
Summary
This detection rule identifies adversarial behavior in which trailing space characters are appended to process names so that the file name no longer matches what standard file handling or detection logic expects. The rule targets process start events and checks whether the process name matches a pattern ending in a trailing space. Written in Elastic's EQL query language, it captures process executions that may be an attempt at masquerading as defined by the MITRE ATT&CK framework. The technique falls under the Defense Evasion tactic, specifically the Space after Filename sub-technique (T1036.006), which aims to bypass security measures designed to detect malicious executions. The rule applies to Linux and macOS environments and integrates with various Elastic products to enhance threat detection capabilities.
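The check the summary describes, reimplemented here as an added Python example rather than the Elastic rule's own EQL: it walks a list of process start events and flags any whose process name ends in one or more space characters. The event shape (an ECS-like dictionary with `event.action` and `process.name`), the set of actions treated as process starts, and the sample events themselves are constructed assumptions for illustration.

```python
"""Detect process names with a trailing space (MITRE ATT&CK T1036.006).

Added example, not the Elastic detection rule itself. The events below are
constructed sample data in a simplified ECS-like shape.
"""
import re
from typing import Any, Dict, Iterable, List

# Assumption: these event.action values denote a process start on Linux/macOS
# endpoint data; adjust to the field values your data source actually emits.
START_ACTIONS = {"exec", "start"}

# One or more ASCII space characters at the very end of the name. A tab or
# other whitespace is deliberately not matched: the sub-technique is
# specifically "Space after Filename".
TRAILING_SPACE = re.compile(r" +$")

# Constructed sample events.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"event": {"action": "exec"},
     "process": {"name": "bash", "executable": "/bin/bash"}},
    # Masquerading: the binary is named to look like a document, with a trailing space.
    {"event": {"action": "exec"},
     "process": {"name": "report.pdf ", "executable": "/tmp/report.pdf "}},
    # Trailing space, but a process end event, so out of scope for the rule.
    {"event": {"action": "end"},
     "process": {"name": "ls ", "executable": "/tmp/ls "}},
    # Trailing tab, not a space; a different (and not matched) pattern.
    {"event": {"action": "exec"},
     "process": {"name": "notes.txt\t", "executable": "/tmp/notes.txt\t"}},
]


def is_process_start(event: Dict[str, Any]) -> bool:
    """True when the event represents a process starting."""
    return event.get("event", {}).get("action") in START_ACTIONS


def has_trailing_space(name: str) -> bool:
    """True when the process name ends with at least one space character."""
    return TRAILING_SPACE.search(name) is not None


def find_masquerading(events: Iterable[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return one finding per process start event whose name has a trailing space.

    Each finding records the raw name (so the trailing space is visible to an
    analyst) and the executable path for triage.
    """
    findings: List[Dict[str, str]] = []
    for event in events:
        if not is_process_start(event):
            continue
        proc = event.get("process", {})
        name = proc.get("name", "")
        if has_trailing_space(name):
            findings.append({
                "technique": "T1036.006",
                "name": repr(name),  # repr keeps the trailing space visible
                "executable": proc.get("executable", ""),
            })
    return findings


if __name__ == "__main__":
    for finding in find_masquerading(SAMPLE_EVENTS):
        print(finding)
```

Running the block prints a single finding for the constructed `report.pdf ` event; the `end` event and the tab-terminated name are not reported, which mirrors the rule's scope of process start events and space characters only.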
Categories
- Endpoint
- Linux
- macOS
Data Sources
- Process
- Logon Session
- File
ATT&CK Techniques
- T1036
- T1036.006
Created: 2023-08-24