New Attack Technique to Bypass EDR as a Low-Privileged Standard User
A new cyberattack technique has emerged, enabling attackers to bypass Endpoint Detection and Response (EDR) systems while operating under a low-privileged standard user account.
Traditionally, EDR evasion requires elevated privileges, such as administrative or system-level access.
However, this innovative approach leverages masquerading and path obfuscation to disguise malicious payloads as legitimate processes, deceiving both automated detection systems and human analysts.
Core Attack Techniques
Process Creation Events in EDR Monitoring
According to the Zero Salarium report, process creation events are crucial for identifying potential threats. Tools like Sysmon log detailed information about process execution, including fields such as Image, CommandLine, CurrentDirectory, and ParentProcessID.
Analysts often prioritize investigating suspicious processes based on their execution paths or filenames.
For instance, a process running from C:\Program Files\Windows Defender\MsMpEng.exe might appear legitimate, whereas a process running from %TEMP%\SuperJuicy.exe would raise red flags.
EDR solutions rely on kernel-level protection to safeguard directories like C:\Program Files.
Without administrative privileges, attackers cannot place payloads in these protected directories. However, this new technique circumvents such restrictions by manipulating the file path itself.
File Masquerading and Path Obfuscation
Masquerading is a well-known tactic in cybersecurity, where attackers disguise malicious files to appear benign. Common methods include:
- Double File Extensions: Naming files like document.pdf.exe.
- Right-to-Left Override (RLO): Reversing file name order using special characters.
- Legitimate Name Imitation: Renaming files to match trusted applications (e.g., svchost.exe).
In this attack, the focus shifts from file names to directory paths. The attacker creates a folder mimicking the legitimate path of antivirus software using Unicode characters that resemble ASCII whitespace.
For instance, the attacker creates a folder named C:\Program Files 00 with full write permissions. This folder is renamed to C:\Program[U+2000]Files, where the Unicode character U+2000 (En Quad) visually resembles a space.
The attacker copies the contents of C:\Program Files\Windows Defender\ into this new directory and adds their payload (SuperJuicy.exe).
Payload Execution
Once the payload is executed from the spoofed directory, Sysmon logs show a process creation event with an image path resembling C:\Program Files\Windows Defender\SuperJuicy.exe.
Without careful inspection or specialized tools to detect Unicode characters, analysts may mistake this for a legitimate process.
Implications for EDR Systems
The use of Unicode-based path obfuscation complicates threat detection in several ways:
- Confusion in Log Analysis: Analysts may waste valuable time investigating false leads.
- Deceptive Attribution: The attack could be misinterpreted as a compromise of legitimate security software.
- Prolonged Dwell Time: By appearing benign, the malicious payload can persist longer on the target system.
Defensive Strategies
- Enhanced Logging Rules: Configure Sysmon or SIEM solutions to flag paths containing Unicode whitespace characters.
- Visual Indicators: Modify log viewers to display Unicode characters explicitly (e.g., showing Program[En Quad]Files instead of Program Files).
- Restrict Folder Creation Permissions: Limit standard user access to critical directories like C:\.
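The detection logic behind the first two defensive points above, and the spoofing step it is meant to catch, as an added Python example that is not code from the article or from Zero Salarium. It scans a constructed text export of Sysmon process-creation events, flags any Image path containing non-ASCII whitespace or invisible format characters (the Zs/Cf categories, which cover U+2000 En Quad as well as the RLO control character from the masquerading list), reports when the normalised path would land under a protected root that the real path is not under, and renders the path with the hidden character spelled out, as the article suggests for log viewers. The sample events, the field layout and PROTECTED_PREFIXES are assumptions made for the demonstration.

```python
"""Flag Unicode-whitespace path spoofing in Sysmon process-creation events.
Added example, not code from the article or Zero Salarium. Sample events,
their 'Key: Value' layout and PROTECTED_PREFIXES are constructed here."""
import unicodedata

# Trusted roots an attacker would want to imitate (constructed list; drive it
# from your own application inventory in production).
PROTECTED_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")

# Unicode general categories that render blank or invisible: Zs = space
# separators (U+2000 En Quad, U+00A0 NBSP, ...), Zl/Zp = line/paragraph
# separators, Cf = format chars (U+200B zero-width space, U+202E RLO, ...).
HIDDEN_CATEGORIES = {"Zs", "Zl", "Zp", "Cf"}


def is_hidden(ch: str) -> bool:
    """True for non-ASCII characters that look like whitespace or nothing."""
    return ord(ch) >= 0x80 and unicodedata.category(ch) in HIDDEN_CATEGORIES


def normalize_path(path: str) -> str:
    """Map confusable blanks to ASCII space, drop invisible characters."""
    out = []
    for ch in path:
        if not is_hidden(ch):
            out.append(ch)
        elif unicodedata.category(ch) == "Zs":
            out.append(" ")  # Zl/Zp/Cf characters are dropped entirely
    return "".join(out)


def render_visible(path: str) -> str:
    """Log-viewer form: show hidden chars as [NAME] so analysts can see them."""
    return "".join(
        "[" + unicodedata.name(ch, "U+%04X" % ord(ch)) + "]" if is_hidden(ch) else ch
        for ch in path
    )


def _under_protected(path: str) -> bool:
    p = path.lower()  # Windows paths are case-insensitive
    return any(p.startswith(prefix.lower()) for prefix in PROTECTED_PREFIXES)


def classify_image(image: str) -> str:
    """'clean', 'hidden_chars', or 'spoofed_protected' (normalised path lands
    under a protected root that the real path is not under)."""
    if not any(is_hidden(ch) for ch in image):
        return "clean"
    if _under_protected(normalize_path(image)) and not _under_protected(image):
        return "spoofed_protected"
    return "hidden_chars"


# Constructed Sysmon Event ID 1 export, one "Key: Value" line per field and a
# blank line between events. The second event mirrors the article's scenario.
SAMPLE_EVENTS = (
    "Image: C:\\Program Files\\Windows Defender\\MsMpEng.exe\n"
    "CommandLine: \"C:\\Program Files\\Windows Defender\\MsMpEng.exe\"\n"
    "CurrentDirectory: C:\\Windows\\system32\\\n"
    "ParentProcessId: 612\n"
    "\n"
    "Image: C:\\Program\u2000Files\\Windows Defender\\SuperJuicy.exe\n"
    "CommandLine: \"C:\\Program\u2000Files\\Windows Defender\\SuperJuicy.exe\"\n"
    "CurrentDirectory: C:\\Users\\alice\\\n"
    "ParentProcessId: 4128\n"
    "\n"
    "Image: C:\\Users\\alice\\AppData\\Local\\Temp\\SuperJuicy.exe\n"
    "CommandLine: SuperJuicy.exe\n"
    "CurrentDirectory: C:\\Users\\alice\\AppData\\Local\\Temp\\\n"
    "ParentProcessId: 4128\n"
)


def parse_events(text: str) -> list:
    """Split a 'Key: Value' text export into one dict per event."""
    events, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                events.append(current)
                current = {}
            continue
        key, _, value = line.partition(": ")
        current[key] = value
    if current:
        events.append(current)
    return events


def scan_events(text: str) -> list:
    """(verdict, visible Image) for every event whose Image is not clean."""
    findings = []
    for event in parse_events(text):
        image = event.get("Image", "")
        verdict = classify_image(image)
        if verdict != "clean":
            findings.append((verdict, render_visible(image)))
    return findings


if __name__ == "__main__":
    for verdict, shown in scan_events(SAMPLE_EVENTS):
        print(verdict, shown)
```

Running the script reports only the second event, shown as C:\Program[EN QUAD]Files\Windows Defender\SuperJuicy.exe with the verdict spoofed_protected. The third event, the plain %TEMP% payload, is deliberately left "clean" by this check because it contains no hidden characters; it is the article's ordinary red-flag case and belongs to a separate path-based rule. Real Sysmon exports differ in layout (XML, CSV, SIEM JSON), so parse_events is the part to adapt; the character-category test and the normalise-then-compare check carry over unchanged, and in a SIEM query the same idea is a regular expression over non-ASCII Zs/Cf characters in the Image field.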
This novel EDR evasion technique highlights the evolving sophistication of cyberattacks. Security teams must adapt by enhancing visibility into subtle anomalies in logs and strengthening endpoint protections against such deceptive tactics.
The post New Attack Technique to Bypass EDR as a Low-Privileged Standard User appeared first on Cyber Security News.