Processes with Trailing Spaces
Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.
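[metadata]
creation_date = "2023/08/24"
integration = ["endpoint", "auditd_manager"]
maturity = "production"
updated_date = "2024/12/24"

[rule]
author = ["Elastic"]
description = """
Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity
to evade default file handling mechanisms.
"""
# Look-back window applied on each rule execution.
from = "now-9m"
index = ["logs-endpoint.events.*", "endgame-*", "auditbeat-*", "logs-auditd_manager.auditd-*"]
language = "eql"
license = "Elastic License v2"
name = "Processes with Trailing Spaces"
risk_score = 21
rule_id = "0c093569-dff9-42b6-87b1-0242d9f7d9b4"
severity = "low"
tags = [
  "Domain: Endpoint",
  "OS: Linux",
  "OS: macOS",
  "Use Case: Threat Detection",
  "Tactic: Defense Evasion",
  "Data Source: Elastic Defend",
  "Data Source: Elastic Endgame",
  "Data Source: Auditd Manager",
]
# Evaluate the look-back window against ingestion time rather than the
# event's own timestamp, so events that are indexed late are still seen.
timestamp_override = "event.ingested"
type = "eql"
# Matches process start events whose process.name ends in a space.
# `:` is EQL's case-insensitive wildcard match, so "* " is any name with
# at least one trailing space (ATT&CK T1036.006). Only process.name is
# inspected; the same trick applied to a file that is opened rather than
# executed is outside this rule's scope. The match relies on each data
# source preserving trailing whitespace in process.name — confirm this
# per integration before depending on the rule.
query = '''
process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
process.name : "* "
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1036"
name = "Masquerading"
reference = "https://attack.mitre.org/techniques/T1036/"

[[rule.threat.technique.subtechnique]]
id = "T1036.006"
name = "Space after Filename"
reference = "https://attack.mitre.org/techniques/T1036/006/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"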
Related rules
- Tampering of Shell Command-Line History
- Trap Signals Execution
- Curl or Wget Spawned via Node.js
- Kernel Load or Unload via Kexec Detected
- Attempt to Clear Logs via Journalctl