Skip to content

DET0292 Masquerading via Space After Filename - Behavioral Detection Strategy

Item Value
ID DET0292
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1036.006 (Space after Filename)

Analytics

Linux

AN0812

Detection of file execution where the file name contains a trailing space to masquerade as a known executable. Adversaries may exploit the way command line interpreters handle file names with trailing whitespace.

Log Sources
Data Component Name Channel
Process Creation (DC0032) auditd:SYSCALL execve
File Metadata (DC0059) linux:syslog application or system execution logs
Mutable Elements
Field Description
ExecutableNameTrailingSpace This detection may vary based on how different shells and file systems treat trailing spaces. Normalize or regex-match file names with trailing space.
UserContext Monitor for untrusted or lower-privileged users executing suspicious scripts with disguised names.
TimeWindow Tune for execution patterns during off-hours to reduce false positives.

macOS

AN0813

Execution of renamed or dropped files with a trailing space to deceive users or analysts, especially in LaunchAgents or LaunchDaemons.

Log Sources
Data Component Name Channel
Process Creation (DC0032) macos:unifiedlog process events
File Access (DC0055) fs:fsusage filesystem activity
Mutable Elements
Field Description
FilenamePattern Tunable regex or path rule to match common masquerade attempts (e.g., ‘Terminal .app’).
TargetPath Analytic can be scoped to key directories (e.g., /Users/Library/LaunchAgents/).
UserContext Focus detection on suspicious user sessions or service creation under non-admin users.