When building custom detections, it’s easy to rely on spaces when matching multiple strings or arguments in a command. The problem is that this creates a simple evasion path. This weakness frequently appears in Microsoft Defender for Endpoint (MDE), Microsoft Sentinel, and Sysmon, but it can just as easily impact other tools.
KQL
At first glance, the output below looks like standard process command-line events. But one of them isn’t what it seems—and the difference has nothing to do with the processes being spawned by wmic.

The event that spawns explorer.exe includes extra spaces in the command line. While these spaces appear stripped out in the Advanced Hunting views of Microsoft Defender for Endpoint and Microsoft Sentinel—making them invisible at first glance—they still affect how the data can be queried.

In the example below, I convert the data to Base64, which reveals the hidden spaces that would otherwise remain invisible. The screenshot also shows the Base64 decoded back in CyberChef, confirming the extra spaces.


When filtering the data using the query shown below, the event that spawns explorer.exe no longer appears. The reason is the extra spaces—causing the query to miss critical events.

Now that we’ve seen what doesn’t work, we can build a rule that accounts for potential extra spaces. In the final screenshot, the has_all operator is used with a list of arguments to ensure the hunt captures all relevant events.

Using a has_all list of fields is a smarter way to build detections, since it not only addresses spacing issues but also catches many other forms of obfuscation.
Splunk & Sysmon
This behavior also impacts Sysmon data. In my own testing, I found that the issue carries over into Sysmon logs ingested by Splunk as well—though I don’t currently have a private Splunk instance configured to demonstrate it. See the below screenshots:
Raw XML logs from sysmon

Even Viewer XML view

Event Viewer general view

In the XML logs and the Event Viewer’s general view, the spaces are preserved. However, in the Event Viewer’s XML view, those spaces are omitted—creating an inconsistency that can impact analysis.
Further testing showed that Splunk research rules only partially address this issue. In some cases, detections work as expected, but in others, they fail. For example, a rule containing (“process list“, “service list“) is vulnerable—an attacker can simply insert extra spaces between process and list, or service and list, to evade detection.
The below detection is from https://research.splunk.com/endpoint/ef3c5ef2-3f6d-4087-aa75-49bf746dc907/?query=wmic%20proces
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime from datamodel=Endpoint.Processes where `process_wmic` Processes.process IN ("*process list*", "*service list*") by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmi_process_and_service_list_filter`
The query below resolves the issue, but it may also introduce additional false positives.
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime
from datamodel=Endpoint.Processes
where `process_wmic`
(
(Processes.process="*process*" AND Processes.process="*list*")
OR
(Processes.process="*service*" AND Processes.process="* list*")
)
by Processes.action Processes.dest Processes.original_file_name Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path Processes.process Processes.process_exec Processes.process_guid Processes.process_hash Processes.process_id Processes.process_integrity_level Processes.process_name Processes.process_path Processes.user Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `windows_wmi_process_and_service_list_filter`
Conclusion
In conclusion, both Splunk and Azure Sentinel omit spaces when displaying logs, but queries must still account for them. Effective detection testing should anticipate evasion tactics such as inserting extra spaces. While this test focused on commands executed in Command Prompt, results may vary when using PowerShell or other scripting interpreters.
