Suspicious LNK Command-Line Padding with Whitespace Characters

Sigma Rules

Summary
This rule detects a command-line padding technique used in LNK (shortcut) files, which abuses the long command lines Windows allows. An attacker can pad the shortcut's arguments with whitespace characters so that a potentially malicious payload sits beyond the 260-character visual limit of the Windows Explorer UI, which only displays the first part of the command line. The detection looks at process creation events where the parent process is 'explorer.exe' and where the command line of the executed process contains sequences of non-printable whitespace characters (such as Line Feed, Carriage Return, and tab characters). Because this padding is typically used in social engineering and for stealthy payload execution, the rule flags any instance of the behavior for further investigation. The presence of such padding can indicate an attempt to hide a command from the user in order to circumvent security measures.
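As an added illustration (not part of this page or the rule itself), the following Python sketch applies the described logic to constructed process-creation events: it requires the parent to be explorer.exe, looks for runs of LF/CR/tab characters, and shows which part of the command line would fall past the Explorer display limit. The event field names, the minimum run length of 8 and the sample command lines are assumptions.

```python
import re
from dataclasses import dataclass


# Assumed, Sysmon-like shape of a process-creation event.
@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


# Windows Explorer shows only the first part of an LNK target's arguments;
# the page gives 260 characters as the visual limit.
VISUAL_LIMIT = 260

# A run of non-printable whitespace (LF, CR, tab). The minimum run length is
# an assumed tuning knob, not part of the rule: a lone tab is common in
# legitimate command lines, a long run of them is not.
PADDING_RUN = re.compile(r"[\t\r\n]{8,}")


def padding_runs(command_line):
    """Return (offset, length) for every padding run in the command line."""
    return [(m.start(), m.end() - m.start()) for m in PADDING_RUN.finditer(command_line)]


def hidden_portion(command_line, limit=VISUAL_LIMIT):
    """The part of the command line that lies beyond the visible limit."""
    return command_line[limit:]


def is_suspicious(event):
    """Rule logic: parent is explorer.exe and the command line carries padding runs."""
    parent = event.parent_image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return parent == "explorer.exe" and bool(padding_runs(event.command_line))


def triage(events):
    """Run the check over a batch; return (event, hidden text) for each hit."""
    return [(ev, hidden_portion(ev.command_line).strip()) for ev in events if is_suspicious(ev)]


# Constructed sample events (not real telemetry).
BENIGN = ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe",
                      r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt")
PADDED = ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe",
                      r"C:\Windows\System32\cmd.exe /c start notepad.exe" + "\r\n" * 150
                      + "& echo hidden-command-placeholder")
# Same padded command line but not launched from Explorer: outside the rule's scope.
NOT_EXPLORER = ProcessEvent(r"C:\Windows\System32\cmd.exe", PADDED.image, PADDED.command_line)

if __name__ == "__main__":
    for ev, hidden in triage([BENIGN, PADDED, NOT_EXPLORER]):
        print(f"ALERT {ev.image}: tail beyond display limit {hidden!r}")
```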
Categories
  • Windows
  • Endpoint
Data Sources
  • Process
  • Command
Created: 2025-03-19