New Attack Technique to Bypass EDR as a Low-Privileged Standard User

A new cyberattack technique has surfaced, allowing attackers to circumvent Endpoint Detection and Response (EDR) systems while operating from a low-privileged standard user account. Historically, evading EDR protections necessitated elevated privileges, such as administrative or system-level access. However, this innovative method employs masquerading and path obfuscation to cloak malicious payloads as legitimate processes, effectively misleading both automated detection systems and human analysts.

Core Attack Techniques

Process Creation Events in EDR Monitoring

According to reports from Zero Salarium, process creation events play a pivotal role in identifying potential threats. Tools like Sysmon meticulously log detailed information about process execution, capturing essential fields such as Image, CommandLine, CurrentDirectory, and ParentProcessID. Analysts typically prioritize the investigation of suspicious processes based on their execution paths or filenames.

For example, a process originating from C:\Program Files\Windows Defender\MsMpEng.exe might be perceived as legitimate, while one from %TEMP%\SuperJuicy.exe would likely raise alarms. EDR solutions depend on kernel-level protection to secure directories like C:\Program Files. Without administrative privileges, attackers are generally unable to place payloads in these safeguarded directories. However, this new technique navigates around such restrictions by manipulating the file path itself rather than the protected directory.

File Masquerading and Path Obfuscation

Masquerading is a well-established tactic in cybersecurity, wherein attackers disguise malicious files to appear harmless. Common methods include:

  • Double File Extensions: Naming files in a deceptive manner, such as document.pdf.exe.
  • Right-to-Left Override (RLO): Reversing file name order using special characters.
  • Legitimate Name Imitation: Renaming files to mimic trusted applications (e.g., svchost.exe).

In this particular attack, the emphasis shifts from file names to directory paths. The attacker creates a folder that mimics the legitimate path of antivirus software, employing Unicode characters that resemble ASCII whitespace. For instance, a folder named C:\Program Files 00 is created with full write permissions and then renamed to C:\Program[U+2000]Files, where the Unicode character U+2000 (En Quad) visually resembles a space. The attacker subsequently copies the contents of C:\Program Files\Windows Defender into this new directory and introduces their payload (SuperJuicy.exe).

Payload Execution

Upon executing the payload from the spoofed directory, Sysmon logs a process creation event with an image path that reads as C:\Program Files\Windows Defender\SuperJuicy.exe. Without meticulous inspection or specialized tools to detect Unicode characters, analysts may mistakenly identify this as a legitimate process.

Implications for EDR Systems

The utilization of Unicode-based path obfuscation presents several challenges for threat detection:

  • Confusion in Log Analysis: Analysts may expend valuable time pursuing false leads.
  • Deceptive Attribution: The attack could be misconstrued as a compromise of legitimate security software.
  • Prolonged Dwell Time: By masquerading as benign, the malicious payload can linger longer on the target system.

Defensive Strategies

  • Enhanced Logging Rules: Configure Sysmon or SIEM solutions to flag paths containing Unicode whitespace characters.
  • Visual Indicators: Adjust log viewers to display Unicode characters explicitly (e.g., showing Program[En Quad]Files instead of Program Files).
  • Restrict Folder Creation Permissions: Limit standard user access to critical directories like C:\.
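The following script is an added example (not from the original article or from Zero Salarium) that implements the first two defensive strategies above against the Sysmon image paths described in the Payload Execution section: it scans process creation records for Unicode space separators and format characters hiding in a path, renders them explicitly (Program[U+2000]Files), and flags paths that collapse to a trusted directory only after the lookalike characters are folded to plain spaces. The event records, the trusted-directory list and the field names are constructed for the example; the same logic would normally run as a SIEM or Sysmon post-processing rule.

```python
import unicodedata

# Constructed sample Sysmon-style process creation records (not real telemetry).
# Event 1 uses U+2000 (En Quad) in "Program Files"; event 2 uses U+00A0 (NBSP)
# in "Windows Defender"; events 0 and 3 contain only ordinary ASCII spaces.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Windows Defender\MsMpEng.exe", "CommandLine": "MsMpEng.exe"},
    {"Image": "C:\\Program\u2000Files\\Windows Defender\\SuperJuicy.exe", "CommandLine": "SuperJuicy.exe"},
    {"Image": "C:\\Program Files\\Windows\u00a0Defender\\SuperJuicy.exe", "CommandLine": "SuperJuicy.exe"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\SuperJuicy.exe", "CommandLine": "SuperJuicy.exe"},
]

# Assumed allow-list of directories whose contents an analyst would treat as trusted.
TRUSTED_DIRS = {r"c:\program files\windows defender"}


def _is_hidden(ch):
    """True for any character that renders like (or as) nothing but is not U+0020.

    Zs = space separators (U+2000 En Quad, U+00A0 NBSP, ...),
    Cf = format characters (U+202E Right-to-Left Override, U+200B zero-width space, ...).
    """
    return ch != " " and unicodedata.category(ch) in ("Zs", "Cf")


def suspicious_chars(path):
    """Return (offset, char, unicode_name) for every hidden character in the path."""
    return [(i, ch, unicodedata.name(ch, "UNKNOWN")) for i, ch in enumerate(path) if _is_hidden(ch)]


def render_visible(path):
    """Make hidden characters explicit, e.g. 'Program[U+2000]Files'."""
    return "".join(f"[U+{ord(ch):04X}]" if _is_hidden(ch) else ch for ch in path)


def canonical(path):
    """Fold every space-like separator to a plain space so lookalike paths compare equal to the real one."""
    return "".join(" " if (ch != " " and unicodedata.category(ch) == "Zs") else ch for ch in path)


def classify(event):
    """Classify one process creation record.

    A path that only matches a trusted directory after folding lookalike spaces is the
    strongest signal: it is a spoofed copy of a protected directory, not the directory itself.
    """
    image = event["Image"]
    hits = suspicious_chars(image)
    folded = canonical(image).lower()
    literal = image.lower()
    trusted_after_fold = any(folded.startswith(d + "\\") for d in TRUSTED_DIRS)
    trusted_literally = any(literal.startswith(d + "\\") for d in TRUSTED_DIRS)

    if hits and trusted_after_fold and not trusted_literally:
        verdict = "ALERT: trusted-path lookalike"
    elif hits:
        verdict = "ALERT: hidden Unicode in path"
    else:
        # No hidden characters; ordinary path-based rules (e.g. executables in %TEMP%) still apply.
        verdict = "ok"
    return {"verdict": verdict, "visible": render_visible(image), "hits": hits}


def scan(events):
    """Return the classification of every event whose path is flagged."""
    return [(e["Image"], classify(e)) for e in events if classify(e)["verdict"] != "ok"]


if __name__ == "__main__":
    for image, result in scan(SAMPLE_EVENTS):
        names = ", ".join(f"{name} at offset {i}" for i, _, name in result["hits"])
        print(f"{result['verdict']}: {result['visible']}  ({names})")
```

Running the script prints one alert line per spoofed path with the hidden character named and its offset; the canonical folding is what distinguishes a spoofed C:\Program[U+2000]Files tree from an unrelated path that merely contains an odd character.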

This emerging EDR evasion technique underscores the increasing sophistication of cyberattacks. Security teams must evolve by enhancing visibility into subtle anomalies in logs and fortifying endpoint protections against such deceptive tactics.
