mistyped commands or legitimate binaries named to match the pattern

source: <a href=https://github.com/SigmaHQ/sigma/blob/master/rules/macos/process_creation/proc_creation_macos_space_after_filename.yml>sigma
technicques: t1036 t1036.006

Techniques

Detects attempts to masquerade as legitimate files by adding a space to the end of the filename.

condition: 1 of selection*
selection1:
  CommandLine|endswith: ' '
selection2:
  Image|endswith: ' '