From d175aaa74b51c934224d0869081a1c84651aa09e Mon Sep 17 00:00:00 2001
From: swachchhanda000
Date: Wed, 19 Mar 2025 22:28:52 +0545
Subject: [PATCH 1/2] Addded rule for LNK Command-Line Padding with Whitespace Characters
---
 ..._creation_win_susp_lnk_exec_hidden_cmd.yml | 41 +++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml
new file mode 100644
index 00000000000..3d0064d18b1
--- /dev/null
+++ b/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml
@@ -0,0 +1,41 @@
+title: Suspicious LNK Command-Line Padding with Whitespace Characters
+id: dd8756e7-a3a0-4768-b47e-8f545d1a751c
+status: experimental
+description: |
+ Detects exploitation of LNK file command-line length discrepancy, where attackers hide malicious commands beyond the 260-character UI limit while the actual command-line argument field supports 4096 characters using whitespace padding (e.g., 0x20, 0x09-0x0D).
+ Adversaries insert non-printable whitespace characters (e.g., Line Feed \x0A, Carriage Return \x0D) to pad the visible section of the LNK file, pushing malicious commands past the UI-visible boundary.
+ The hidden payload, executed at runtime but invisible in Windows Explorer properties, enables stealthy execution and evasion—commonly used for social engineering attacks.
+ This rule flags suspicious use of such padding observed in real-world attacks.
+references:
+ - https://syedhasan010.medium.com/forensics-analysis-of-an-lnk-file-da68a98b8415
+ - https://thehackernews.com/2025/03/unpatched-windows-zero-day-flaw.html
+ - https://www.trendmicro.com/en_us/research/25/c/windows-shortcut-zero-day-exploit.html
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-03-19
+tags:
+ - attack.initial-access
+ - attack.execution
+ - attack.t1204.002
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - ParentImage|endswith: '\explorer.exe'
+ - ParentCommandLine|contains: '.lnk'
+ selection_cmd:
+ - CommandLine|contains:
+ - ' ' # Padding of SPACE (0x20)
+ - ' ' # Horizontal Tab (0x9)
+ - '\u000A' # Line Feed
+ - '\u0011'
+ - '\u0012'
+ - '\u0013'
+ - '\u000B' # Vertical Tab
+ - '\u000C' # \x0C
+ - '\u000D' # \x0D
+ - CommandLine|re: '\n\n\n\n\n\n' # In some cases \u000[ABCD] are represented as a newline in the eventlog
+ condition: all of selection_*
+falsepositives:
+ - Unknown
+level: high
From f001c9a18f56a016ead10170d25708e97b2158f5 Mon Sep 17 00:00:00 2001
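Review bot: The `CommandLine|contains` entries `'\u000A'`, `'\u0011'`, `'\u0012'`, `'\u0013'`, `'\u000B'`, `'\u000C'` and `'\u000D'` are single-quoted YAML scalars, so each is the literal six-character text `\u000A` and so on rather than the control character the inline comments name, and Sigma does not interpret `\u` either, so these entries only match logs that render control bytes in that escaped textual form while the `re` entry `'\n\n\n\n\n\n'` does reach the real line feed through the regex engine. If the raw characters are the intent, double quotes produce them, e.g. `- "\u000A"  # Line Feed (0x0A, raw control character)`; if the escaped rendering is the intent, say so in a comment on the list so the next reader does not assume the two clauses cover the same data, and the `'\u0009'` entry added in the second patch has the same property. The `\u0011`–`\u0013` entries also fall outside the 0x09–0x0D whitespace range the description gives and carry no comment, so it is not clear from the rule whether they are meant to be there. The width of the SPACE padding entry is not recoverable from this rendering; if it is only a few spaces, every command line with arguments matches, so the intended run length should be stated in its comment (e.g. `# N consecutive spaces`).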
From: swachchhanda000
Date: Wed, 19 Mar 2025 22:38:52 +0545
Subject: [PATCH 2/2] added comment on horizontal tab
---
 .../proc_creation_win_susp_lnk_exec_hidden_cmd.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml b/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml
index 3d0064d18b1..988b7d8f47d 100644
--- a/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml
+++ b/rules/windows/process_creation/proc_creation_win_susp_lnk_exec_hidden_cmd.yml
@@ -26,7 +26,8 @@ detection:
 selection_cmd:
 - CommandLine|contains:
 - ' ' # Padding of SPACE (0x20)
- - ' ' # Horizontal Tab (0x9)
+ # - ' ' # Horizontal Tab (0x9)
+ - '\u0009'
 - '\u000A' # Line Feed
 - '\u0011'
 - '\u0012'
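Review bot: The commented-out `# - ' ' # Horizontal Tab (0x9)` line is dead content kept next to its replacement and the new `'\u0009'` entry has no comment of its own, which is what the commit subject says it adds. Drop the commented-out line and move the explanation onto the live entry, `- '\u0009'  # Horizontal Tab (0x09), matched in escaped textual form`. The enclosing `selection_cmd` list continues past this hunk.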