Detectionlowtest

Space After Filename - macOS

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

remotephoneCreated Sat Nov 20Updated Wed Jan 04b6e2a2e3-2d30-43b1-a4ea-071e36595690macos

Log Source

macOSProcess Creation

ProductmacOS← raw: macos

CategoryProcess Creation← raw: process_creation

Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.

Detection Logic

detection:
    selection1:
        CommandLine|endswith: ' '
    selection2:
        Image|endswith: ' '
    condition: 1 of selection*

False Positives

Mistyped commands or legitimate binaries named to match the pattern

References

MITRE ATT&CK

Tactics

Sub-techniques

Rule Metadata

Rule ID

b6e2a2e3-2d30-43b1-a4ea-071e36595690

Status

test

Level

low

Type

Detection

Created

Sat Nov 20

Modified

Wed Jan 04

Author

Path

rules/macos/process_creation/proc_creation_macos_space_after_filename.yml

Raw Tags

attack.defense-evasionattack.t1036.006