
Summary
This detection rule identifies instances where the Windows Explorer process (explorer.exe) spawns PowerShell or cmd.exe with an excessive amount of padding (50 or more spaces) in the command line. This behavior is consistent with exploitation of the ZDI-CAN-25373 Windows shortcut vulnerability, in which attackers craft malicious LNK files padded with whitespace characters to bypass security protections and achieve arbitrary code execution. When such a shortcut is executed, the padding manipulates how Windows interprets the command, leading to execution of the malicious payload. This method has been observed in targeted attacks by Advanced Persistent Threat (APT) groups, with the LNK files delivered over protocols such as HTTP and SMB. Consequently, significant padding in the command line of a cmd.exe or PowerShell process launched by explorer.exe is highly suspicious and merits further investigation to prevent a potential compromise.
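As an added illustration (not the rule's own query), the following Python applies the summary's logic to a few constructed process-creation events; the field names ParentImage, Image and CommandLine follow Sysmon Event ID 1 naming and are an assumption about the telemetry source being mapped.

```python
import re
from typing import Dict, Iterable, List

# Assumed telemetry fields (Sysmon-style names); map them to your own source.
PARENT_IMAGE = "explorer.exe"
CHILD_IMAGES = {"powershell.exe", "cmd.exe"}
# A run of 50 or more consecutive space characters anywhere in the command line.
PADDING_RE = re.compile(r" {50,}")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows (or POSIX) style path."""
    return re.split(r"[\\/]", path)[-1].lower()


def padding_length(command_line: str) -> int:
    """Length of the longest run of spaces in the command line (0 if none)."""
    return max((len(run) for run in re.findall(r" +", command_line)), default=0)


def is_padded_lnk_launch(event: Dict[str, str]) -> bool:
    """True when explorer.exe spawns cmd.exe/powershell.exe with >= 50 spaces of padding."""
    if _basename(event.get("ParentImage", "")) != PARENT_IMAGE:
        return False
    if _basename(event.get("Image", "")) not in CHILD_IMAGES:
        return False
    return PADDING_RE.search(event.get("CommandLine", "")) is not None


def detect(events: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return only the events that match the rule."""
    return [e for e in events if is_padded_lnk_launch(e)]


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {   # padded launch from a shortcut: should alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": '"powershell.exe"' + " " * 120 + '-c "Write-Host padded"',
    },
    {   # ordinary launch from Explorer, no padding: no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe /c dir",
    },
    {   # padded, but the parent is not Explorer: outside this rule's scope
        "ParentImage": r"C:\Windows\System32\svchost.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe" + " " * 80 + "/c dir",
    },
    {   # 49 spaces, just under the threshold: no alert
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\cmd.exe",
        "CommandLine": "cmd.exe" + " " * 49 + "/c dir",
    },
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"ALERT: {hit['Image']} padding={padding_length(hit['CommandLine'])}")
```

Only the first sample event is reported; the threshold check is on a single contiguous run of spaces, so tuning it for your environment means changing the `{50,}` quantifier.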
Categories
- Windows
- Endpoint
Data Sources
- Process
- Windows Registry
ATT&CK Techniques
- T1059.001
- T1204.002
Created: 2025-03-24