Whitespace Padding in Process Command Line

Identifies process execution events whose command line contains a long run of space characters, or several separate runs of contiguous spaces. Attackers may pad a malicious command with unnecessary whitespace so that signature-based detections matching on the expected command-line string no longer fire, while the padded command still executes identically. These observations should be investigated for malicious behavior.

Rule type: eql

Rule indices:

  • winlogbeat-*
  • logs-endpoint.events.*
  • logs-windows.*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: now-9m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Host
  • Windows
  • Threat Detection
  • Defense Evasion

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

## Triage and analysis

- Analyze the command line of the process in question for evidence of malicious code execution.
- Review the ancestor and child processes spawned by the process in question for indicators of further malicious code execution.

Rule query

process where event.type in ("start", "process_started") and
  (
    process.command_line regex ".*[ ]{20,}.*" or

    /* matches 3 or more occurrences of 5+ contiguous spaces; nothing forces the
       occurrences to be separated by non-space text, so a single run of 15 or
       more spaces also satisfies this pattern */
    process.command_line regex ".*(.*[ ]{5,}[^ ]*){3,}.*"
  )

In EQL, `and` binds more tightly than `or`, so without the parentheses the `event.type` guard would apply only to the first regex and the second would also fire on other process events (for example process end events that carry the same command line), producing duplicate alerts. EQL's `regex` operator matches the whole field value, which is why each pattern is wrapped in `.*`. Both patterns use `[ ]`, a literal ASCII space: padding made of tabs or other whitespace characters is not caught by this rule.
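To see what the two patterns actually match, the following Python example (added here; not part of the rule or of Elastic's code) replays the rule's logic over a handful of constructed process events. It uses `re.fullmatch()` to reproduce EQL's whole-string regex matching, adds an explicit space-run count that makes the same decision as the second pattern without nested-quantifier backtracking, and applies the start-event guard to both clauses. The `ProcessEvent` shape and the sample command lines are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two patterns from the rule. EQL's regex operator matches the whole
# field value, which is why each is wrapped in ".*"; re.fullmatch() gives
# the same anchoring. "[ ]" is a literal ASCII space, so tabs and other
# whitespace are not counted by either pattern.
LONG_RUN = re.compile(r".*[ ]{20,}.*")
MULTI_RUN = re.compile(r".*(.*[ ]{5,}[^ ]*){3,}.*")

START_TYPES = {"start", "process_started"}


@dataclass
class ProcessEvent:
    """Minimal stand-in for an ECS process event (constructed for this example)."""
    event_type: str
    command_line: str


def regex_clause(command_line: str) -> Optional[str]:
    """Evaluate the rule's two regex clauses in order; return the first that fires."""
    if LONG_RUN.fullmatch(command_line):
        return "long_run"
    if MULTI_RUN.fullmatch(command_line):
        return "multi_run"
    return None


def counted_clause(command_line: str) -> Optional[str]:
    """Same decision as regex_clause, computed from the lengths of space runs.

    Each repetition of the second pattern's group consumes at least five
    contiguous spaces, and nothing forces the groups to be separated by
    non-space text, so the pattern fires whenever the runs can supply three
    or more disjoint blocks of five spaces: sum(len // 5) >= 3. This form
    cannot backtrack catastrophically on long, almost-matching inputs.
    """
    runs = [len(run) for run in re.findall(r" +", command_line)]
    if any(run >= 20 for run in runs):
        return "long_run"
    if sum(run // 5 for run in runs) >= 3:
        return "multi_run"
    return None


def evaluate(events: List[ProcessEvent]) -> List[Tuple[str, str]]:
    """Apply the rule with the start-event guard covering both clauses.

    If the guard covered only the first clause, the padded command line
    below would alert again on its process end event.
    """
    hits = []
    for event in events:
        if event.event_type not in START_TYPES:
            continue
        clause = regex_clause(event.command_line)
        if clause is not None:
            hits.append((event.command_line, clause))
    return hits


# Constructed sample events; the command lines are illustrative only.
PADDED = "cmd.exe /c" + " " * 24 + "whoami"
SAMPLE_EVENTS = [
    ProcessEvent("start", PADDED),
    ProcessEvent("end", PADDED),  # same command line on process exit
    ProcessEvent("start", "powershell.exe -nop" + " " * 5 + "-w" + " " * 5
                 + "hidden" + " " * 5 + "-c x"),
    ProcessEvent("start", "notepad.exe C:\\notes.txt"),
    ProcessEvent("start", "a" + "\t" * 30 + "b"),  # tab padding: not caught
]

if __name__ == "__main__":
    for command_line, clause in evaluate(SAMPLE_EVENTS):
        print(f"{clause:9s} {command_line!r}")
```

Running the block prints one `long_run` hit for the padded `cmd.exe` start event and one `multi_run` hit for the PowerShell line; the end event, the ordinary `notepad.exe` line and the tab-padded line produce nothing. A single run of 15 to 19 spaces also fires the second clause even though it never reaches the first clause's threshold of 20.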

Framework: MITRE ATT&CK™
