From e449f4510cd74e06aa3a04dccbbbe8a85d40654d Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 30 Jun 2025 11:05:33 +0100
Subject: [PATCH 1/8] Create
 defense_evasion_whitespace_padding_command_line.toml

---
 ...asion_whitespace_padding_command_line.toml | 127 ++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 rules/windows/defense_evasion_whitespace_padding_command_line.toml

diff --git a/rules/windows/defense_evasion_whitespace_padding_command_line.toml b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
new file mode 100644
index 00000000000..79239fe2e5c
--- /dev/null
+++ b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
@@ -0,0 +1,127 @@
+[metadata]
+creation_date = "2025/06/30"
+integration = ["windows"]
+maturity = "production"
+updated_date = "2025/06/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies process execution events where the command line value contains a long sequence of whitespace characters or
+multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections by padding
+their malicious command with unnecessary whitespace characters. These observations should be investigated for malicious
+behavior.
+"""
+from = "now-9m"
+language = "esql"
+license = "Elastic License v2"
+name = "Command Line Obfuscation via Whitespace Padding"
+note = """## Triage and analysis
+
+### Investigating Command Line Obfuscation via Whitespace Padding
+
+This rule identifies process execution events where the command line value contains a long sequence of whitespace
+characters or multiple occurrences of contiguous whitespace. Attackers may attempt to evade signature-based detections
+by padding their malicious command with unnecessary whitespace characters.
+
+#### Possible investigation steps
+
+- Analyze the command line of the process in question for evidence of malicious code execution.
+- Investigate the process execution chain (parent process tree) for unknown processes. Examine their executable files
+for prevalence, whether they are located in expected locations, and if they are signed with valid digital signatures.
+- Investigate other alerts associated with the user/host during the past 48 hours.
+- Investigate abnormal behaviors observed by the subject process such as network connections, registry or file
+modifications, and any spawned child processes.
+- Retrieve the process executable and determine if it is malicious:
+  - Use a private sandboxed malware analysis system to perform analysis.
+    - Observe and collect information about the following activities:
+      - Attempts to contact external domains and addresses.
+      - File and registry access, modification, and creation activities.
+      - Service creation and launch activities.
+      - Scheduled tasks creation.
+  - Use the PowerShell `Get-FileHash` cmdlet to get the files' SHA-256 hash values.
+    - Search for the existence and reputation of the hashes in resources like VirusTotal, Hybrid-Analysis, CISCO Talos, Any.run, etc.
+
+### False positive analysis
+
+- Alerts derived from this rule are not inherently malicious. Analysts can dismiss the alert if they don't find enough
+evidence of further suspicious activity.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Isolate the involved host to prevent further post-compromise behavior.
+- If the triage identified malware, search the environment for additional compromised hosts.
+  - Implement temporary network rules, procedures, and segmentation to contain the malware.
+  - Stop suspicious processes.
+  - Immediately block the identified indicators of compromise (IoCs).
+  - Inspect the affected systems for additional malware backdoors like reverse shells, reverse proxies, or droppers that
+  attackers could use to reinfect the system.
+- Remove the malicious certificate from the root certificate store.
+- Remove and block malicious artifacts identified during triage.
+- Run a full antimalware scan. This may reveal additional artifacts left in the system, persistence mechanisms, and
+malware components.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are
+identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business
+systems, and web services.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection through the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
+mean time to respond (MTTR).
+"""
+risk_score = 73
+rule_id = "5a876e0d-d39a-49b9-8ad8-19c9b622203b"
+severity = "high"
+tags = [
+    "Domain: Endpoint",
+    "OS: Windows",
+    "Use Case: Threat Detection",
+    "Tactic: Defense Evasion",
+    "Tactic: Execution",
+]
+timestamp_override = "event.ingested"
+type = "esql"
+
+query = '''
+FROM logs-* metadata _id, _version, _index 
+| where event.category == "process" and event.type == "start" 
+// more than 100 spaces in process.command_line
+| eval multi_spaces = LOCATE(process.command_line, space(100)) 
+| where multi_spaces > 0 
+| keep user.name, host.id, host.name, process.command_line
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1027"
+name = "Obfuscated Files or Information"
+reference = "https://attack.mitre.org/techniques/T1027/"
+
+[[rule.threat.technique]]
+id = "T1140"
+name = "Deobfuscate/Decode Files or Information"
+reference = "https://attack.mitre.org/techniques/T1140/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1059"
+name = "Command and Scripting Interpreter"
+reference = "https://attack.mitre.org/techniques/T1059/"
+[[rule.threat.technique.subtechnique]]
+id = "T1059.001"
+name = "PowerShell"
+reference = "https://attack.mitre.org/techniques/T1059/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0002"
+name = "Execution"
+reference = "https://attack.mitre.org/tactics/TA0002/"

From 4f8d6902ae5795c60d2a731663b9d1751a9c6698 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 30 Jun 2025 11:07:21 +0100
Subject: [PATCH 2/8] Update
 defense_evasion_whitespace_padding_command_line.toml

---
 .../defense_evasion_whitespace_padding_command_line.toml      | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/windows/defense_evasion_whitespace_padding_command_line.toml b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
index 79239fe2e5c..abb97ce7575 100644
--- a/rules/windows/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
@@ -68,9 +68,9 @@ systems, and web services.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the
 mean time to respond (MTTR).
 """
-risk_score = 73
+risk_score = 47
 rule_id = "5a876e0d-d39a-49b9-8ad8-19c9b622203b"
-severity = "high"
+severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",

