Processes with Trailing Spaces

Elastic Stack Serverless Security

Identify instances where adversaries include trailing space characters to mimic regular files, disguising their activity to evade default file handling mechanisms.

Rule type: eql

Rule indices:

• logs-endpoint.events.*
• endgame-*
• auditbeat-*
• logs-auditd_manager.auditd-*

Severity: low

Risk score: 21

Runs every: 60m

Searches indices from: now-119m (https://www.elastic.co/guide/en/elasticsearch/reference/current/common-options.html#date-math[Date Math format], see also Additional look-back time)

Maximum alerts per execution: 100

References: None

Tags:

• Domain: Endpoint
• OS: Linux
• OS: macOS
• Use Case: Threat Detection
• Tactic: Defense Evasion
• Rule Type: BBR
• Data Source: Elastic Defend
• Data Source: Elastic Endgame
• Data Source: Auditd Manager

Version: 2

Rule authors:

• Elastic

Rule license: Elastic License v2

process where event.type == "start" and event.action in ("exec", "exec_event", "executed", "process_started") and
process.name : "* "

Framework: MITRE ATT&CKTM

• Tactic:

  • Name: Defense Evasion
  • ID: TA0005
  • Reference URL: https://attack.mitre.org/tactics/TA0005/

• Technique:

  • Name: Masquerading
  • ID: T1036
  • Reference URL: https://attack.mitre.org/techniques/T1036/

• Sub-technique:

  • Name: Space after Filename
  • ID: T1036.006
  • Reference URL: https://attack.mitre.org/techniques/T1036/006/