Processes with Trailing Spaces
Identifies processes whose names end with a trailing space, which can make an executable look like an ordinary file while evading default file handlers.
| id: | 391c27cf-68d5-4416-9315-cdfde096a33b |
|---|---|
| categories: | detect |
| confidence: | low |
| os: | macos, linux |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Defense Evasion, Execution |
|---|---|
| techniques: | T1151 Space after Filename |
Query
process where subtype.create
and process_name == "* "
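
The query's logic applied to a handful of constructed process events, as an added example that is not part of the original analytic. The `event_type` and `pid` fields and all sample values are assumptions; the wildcard is matched case-insensitively here.

```python
import re

def wildcard_to_regex(pattern):
    """Translate an EQL-style wildcard ('*' = any run of characters) to a regex."""
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(body, re.IGNORECASE | re.DOTALL)

TRAILING_SPACE = wildcard_to_regex("* ")  # the pattern from the query

def matches_rule(event):
    # Python rendering of: process where subtype.create and process_name == "* "
    name = event.get("process_name") or ""
    return (
        event.get("event_type") == "process"   # assumed field naming the event class
        and event.get("subtype") == "create"   # subtype.create
        and TRAILING_SPACE.fullmatch(name) is not None
    )

def detect(events):
    """Return the events that the rule would flag, in input order."""
    return [e for e in events if matches_rule(e)]

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"event_type": "process", "subtype": "create", "pid": 4101, "process_name": "report.txt "},
    {"event_type": "process", "subtype": "create", "pid": 4102, "process_name": "bash"},
    # Internal space only: must not match.
    {"event_type": "process", "subtype": "create", "pid": 4103, "process_name": "my tool"},
    # Trailing tab is not a trailing space: the rule as written misses it.
    {"event_type": "process", "subtype": "create", "pid": 4104, "process_name": "update.sh\t"},
    # Right name, wrong subtype: only process creation is in scope.
    {"event_type": "process", "subtype": "terminate", "pid": 4105, "process_name": "notes.pdf "},
    {"event_type": "process", "subtype": "create", "pid": 4106, "process_name": "Invoice.PDF  "},
    # File event with a trailing-space name: not a process event.
    {"event_type": "file", "subtype": "create", "pid": 4107, "file_name": "photo.jpg "},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        # repr() makes the trailing whitespace visible to the analyst.
        print(f"ALERT pid={hit['pid']} process_name={hit['process_name']!r}")
```

Printing the name with `repr()` matters during triage, since a trailing space is invisible in most console and dashboard views.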