From ddbb78e93889fcaa0f1d68e6c10b3bd91501ba4a Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 30 Jun 2025 11:25:04 +0100
Subject: [PATCH 3/8] Update
 defense_evasion_whitespace_padding_command_line.toml

---
 .../defense_evasion_whitespace_padding_command_line.toml       | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/rules/windows/defense_evasion_whitespace_padding_command_line.toml b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
index abb97ce7575..fd53c8995b6 100644
--- a/rules/windows/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/windows/defense_evasion_whitespace_padding_command_line.toml
@@ -77,6 +77,7 @@ tags = [
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
     "Tactic: Execution",
+    "Resources: Investigation Guide"
 ]
 timestamp_override = "event.ingested"
 type = "esql"
@@ -87,7 +88,7 @@ FROM logs-* metadata _id, _version, _index
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 
-| keep user.name, host.id, host.name, process.command_line
+| keep user.name, host.id, host.name, process.command_line, process.executable, process.parent.executable
 '''
 
 

From d982e64f0aa887510e57578e01d4965b113a6745 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 30 Jun 2025 11:32:05 +0100
Subject: [PATCH 4/8] Update and rename
 defense_evasion_whitespace_padding_command_line.toml to
 defense_evasion_whitespace_padding_command_line.toml

---
 .../defense_evasion_whitespace_padding_command_line.toml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename rules/{windows => cross-platform}/defense_evasion_whitespace_padding_command_line.toml (98%)

diff --git a/rules/windows/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
similarity index 98%
rename from rules/windows/defense_evasion_whitespace_padding_command_line.toml
rename to rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index fd53c8995b6..7bbc2e2210f 100644
--- a/rules/windows/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/06/30"
-integration = ["windows"]
+integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike"]
 maturity = "production"
 updated_date = "2025/06/30"
 

From 6387a67a893571db56df9856b6ed47f40331ea83 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 18 Aug 2025 14:01:42 +0100
Subject: [PATCH 5/8] Update
 rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../defense_evasion_whitespace_padding_command_line.toml        | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index 7bbc2e2210f..931c6eb39ea 100644
--- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -74,6 +74,8 @@ severity = "medium"
 tags = [
     "Domain: Endpoint",
     "OS: Windows",
+    "OS: macOS",
+    "OS: Linux",
     "Use Case: Threat Detection",
     "Tactic: Defense Evasion",
     "Tactic: Execution",

From 6dce57be15fde6217d2702f008911d636b56f7f2 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 18 Aug 2025 14:02:05 +0100
Subject: [PATCH 6/8] Update
 rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml

Co-authored-by: Ruben Groenewoud <78494512+Aegrah@users.noreply.github.com>
---
 .../defense_evasion_whitespace_padding_command_line.toml    | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index 931c6eb39ea..00e65b5db73 100644
--- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -86,7 +86,11 @@ type = "esql"
 
 query = '''
 FROM logs-* metadata _id, _version, _index 
-| where event.category == "process" and event.type == "start" 
+| where event.category == "process" and (
+  (host.os.type == "windows" and event.type == "start") or
+  (host.os.type == "macos" and event.type == "start" and event.action == "exec") or
+  (host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "executed", "process_started")
+)
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 

From 2c524cfcc9bf861f4266ee0ef4f066ef4dd82279 Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 18 Aug 2025 14:11:38 +0100
Subject: [PATCH 7/8] Update
 defense_evasion_whitespace_padding_command_line.toml

---
 .../defense_evasion_whitespace_padding_command_line.toml    | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index 00e65b5db73..80791f07c49 100644
--- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -86,11 +86,7 @@ type = "esql"
 
 query = '''
 FROM logs-* metadata _id, _version, _index 
-| where event.category == "process" and (
-  (host.os.type == "windows" and event.type == "start") or
-  (host.os.type == "macos" and event.type == "start" and event.action == "exec") or
-  (host.os.type == "linux" and event.type == "start" and event.action in ("exec", "exec_event", "start", "executed", "process_started")
-)
+| where event.category == "process" and event.type == "start" and event.action != "fork"
 // more than 100 spaces in process.command_line
 | eval multi_spaces = LOCATE(process.command_line, space(100)) 
 | where multi_spaces > 0 

From 7c812da59b626c3110e2432ec73f4211126ab32a Mon Sep 17 00:00:00 2001
From: Samirbous <64742097+Samirbous@users.noreply.github.com>
Date: Mon, 18 Aug 2025 14:13:10 +0100
Subject: [PATCH 8/8] Update
 defense_evasion_whitespace_padding_command_line.toml

---
 .../defense_evasion_whitespace_padding_command_line.toml        | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
index 80791f07c49..1c3a6804e8c 100644
--- a/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
+++ b/rules/cross-platform/defense_evasion_whitespace_padding_command_line.toml
@@ -1,6 +1,6 @@
 [metadata]
 creation_date = "2025/06/30"
-integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike"]
+integration = ["endpoint", "system", "windows", "auditd_manager", "m365_defender", "crowdstrike", "sentinel_one_cloud_funnel"]
 maturity = "production"
 updated_date = "2025/06/30"