A new cyberattack technique has emerged that enables attackers to bypass Endpoint Detection and Response (EDR) systems while operating under a low-privileged standard user account. Traditionally, EDR evasion requires elevated privileges, such as administrative or system-level access. This approach instead leverages masquerading and path obfuscation to disguise malicious payloads as legitimate processes, deceiving both automated detection systems and human analysts.
Understanding EDR and SIEM as a Service
Endpoint Detection and Response (EDR) systems are crucial for monitoring and responding to threats on endpoints. They analyze process creation events, which are vital for identifying potential threats. Security Information and Event Management (SIEM) as a Service can enhance EDR capabilities by aggregating and analyzing logs from various sources, providing a comprehensive view of security events.
Core Attack Techniques
Process Creation Events in EDR Monitoring
According to Zero Salarium's research, process creation events are crucial for identifying potential threats. Tools like Sysmon log detailed information about process execution, including fields such as Image, CommandLine, CurrentDirectory, and ParentProcessID. Analysts often prioritize investigating suspicious processes based on their execution paths or filenames, and that habit is precisely what this technique exploits.
For instance, a process running from C:\Program Files\Windows Defender\MsMpEng.exe might appear legitimate, while a process from %TEMP%\SuperJuicy.exe would raise red flags. EDR solutions rely on kernel-level protection to safeguard directories like C:\Program Files. Without administrative privileges, attackers cannot place payloads in these protected directories. However, this new technique circumvents such restrictions by manipulating the file path itself.
File Masquerading and Path Obfuscation
Masquerading is a well-known tactic in cybersecurity, where attackers disguise malicious files to appear benign. Common methods include:
- Double File Extensions: Naming files like document.pdf.exe.
- Right-to-Left Override (RLO): Reversing file name order using special characters.
- Legitimate Name Imitation: Renaming files to match trusted applications (e.g., svchost.exe).
In this attack, the focus shifts from file names to directory paths. The attacker creates a folder mimicking the legitimate path of antivirus software using Unicode characters that resemble ASCII whitespace. For instance, the attacker creates a folder named C:\Program Files 00 with full write permissions. This folder is renamed to C:\Program[U+2000]Files, where the Unicode character U+2000 (En Quad) visually resembles a space.
The attacker copies the contents of C:\Program Files\Windows Defender\ into this new directory and adds their payload (SuperJuicy.exe).
Payload Execution
Once the payload is executed from the spoofed directory, Sysmon logs show a process creation event with an image path resembling C:\Program Files\Windows Defender\SuperJuicy.exe. Without careful inspection or specialized tools to detect Unicode characters, analysts may mistake this for a legitimate process.
Implications for EDR Systems
The use of Unicode-based path obfuscation complicates threat detection in several ways:
- Prolonged Dwell Time: By appearing benign, the malicious payload can persist longer on the target system.
- Confusion in Log Analysis: Analysts may waste valuable time investigating false leads.
- Deceptive Attribution: The attack could be misinterpreted as a compromise of legitimate security software.
Defensive Strategies
To combat this novel EDR evasion technique, security teams should consider the following defensive strategies:
- Improved Logging Rules: Set up Sysmon or SIEM solutions to identify and flag paths that include Unicode whitespace characters.
- Clear Visual Indicators: Adjust log viewers to explicitly display Unicode characters (for example, showing Program[En Quad]Files instead of Program Files).
- Limit Folder Creation Permissions: Restrict standard user access to essential directories, such as C:, so that look-alike folders cannot be created next to protected paths.
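As an added example (not code from the original article or from the Zero Salarium research), the following Python script applies the first two strategies above to the kind of Image values shown in the Payload Execution section: it flags paths containing Unicode space separators or format characters, renders them with visible code points such as Program[U+2000]Files, and reports when a path imitates a protected directory once the look-alike characters are folded. The sample Image values and the protected-prefix list are constructed assumptions for illustration.

```python
import unicodedata

# Constructed Sysmon Event ID 1 (process creation) "Image" values; not real log data.
SAMPLE_IMAGES = [
    "C:\\Program Files\\Windows Defender\\MsMpEng.exe",          # genuine path
    "C:\\Program\u2000Files\\Windows Defender\\SuperJuicy.exe",  # U+2000 EN QUAD spoof
    "C:\\Program\u00a0Files\\Windows Defender\\MsMpEng.exe",     # U+00A0 NO-BREAK SPACE spoof
    "C:\\Users\\alice\\Downloads\\invoice\u202efdp.exe",          # U+202E right-to-left override
    "C:\\Users\\alice\\AppData\\Local\\Temp\\SuperJuicy.exe",    # plain ASCII, odd location
]
# Assumed list of directories normally writable only with admin rights (spoofing targets).
PROTECTED_PREFIXES = ("C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Windows\\")

def suspicious_chars(path):
    """List (offset, code point, name) for every non-ASCII space separator (Zs)
    or format character (Cf, e.g. RLO U+202E, zero-width space U+200B) in path."""
    hits = []
    for i, ch in enumerate(path):
        if ord(ch) >= 0x80 and unicodedata.category(ch) in ("Zs", "Cf"):
            hits.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNNAMED")))
    return hits

def reveal(path):
    """Render the path so every non-ASCII character is visible, e.g. Program[U+2000]Files."""
    return "".join(ch if ord(ch) < 0x80 else f"[U+{ord(ch):04X}]" for ch in path)

def lookalike_of_protected(path):
    """Return the protected prefix this path imitates once Unicode spaces are folded to an
    ASCII space and format characters are dropped, or None if it is not an imitation."""
    folded = "".join(" " if unicodedata.category(ch) == "Zs" else ch
                     for ch in path if unicodedata.category(ch) != "Cf")
    for prefix in PROTECTED_PREFIXES:
        p = prefix.lower()
        if folded.lower().startswith(p) and not path.lower().startswith(p):
            return prefix
    return None

def analyze(path):
    """One detection record per Image value, usable as a SIEM rule input or log-viewer column."""
    hits = suspicious_chars(path)
    return {"image": path, "display": reveal(path), "hits": hits,
            "lookalike_of": lookalike_of_protected(path), "flag": bool(hits)}

if __name__ == "__main__":
    for rec in map(analyze, SAMPLE_IMAGES):
        if rec["flag"]:
            print(f"FLAG {rec['display']}  imitates={rec['lookalike_of']}  chars={rec['hits']}")
```

The plain ASCII %TEMP% path is deliberately not flagged here; that case belongs to an ordinary suspicious-location rule, whereas this check targets only the Unicode look-alike trick.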
Conclusion
This novel EDR evasion technique highlights the evolving sophistication of cyberattacks. Security teams must adapt by enhancing visibility into subtle anomalies in logs and strengthening endpoint protections against such deceptive tactics. By staying informed and implementing robust security measures, organizations can better defend against these emerging threats.