Detection of file execution where the file name contains a trailing space to masquerade as a known executable. Adversaries may exploit the way command line interpreters handle file names with trailing whitespace.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| File Metadata (DC0059) | linux:syslog | application or system execution logs |

| Field | Description |
|---|---|
| ExecutableNameTrailingSpace | This detection may vary based on how different shells and file systems treat trailing spaces. Normalize or regex-match file names with trailing space. |
| UserContext | Monitor for untrusted or lower-privileged users executing suspicious scripts with disguised names. |
| TimeWindow | Tune for execution patterns during off-hours to reduce false positives. |
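The Linux analytic above, worked through on the auditd `execve` channel as an added example (this is not part of the original page and not an ATT&CK reference implementation). The one normalization step that matters in practice is shown: auditd hex-encodes string fields such as `exe`, `comm` and `a0` whenever the value contains whitespace, so a trailing space never appears literally in the raw log and a naive `exe=".* "` match silently misses it. The sample records and the field allow-list are constructed assumptions; the `uid`/`auid` values are carried into each hit so the UserContext element can be applied on top.

```python
import re
from dataclasses import dataclass

# Constructed auditd records (not from the page). Event 501 runs /usr/bin/ls;
# event 502 runs "/tmp/ls " (trailing space). Because the value contains a
# space, auditd emits exe=, comm= and a0= as unquoted hex rather than text.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1201 auid=1000 uid=1000 gid=1000 comm="ls" exe="/usr/bin/ls" key="exec"
type=EXECVE msg=audit(1700000000.101:501): argc=1 a0="ls"
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1202 auid=1000 uid=1000 gid=1000 comm=6C7320 exe=2F746D702F6C7320 key="exec"
type=EXECVE msg=audit(1700000000.202:502): argc=1 a0=2F746D702F6C7320
"""

# Only these "untrusted string" fields are hex-encoded by auditd. Numeric
# fields (pid, uid, ...) also look like valid hex, so decoding must be
# restricted to this allow-list (an assumption of this example).
HEX_ENCODED_FIELDS = re.compile(r"^(comm|exe|cwd|name|proctitle|a\d+)$")
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+)\.\d+:(\d+)\)")
TRAILING_WS_RE = re.compile(r"[ \t]+$")


@dataclass
class Hit:
    event_id: str
    timestamp: int
    uid: str
    auid: str
    field: str
    raw_value: str
    normalized: str


def decode_value(field, value):
    """Return the decoded string for one key=value pair of an audit record."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if (HEX_ENCODED_FIELDS.match(field) and len(value) % 2 == 0
            and re.fullmatch(r"[0-9A-Fa-f]+", value)):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """Parse one audit record into decoded fields plus the audit event id/time."""
    fields = {k: decode_value(k, v) for k, v in FIELD_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["_ts"] = int(m.group(1))
        fields["_id"] = m.group(2)
    return fields


def find_trailing_space_exec(log_text):
    """Return one Hit per exe/argv[0] value that ends in whitespace.

    SYSCALL records carry uid/auid, EXECVE records carry argv; both share the
    audit event id, which is used to attach user context to the EXECVE hit.
    """
    hits = []
    syscall_ctx = {}  # audit event id -> SYSCALL record
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "_id" not in rec:
            continue
        if rec.get("type") == "SYSCALL":
            syscall_ctx[rec["_id"]] = rec
            candidates = [("exe", rec.get("exe", ""))]
        elif rec.get("type") == "EXECVE":
            candidates = [("a0", rec.get("a0", ""))]
        else:
            continue
        ctx = syscall_ctx.get(rec["_id"], rec)
        for field, value in candidates:
            if value and TRAILING_WS_RE.search(value):
                hits.append(Hit(
                    event_id=rec["_id"], timestamp=rec["_ts"],
                    uid=ctx.get("uid", "?"), auid=ctx.get("auid", "?"),
                    field=field, raw_value=value,
                    normalized=value.rstrip(" \t"),
                ))
    return hits


if __name__ == "__main__":
    for h in find_trailing_space_exec(SAMPLE_AUDIT_LOG):
        print(f"event {h.event_id} ts={h.timestamp} uid={h.uid} auid={h.auid} "
              f"{h.field}={h.raw_value!r} -> normalized {h.normalized!r}")
```

The `normalized` value is what an analyst compares against the list of known executables to confirm the masquerade; the raw value is kept so the exact on-disk name can be located for response.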
Execution of renamed or dropped files with a trailing space to deceive users or analysts, especially in LaunchAgents or LaunchDaemons.

| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | macos:unifiedlog | process events |
| File Access (DC0055) | fs:fsusage | filesystem activity |

| Field | Description |
|---|---|
| FilenamePattern | Tunable regex or path rule to match common masquerade attempts (e.g., 'Terminal .app'). |
| TargetPath | Analytic can be scoped to key directories (e.g., /Users/Library/LaunchAgents/). |
| UserContext | Focus detection on suspicious user sessions or service creation under non-admin users. |
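The macOS analytic above, worked through as an added example that is not part of the original page: it applies the FilenamePattern and TargetPath elements to launchd job definitions, flagging a job whose `Program` or `ProgramArguments[0]` contains a path component with a space before its extension (`Terminal .app`) or at its end (`Terminal `). The scope regex, the pattern and the plist contents are constructed assumptions; the plists are built in memory with `plistlib` so the example runs offline, and in deployment the same `scan_launch_jobs` would be fed the real files from the LaunchAgents and LaunchDaemons directories.

```python
import plistlib
import re

# TargetPath as an assumed scope rule: user and system LaunchAgents/LaunchDaemons.
SCOPE_RE = re.compile(r"^(/Users/[^/]+)?/Library/Launch(Agents|Daemons)/[^/]+\.plist$")
# FilenamePattern as an assumed regex: whitespace before an extension or at the end
# of a single path component ("Terminal .app", "Terminal ").
MASQ_RE = re.compile(r"(\s+\.[A-Za-z0-9]+|\s+)$")

# Constructed sample jobs (plist path, plist bytes); not from the page.
SAMPLE_JOBS = [
    ("/Users/alice/Library/LaunchAgents/com.example.updater.plist",
     plistlib.dumps({"Label": "com.example.updater",
                     "ProgramArguments": ["/usr/local/bin/updater", "--check"]})),
    ("/Users/alice/Library/LaunchAgents/com.apple.terminal.plist",
     plistlib.dumps({"Label": "com.apple.terminal",
                     "ProgramArguments": ["/Users/alice/Library/Terminal .app/Contents/MacOS/Terminal ", "-n"]})),
    # Same trick, but outside the scoped directories: filtered by TargetPath.
    ("/tmp/com.example.test.plist",
     plistlib.dumps({"Label": "out.of.scope", "Program": "/tmp/test "})),
]


def masquerading_components(path):
    """Return the components of a POSIX path that match the masquerade pattern."""
    return [c for c in path.split("/") if c and MASQ_RE.search(c)]


def program_paths(plist_bytes):
    """Return the executable path(s) launchd will run: Program, then ProgramArguments[0]."""
    job = plistlib.loads(plist_bytes)
    paths = []
    if isinstance(job.get("Program"), str):
        paths.append(job["Program"])
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def scan_launch_jobs(jobs):
    """Scan (plist_path, plist_bytes) pairs; return findings for in-scope jobs only."""
    findings = []
    for plist_path, data in jobs:
        if not SCOPE_RE.match(plist_path):
            continue
        label = plistlib.loads(data).get("Label", "?")
        for exe in program_paths(data):
            bad = masquerading_components(exe)
            if bad:
                findings.append({"plist": plist_path, "label": label,
                                 "program": exe, "components": bad})
    return findings


if __name__ == "__main__":
    for f in scan_launch_jobs(SAMPLE_JOBS):
        print(f"{f['plist']} ({f['label']}): {f['program']!r} -> {f['components']}")
```

Matching on individual path components rather than on the whole string is what catches the `Terminal .app` bundle-name variant in addition to the plain trailing space; the UserContext element is applied by checking the `/Users/<name>/` prefix of the plist path, which the scope regex already captures.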