Monday, May 5, 2025

New Attack Method Bypasses EDR with Low Privileged Access


A new endpoint detection and response (EDR) evasion technique has been identified that allows attackers with low-privilege access to bypass detection and operate under the radar.

Unlike traditional evasion methods that require high privileges, this method exploits masquerading to deceive event monitoring systems, such as Sysmon or Security Information and Event Management (SIEM) platforms, without raising alarms.

EDR solutions are designed to detect and respond to potential threats. These systems rely heavily on process creation events and the legitimacy of file paths to distinguish between routine and malicious activities.

Process creation event

However, this novel approach demonstrates how attackers can bypass detection using only a standard user account, eliminating the need for elevated privileges.

By utilizing a technique known as Path Masquerading, attackers are able to disguise malicious payloads to mimic legitimate system processes, specifically targeting the Antimalware Service Executable (MsMpEng.exe) associated with Windows Defender.

Path Masquerading in Action

The method hinges on exploiting Unicode characters that resemble whitespace (e.g., En Quad, Em Quad, or Hair Space) to create deceptive file paths. Here’s how it works:

  1. Creating a Spoof Directory:
    • With low privileges, attackers begin by creating a directory such as “C:\Program Files 00”, over which they have full read/write/execute permissions.
    • They then rename the directory to resemble a legitimate system path using Unicode characters, e.g., “C:\Program[U+2000] Files.”
Command Prompt
  2. Cloning the Windows Defender Path:
    • The legitimate folder structure of Windows Defender—C:\Program Files\Windows Defender—is mirrored into the newly created masqueraded path.
    • A malicious executable, such as “SuperJuicy.exe,” is dropped into the cloned path.
  3. Execution and Deception:
    • Once the executable runs, tools like Sysmon log the event but display only the visually identical path “C:\Program Files\Windows Defender,” making it nearly indistinguishable from a legitimate execution path.
    • This cloaks the attacker’s payload under the guise of a legitimate antivirus process and misdirects investigators.

The potential impact of this attack method is significant. By disguising payloads as legitimate system processes, attackers can mislead analysts into focusing their investigations on trusted system tools like Windows Defender, according to a report by Zero Salarium.

Fake Defender folder
Real Defender folder

This not only delays detection and remediation but also provides attackers with more time to execute their objectives undetected.

To further escalate the attack’s effectiveness, the technique can be combined with DLL hijacking or side-loading, enhancing its ability to bypass defenses.

Defending Against Path Masquerading

Defending against this sophisticated evasion method requires proactive measures by administrators:

  • Enhanced Logging Rules: Monitor paths containing Unicode whitespace characters.
  • Modified Log Display: Adjust log-viewing tools to reveal hidden characters (e.g., “Program[En Quad]Files”).
  • Access Restrictions: Limit folder creation permissions in critical directories such as “C:” to prevent unauthorized file paths.
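As an added defensive example (not code from the original report or from Zero Salarium), the following Python puts the first two recommendations into practice: it renders hidden whitespace in process image paths as `[U+XXXX]`, and flags paths that only resemble a trusted prefix once those characters are folded away. The Sysmon-style sample events and the protected-prefix list are constructed for illustration.

```python
import unicodedata

# Folder prefixes treated as trusted system locations
# (constructed list for this example; tune to your environment).
PROTECTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def is_hidden_space(ch: str) -> bool:
    """Non-ASCII space separators (Zs) and format chars (Cf) render like blanks."""
    return ord(ch) > 0x7F and unicodedata.category(ch) in ("Zs", "Cf")


def reveal_hidden_chars(path: str) -> str:
    """Render a path so hidden characters show as [U+XXXX], e.g. Program[U+2000]Files."""
    return "".join(f"[U+{ord(c):04X}]" if is_hidden_space(c) else c for c in path)


def fold_hidden_chars(path: str) -> str:
    """What the path looks like to a human: Zs -> ASCII space, Cf -> dropped."""
    return "".join(
        " " if unicodedata.category(c) == "Zs" else "" if unicodedata.category(c) == "Cf" else c
        for c in path
    )


def masquerades_as_protected(path: str) -> bool:
    """True if the path only *looks* like a protected prefix once hidden chars are folded."""
    if not any(is_hidden_space(c) for c in path):
        return False
    return fold_hidden_chars(path).lower().startswith(PROTECTED_PREFIXES)


def scan_events(events):
    """Return alerts for process-creation events whose Image contains hidden characters."""
    alerts = []
    for ev in events:
        image = ev["Image"]
        hidden = [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                  for i, c in enumerate(image) if is_hidden_space(c)]
        if hidden:
            alerts.append({"RecordId": ev["RecordId"], "Revealed": reveal_hidden_chars(image),
                           "HiddenChars": hidden,
                           "MasqueradesProtectedPath": masquerades_as_protected(image)})
    return alerts


# Constructed sample events modelled on Sysmon Event ID 1 (process creation); not real logs.
SAMPLE_EVENTS = [
    {"RecordId": 101, "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe"},
    {"RecordId": 102, "Image": "C:\\Program\u2000Files\\Windows Defender\\SuperJuicy.exe"},  # En Quad
    {"RecordId": 103, "Image": "C:\\Program Files\\Windows\u200aDefender\\MsMpEng.exe"},    # Hair Space
    {"RecordId": 104, "Image": "C:\\Users\\alice\\Downloads\\notes.exe"},
]

if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(a["RecordId"], a["Revealed"], a["HiddenChars"], a["MasqueradesProtectedPath"])
```

Fed the constructed events, only records 102 and 103 produce alerts, and both are marked as masquerading under `C:\Program Files\`.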

The discovery of this new evasion technique highlights the evolving tactics used by attackers to bypass EDR solutions.

By leveraging low-privileged access and innovative path manipulation methods, this approach makes detection significantly more challenging.

Organizations must adapt by implementing more advanced monitoring and restricting permissions to critical system paths to protect against such stealthy attacks.


Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
