Category: Detection Engineering

  • Mind the Gap: How Spaces Sabotage Security Detections

    Mind the Gap: How Spaces Sabotage Security Detections

    When building custom detections, it’s easy to rely on spaces when matching multiple strings or arguments in a command. The problem is that this creates a simple evasion path. This weakness frequently appears in Microsoft Defender for Endpoint (MDE), Microsoft Sentinel, and Sysmon, but it can just as easily impact other tools. KQL At first…