I. INTRODUCTION
With low privileges as a normal user, how will you fly under the radar of
Endpoint Detection and Response (EDR)?
EDR evasion techniques often require the user to have high privileges (Admin,
System, etc.). Therefore, when operating under a normal user account, the
focus of bypassing EDR is primarily on executing actions in the most innocuous
manner possible.
In this article, with a Standard User account, I will implement the
masquerading attack technique to disguise the paths of payloads to closely
resemble the path of the Antimalware Service Executable file.
II. CORE
1. Process creation event
One of the most important pieces of information a Security Information and
Event Management (SIEM) system uses to judge whether an activity is malicious
is the process creation event (Sysmon Event ID 1). It provides extended
information about a newly created process, and the full command line gives
context for how the process was launched.
Below is an example of a process creation event monitored by
Sysmon.
Some of the fields that are always watched are Image, CommandLine,
CurrentDirectory, ParentProcessId, and so on.
Suppose you received two process creation events, one with the Image
“C:\Program Files\Windows Defender\MsMpEng.exe” and the other with
“%TEMP%\SuperJuicy.exe”. Which one would you be more suspicious of?
As an experienced analyst, you know that the installation directories of
antivirus and EDR products are protected at the kernel level by the product
itself, not only by NTFS permissions. Unless an attacker can get code running
in the kernel (through BYOVD or a kernel exploit), they cannot drop a payload
into these folders and execute it from there.
Therefore, returning to the two images above, I would pay more attention to
“SuperJuicy.exe” first. Not because of
its name, but because I know that “MsMpEng.exe” resides in the protected folder of Windows Defender. Of course, in the case
of a thorough investigation, both cases would be analyzed carefully.
2. File masquerading attack used in phishing
A file masquerading attack is a type of attack in which an attacker disguises
a malicious file as something harmless to trick users into opening it. This is
commonly achieved by manipulating the file name, extension, or metadata so the
file appears trustworthy. Common variants:
- Double file extension: naming a file “document.pdf.exe” so the user believes
it is a PDF.
- Masquerading file types: altering the file’s metadata so its type is
misidentified.
- Right-to-left override: inserting U+202E so the rendered name is reversed,
e.g. a name ending in “txt.exe” is displayed as “exe.txt”.
- Matching legitimate names or locations: giving a malicious file the name of
a trusted binary, such as “svchost.exe”, or placing it in a trusted directory
such as “C:\Windows\System32”.
- Invalid code signature: copying the signature and version metadata of a
legitimately signed binary onto a malicious one. The signature does not
verify, but the file looks signed to a casual inspection.
I will use the “matching legitimate names or locations” variant and apply it to
the path of the image file. The goal is to disguise the image so that it keeps
a low profile in the SIEM log data.
3. Path Masquerading: This is NOT the “Program Files” you are looking for
Unlike the masquerading attack used in phishing, my goal is to use
masquerading to lie low and avoid the attention of the SIEM, rather than to
create enticing files for users to click on.
Next, I will use the Path Masquerading technique to disguise my payload as
“C:\Program Files\Windows Defender\MsMpEng.exe”. My goal is to make my process
appear identical to the Antimalware Service Executable when viewed in Sysmon
logs or in process monitoring tools such as Process Monitor, Process Explorer,
and others.
This technique relies on Unicode characters that render like the ASCII space
(U+0020) but are different code points, so Windows treats “Program Files” and
“Program[U+2000]Files” as two different folder names. Unicode space separators
include:
U+2000: En Quad
U+2001: Em Quad
U+2002: En Space
…
U+200A: Hair Space
First, with low privileges, we need to find a component of the path
“C:\Program Files\Windows Defender\MsMpEng.exe” where we can create a folder
or write a file.
Of the components in that path, the root of the drive, “C:\”, is the most
feasible. By default the root DACL grants Authenticated Users the right to
create folders there, so a Standard User can usually create a new folder at
“C:\”. I am experimenting on Windows 11 and can create one. Whether this works
in a given network depends on the organization’s hardening policies.
Next, I create a folder named “Program Files 00” at “C:\”. After it is
created, I have the path “C:\Program Files 00”, where the current user has
full read/write/execute permissions.
After creating “Program Files 00”, I rename it to
“Program[U+2000: En Quad]Files”.
You could create the folder with that name from the beginning, but I wanted
to make the folder creation permissions clear, which is why I split it into
two steps.
After renaming, looking at the output of the “dir” command shown above, can
you tell which “Program Files” is the real one where software is installed
and which is the newly created folder?
Next, I copy the entire folder “C:\Program Files\Windows Defender” to
“C:\Program[U+2000: En Quad]Files\Windows Defender” and drop “SuperJuicy.exe”
into this new location.
To enhance the level of masquerading, after successfully spoofing the Windows
Defender path, you can further implement DLL Hijacking or DLL Side-Loading
techniques with the executable files of Windows Defender in this new folder.
Returning to the POC above, I will execute “TheJuicyOne.exe” and check the process creation event with Sysmon.
[Sysmon process creation event: fake Defender folder]
[Sysmon process creation event: real Defender folder]
Looking at the two Sysmon records above, can you identify the differences
between the two events? From the process creation event alone, I only learn
that a file under “C:\Program Files\Windows Defender” was executed. Reading
the log by eye, I cannot tell that “TheJuicyOne.exe” actually lives in a
completely different directory from “MpCmdRun.exe”.
Masquerading the path of Windows Defender or another antivirus/EDR product can
have several effects:
- It can confuse log analysts and slow down the tracing process.
- It can mislead the investigation. In the case above, the administrator is
likely to assume that Windows Defender itself has been compromised and will
probably analyze the incident from that angle.
- Above all, it makes the payload look legitimate and in its proper place.
4. Defending against Path Masquerading technique
Administrators can counter Path Masquerading with several measures, such as:
- Adding detection rules for Image, CommandLine, CurrentDirectory, and
ParentImage values that contain Unicode space separators or other non-ASCII
characters. Legitimate Windows paths under “C:\Program Files” and
“C:\Windows” contain neither.
- Making log viewers render such characters visibly. For example, instead of
showing “Program Files”, the viewer would show “Program[En Quad]Files”.
- Correlating the Image with the Hashes and OriginalFileName fields of the
same event. A payload dropped into the look-alike folder does not carry the
hashes of Microsoft’s binaries. This does not help if the attacker side-loads
a genuine Defender executable, as mentioned above.
- Restricting folder creation at the root of “C:\”, i.e. removing the default
“Create folders” permission granted to Authenticated Users.
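The following is an added example, not code from the article or its author. It reproduces the attacker step from section 3 (replacing the ASCII space in “Program Files” with a Unicode space separator) and then runs the detection suggested above over a few constructed Sysmon-style records: it renders the hidden code points as “[U+2000: EN QUAD]”, folds look-alike spaces back to U+0020, and flags an Image whose normalized path lands in a protected directory that the raw path does not. It goes slightly beyond the article’s U+2000 case by also handling U+1680 (a space separator that NFKC does not fold) and format characters such as the zero-width space. The protected directory list and the sample records are assumptions for the demonstration.

```python
import unicodedata

# Assumed list of directories an analyst tends to trust at a glance (most specific first).
PROTECTED_PREFIXES = (
    "C:\\Program Files\\Windows Defender\\",
    "C:\\Program Files\\",
    "C:\\Windows\\System32\\",
)


def build_lookalike(path, real_token="Program Files", spacer="\u2000"):
    """Attacker side: swap the ASCII space inside one path component for a
    Unicode space separator, as the article does with U+2000 EN QUAD."""
    return path.replace(real_token, real_token.replace(" ", spacer), 1)


def annotate(path):
    """Defender side: render every character outside printable ASCII as
    [U+XXXX: NAME], the way the article suggests log viewers should."""
    out = []
    for ch in path:
        if 0x20 <= ord(ch) <= 0x7E:
            out.append(ch)
        else:
            out.append(f"[U+{ord(ch):04X}: {unicodedata.name(ch, 'UNASSIGNED')}]")
    return "".join(out)


def suspicious_chars(path):
    """Characters that blend into a path: space separators (category Zs, e.g.
    U+2000..U+200A, U+3000, U+1680) and format characters (category Cf, e.g.
    U+200B zero-width space, U+202E right-to-left override)."""
    return [(i, f"U+{ord(ch):04X}", unicodedata.category(ch))
            for i, ch in enumerate(path)
            if ord(ch) > 0x7E and unicodedata.category(ch) in ("Zs", "Cf")]


def normalize_path(path):
    """Fold spacing look-alikes back to U+0020 and drop format characters so the
    path can be compared against the real protected directories."""
    folded = unicodedata.normalize("NFKC", path)  # U+2000-U+200A, U+00A0, U+3000 -> ' '
    # Zs characters without a decomposition (U+1680) are replaced explicitly.
    return "".join(" " if unicodedata.category(c) == "Zs" else c
                   for c in folded if unicodedata.category(c) != "Cf")


def classify(image):
    """Verdict for a Sysmon Event ID 1 Image value: 'clean', 'unicode-in-path',
    or 'masquerade:<protected prefix the normalized path falls under>'."""
    if not suspicious_chars(image):
        return "clean"
    norm = normalize_path(image).lower()
    for prefix in PROTECTED_PREFIXES:
        p = prefix.lower()
        if norm.startswith(p) and not image.lower().startswith(p):
            return f"masquerade:{prefix}"
    return "unicode-in-path"


# Constructed Sysmon-style records for the demonstration, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\Program Files\\Windows Defender\\MpCmdRun.exe"},
    {"EventID": 1, "Image": build_lookalike(
        "C:\\Program Files\\Windows Defender\\TheJuicyOne.exe")},
    {"EventID": 1, "Image": build_lookalike(
        "C:\\Program Files\\Windows Defender\\TheJuicyOne.exe", spacer="\u1680")},
    {"EventID": 1, "Image": "C:\\Users\\bob\\AppData\\Local\\Temp\\SuperJuicy.exe"},
]


def scan(events):
    """Annotated image and verdict for every process creation event."""
    return [(annotate(e["Image"]), classify(e["Image"]))
            for e in events if e["EventID"] == 1]


if __name__ == "__main__":
    for shown, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:48} {shown}")
```

The check deliberately compares the normalized path against the protected prefixes rather than simply rejecting every non-ASCII character, so that paths of users with non-Latin names are reported as “unicode-in-path” for review instead of being treated as Defender impersonation.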
III. SUMMARY
Attackers always seek ways to evade EDR in order to keep a low profile and
maintain their presence on the target system for as long as possible.
When they lack the privileges needed for advanced EDR evasion techniques,
such as blinding the EDR’s sensors, tampering with log collection agents, or
cutting the communication between the EDR’s kernel and user-mode components,
the attackers’ objective is to disguise themselves to appear as benign as
possible.
With the Path Masquerading technique, attackers can disguise their payloads to
closely resemble antivirus/EDR programs in the log data collected by the EDR.
This will create confusion and complicate the tracking and analysis of
activities on a machine. Worse yet, it can mislead analysts, resulting in the
oversight of active threats on the system.
IV. READING
Some books you should read to sharpen your cybersecurity skills,
especially in offensive security:
Books on Programming and Cybersecurity recommended by Zero Salarium
Researchers
Essential hardware tools that every security researcher and hacker should have in their toolkit:
Hardware Tools For Security Researcher and Hacker
Author of the article:
@TwoSevenOneT