Windows Explorer LNK Exploit Process Launch With Padding

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes with abnormally large padding (50 or more spaces) in the command line. This specific pattern is a key indicator of the ZDI-CAN-25373 Windows shortcut zero-day vulnerability exploitation, where threat actors craft malicious LNK files containing padded content to trigger code execution. The excessive spacing in the command line is used to manipulate the way Windows processes the shortcut file, enabling arbitrary code execution. This technique has been actively exploited by multiple APT groups in targeted attacks, with malicious LNK files being delivered through both HTTP and SMB protocols. The presence of significant command line padding when Explorer.exe launches command shells is highly suspicious and warrants immediate investigation.