Detection Engineering

The art and science of building high-quality, high-fidelity detection rules.

Detection Mechanisms

File-Based Detection (Hashing)

Foundational but easily bypassed by modifying a single bit.

Cryptographic: MD5, SHA256. Exact matches only.
Imphash: Import Hash. Detects variants with the same imports.
Fuzzy Hash: SSDEEP. Detects similar files (70% match).

OS Internals & Monitoring

Windows (ETW, AMSI)

ETW (Event Tracing for Windows): Kernel-level telemetry. The backbone of EDR.
AMSI: Allows apps to send content (scripts, macros) to AV for scanning before execution.

Linux (eBPF, Auditd)

eBPF: Runs sandboxed programs in kernel. High performance, massive observability.
fanotify/inotify: File system monitoring hooks.

Rule Languages

YARA

The "grep" for malware. Scans files and memory for byte sequences and strings.

rule Detect_Malware {
  strings:
    $a = "suspicious_string"
  condition:
    $a
}

Sigma

Generic signature format for SIEM detection rules. "Write once, deploy anywhere".

logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4688
    CommandLine|contains: 'powershell'
  condition: selection
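
To show what a SIEM backend actually does with the selection above, here is a small evaluator for that rule, added here as an example rather than code from the page or the Sigma project. It supports plain equality plus the contains, startswith and endswith modifiers (case-insensitive, as Sigma specifies) and runs over constructed events shaped like Security event 4688.

```python
from typing import Any

# Rule as the page's Sigma YAML would parse (constructed, mirrors the snippet above).
RULE = {
    "detection": {
        "selection": {"EventID": 4688, "CommandLine|contains": "powershell"},
        "condition": "selection",
    }
}

def _match_field(key: str, expected: Any, event: dict) -> bool:
    """Evaluate one `Field|modifier: value` pair; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    if field not in event:  # an absent field never matches
        return False
    actual, wanted = str(event[field]).lower(), str(expected).lower()
    if modifier == "":
        return actual == wanted
    if modifier == "contains":
        return wanted in actual
    if modifier == "startswith":
        return actual.startswith(wanted)
    if modifier == "endswith":
        return actual.endswith(wanted)
    raise ValueError(f"unsupported modifier: {modifier}")

def selection_matches(selection: dict, event: dict) -> bool:
    """Every field/value pair inside one selection map is ANDed together."""
    return all(_match_field(k, v, event) for k, v in selection.items())

def rule_matches(rule: dict, event: dict) -> bool:
    """Evaluate a rule whose condition names a single selection, as on this page."""
    detection = rule["detection"]
    return selection_matches(detection[detection["condition"].strip()], event)

# Constructed sample events shaped like Security event 4688 (process creation).
EVENTS = [
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe -File C:\scripts\backup.ps1"},
    {"EventID": 4688, "CommandLine": r"C:\Windows\System32\notepad.exe C:\notes.txt"},
    {"EventID": 4624, "TargetUserName": "alice"},  # logon event with no CommandLine: must not fire
]

def hits(rule: dict = RULE, events: list = EVENTS) -> list:
    """Return the CommandLine of every event the rule fires on."""
    return [e["CommandLine"] for e in events if rule_matches(rule, e)]

if __name__ == "__main__":
    for line in hits():
        print("ALERT:", line)
```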

Ready to put this into practice?

Master the 9-step Detection Engineering Methodology in our interactive drill.
