threatening and should be excluded to prevent false positives.
 78- Parent processes with arguments like "./check_rubrik", "/usr/bin/check_mk_agent", "/etc/rubrik/start_stop_bootstrap.sh", and "/etc/rubrik/start_stop_agent.sh" are generally safe and can be added to the exclusion list to avoid unnecessary alerts.
 79- Regularly review and update the exception list to ensure that only verified safe processes and paths are excluded, maintaining the effectiveness of the detection rule.
 80
 81### Response and remediation
 82
 83- Immediately isolate the affected system from the network to prevent further execution or spread of the potentially malicious file.
 84- Terminate any suspicious processes identified by the detection rule to halt any ongoing malicious activity.
 85- Conduct a forensic analysis of the file with the appended space to determine its true file type and origin, using tools like file command or hex editors.
 86- Remove the malicious file from the system and any other locations it may have been copied to, ensuring complete eradication.
 87- Review and update endpoint protection settings to block execution of files with suspicious naming conventions, such as those ending with a space.
 88- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to assess potential impacts on other systems.
 89- Implement additional monitoring for similar masquerading attempts by enhancing logging and alerting mechanisms to detect files with unusual naming patterns."""
 90
 91[[rule.threat]]
 92framework = "MITRE ATT&CK"
 93
 94[[rule.threat.technique]]
 95id = "T1036"
 96name = "Masquerading"
 97reference = "https://attack.mitre.org/techniques/T1036/"
 98
 99[[rule.threat.technique.subtechnique]]
100id = "T1036.006"
101name = "Space after Filename"
102reference = "https://attack.mitre.org/techniques/T1036/006/"
103
104[rule.threat.tactic]
105id = "TA0005"
106name = "Defense Evasion"
107reference = "https://attack.mitre.org/tactics/TA0005/"