Execution Of File With Spaces Before Extension

Description

This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Malware

Alert Volume

This search looks for processes launched from files with at least five spaces in the name before the extension. This is typically done to obfuscate the file extension by pushing it outside of the default view.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Masquerading

Masquerading

MITRE Threat Groups

APT32
BRONZE BUTLER
Dragonfly 2.0
Windshift
menuPass

Kill Chain Phases

Actions On Objectives

Data Sources

Endpoint Detection and Response

   Help

Execution Of File With Spaces Before Extension Help

To successfully implement this search, you must be ingesting data that records process activity from your hosts to populate the endpoint data model in the processes node. If you are using Sysmon, you must have at least version 6.0.4 of the Sysmon TA.

   Search

Open in Search