Saturday, February 8, 2025
HomeCyber AttackNew Attack Method Bypasses EDR with Low Privileged Access

New Attack Method Bypasses EDR with Low Privileged Access

Published on

SIEM as a Service

Follow Us on Google News

A new endpoint detection and response (EDR) evasion technique has been identified that allows attackers with low-privilege access to bypass detection and operate under the radar.

Unlike traditional evasion methods that require high privileges, this method exploits masquerading to deceive event monitoring systems, such as Sysmon or Security Information and Event Management (SIEM) platforms, without raising alarms.

EDR solutions are designed to detect and respond to potential threats. These systems rely heavily on process creation events and the legitimacy of file paths to distinguish between routine and malicious activities.

Process creation event
Process creation event

However, this novel approach demonstrates how attackers can bypass detection using only a standard user account, eliminating the need for elevated privileges.

By utilizing a technique known as Path Masquerading, attackers are able to disguise malicious payloads to mimic legitimate system processes, specifically targeting the Antimalware Service Executable (MsMpEng.exe) associated with Windows Defender.

Path Masquerading in Action

The method hinges on exploiting Unicode characters that resemble whitespace (e.g., En Quad, Em Quad, or Hair Space) to create deceptive file paths. Here’s how it works:

  1. Creating a Spoof Directory:
    • With low privileges, attackers begin by creating directory structures such as “C:\Program Files 00” where they have fully read/write/execute permissions.
    • They then rename the directory to resemble a legitimate system path using Unicode characters, e.g., “C:\Program[U+2000] Files.”
Command Prompt
Command Prompt
  1. Cloning Windows Defender Path:
    • The legitimate folder structure of Windows Defender—C:\Program Files\Windows Defender—is mirrored into the newly created masqueraded path.
    • A malicious executable, such as “SuperJuicy.exe,” is dropped into the cloned path.
  2. Execution and Deception:
    • Once executed, tools like Sysmon log the event but only display the visual path “C:\Program Files\Windows Defender,” making it nearly indistinguishable from a legitimate execution path.
    • This completely cloaks the attacker’s malicious payload under the guise of legitimate antivirus processes, throwing off investigators.

The potential impact of this attack method is significant. By disguising payloads as legitimate system processes, analysts may be misled to focus investigations on trusted system tools like Windows Defender, as per a report by Zero Salarium.

Fake Defender folder
Fake Defender folder
Real Defender folder
Real Defender folder

This not only delays detection and remediation but also provides attackers with more time to execute their objectives undetected.

To further escalate the attack’s effectiveness, the technique can be combined with DLL hijacking or side-loading, enhancing its ability to bypass defenses.

Defending Against Path Masquerading

Defending against this sophisticated evasion method requires proactive measures by administrators:

  • Enhanced Logging Rules: Monitor paths containing Unicode whitespace characters.
  • Modified Log Display: Adjust log-viewing tools to reveal hidden characters (e.g., “Program[En Quad]Files”).
  • Access Restrictions: Limit folder creation permissions in critical directories such as “C:” to prevent unauthorized file paths.

The discovery of this new evasion technique highlights the evolving tactics used by attackers to bypass EDR solutions.

By leveraging low-privileged access and innovative path manipulation methods, this approach makes detection significantly more challenging.

Organizations must adapt by implementing more advanced monitoring and restricting permissions to critical system paths to protect against such stealthy attacks.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...

Hackers Leveraging Image & Video Attachments to Deliver Malware

Cybercriminals are increasingly exploiting image and video files to deliver malware, leveraging advanced techniques...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Autonomous LLMs Reshaping Pen Testing: Real-World AD Breaches and the Future of Cybersecurity

Large Language Models (LLMs) are transforming penetration testing (pen testing), leveraging their advanced reasoning...

Securing GAI-Driven Semantic Communications: A Novel Defense Against Backdoor Attacks

Semantic communication systems, powered by Generative AI (GAI), are transforming the way information is...

Cybercriminals Target IIS Servers to Spread BadIIS Malware

A recent wave of cyberattacks has revealed the exploitation of Microsoft Internet Information Services...