
Summary
This detection rule identifies suspicious child processes spawned by explorer.exe whose command-line arguments contain excessive whitespace or non-printable control characters. Attackers use such command-line padding to push the real command out of view, particularly when LNK files are used to execute malicious payloads undetected. The rule uses a Splunk query over endpoint process events to find cases where explorer.exe launches a process with anomalously padded command-line arguments; this behavior is associated with known techniques for hiding malicious user execution. The detection relies on Sysmon or EDR (Endpoint Detection and Response) logs for faithful command-line data, because other log sources may sanitize or normalize the command line and drop the very whitespace and control characters the rule looks for. Organizations running a different EDR solution should validate that their logging configuration captures the raw command line, and should test the rule against the specific threat to confirm that log sanitization does not hinder detection.
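As an added illustration (not part of the rule or its project), the following Python mirrors the rule's logic over constructed Sysmon-style process events and shows how a log source that collapses whitespace defeats it. The thresholds, the field names (parent_process_name, process_name, process, as in Splunk's Endpoint datamodel) and all sample values are assumptions.

```python
import re

# Thresholds are assumptions for this example, not values taken from the rule.
MIN_PAD_RUN = 20  # consecutive spaces/tabs treated as deliberate padding
PAD_RUN = re.compile(r"[ \t]{%d,}" % MIN_PAD_RUN)
# Control characters a genuine command line essentially never carries
# (tab, LF and CR are excluded because some launchers legitimately emit them).
CONTROL_CHARS = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")

def padding_indicators(cmdline: str) -> list[str]:
    """Return the reasons a command line looks padded (empty list if none)."""
    reasons = []
    run = PAD_RUN.search(cmdline)
    if run:
        reasons.append(f"whitespace_run={len(run.group(0))}")
    ctrl = len(CONTROL_CHARS.findall(cmdline))
    if ctrl:
        reasons.append(f"control_chars={ctrl}")
    return reasons

def detect(events: list[dict]) -> list[tuple[dict, list[str]]]:
    """explorer.exe children whose full command line shows padding; field
    names (parent_process_name, process) follow Splunk's Endpoint datamodel."""
    hits = []
    for ev in events:
        if ev.get("parent_process_name", "").lower() == "explorer.exe":
            reasons = padding_indicators(ev.get("process", ""))
            if reasons:
                hits.append((ev, reasons))
    return hits

def lossy_normalize(ev: dict) -> dict:
    """Simulate a log source that collapses whitespace and strips control
    characters before forwarding: the sanitization the rule warns about."""
    clean = " ".join(CONTROL_CHARS.sub("", ev["process"]).split())
    return {**ev, "process": clean}

# Constructed sample events (hypothetical user, host and file names).
SAMPLE_EVENTS = [
    {"parent_process_name": "explorer.exe", "process_name": "notepad.exe",
     "process": r"notepad.exe C:\Users\alice\notes.txt"},
    {"parent_process_name": "explorer.exe", "process_name": "cmd.exe",
     "process": "cmd.exe /c" + " " * 300 + "example_stage.exe"},
    {"parent_process_name": "explorer.exe", "process_name": "powershell.exe",
     "process": "powershell.exe\x0b\x0b\x0c-File example.ps1"},
    {"parent_process_name": "cmd.exe", "process_name": "cmd.exe",  # wrong parent
     "process": "cmd.exe /c" + " " * 300 + "example_stage.exe"},
]
```

Running detect over SAMPLE_EVENTS flags the two padded explorer.exe children and ignores the same padding under a cmd.exe parent; after lossy_normalize nothing is flagged, which is the gap the rule's note on Sysmon/EDR logging describes.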
Categories
- Endpoint
- Windows
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1059
- T1204.002
Created: 2025-04-04