Detection rules › Sigma
Suspicious LNK Command-Line Padding with Whitespace Characters
Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D). Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary. The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks. This rule flags suspicious use of such padding observed in real-world attacks.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Execution | T1204.002 User Execution: Malicious File |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Sysmon | 1 | Process creation |
Stages and Predicates
Stage 1: all of selection_img
or:
ParentCommandLine|contains: .lnk
ParentImage|endswith: '\explorer.exe'
Stage 2: all of selection_cmd
or:
CommandLine|contains: ' '
CommandLine|contains: '\u0009'
CommandLine|contains: '\u000A'
CommandLine|contains: '\u000B'
CommandLine|contains: '\u000C'
CommandLine|contains: '\u000D'
CommandLine|contains: '\u0011'
CommandLine|contains: '\u0012'
CommandLine|contains: '\u0013'
CommandLine|re: '\n\n\n\n\n\n'
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
CommandLine | match |
|
CommandLine | regex_match |
|
ParentCommandLine | match |
|
ParentImage | ends_with |
|