Path masquerading: Hide in plain sight

Posted by on
Path Masquerading logo

I. INTRODUCTION

With low privileges as a normal user, how will you fly under the radar of Endpoint Detection and Response (EDR)?

EDR evasion techniques often require the user to have high privileges (Admin, System, etc.). Therefore, when operating under a normal user account, the focus of bypassing EDR is primarily on executing actions in the most innocuous manner possible.

In this article, with a Standard User account, I will implement the masquerading attack technique to disguise the paths of payloads to closely resemble the path of the Antimalware Service Executable file.

II. CORE

1. Process creation event

One of the most important pieces of information for Security information and event management (SIEM) to monitor and assess whether an activity is malicious is the process creation event. It provides extended information about a newly created process. The full command line offers context on the process execution.

Below is an example of a process creation event monitored by Sysmon.

sample sysmon process creation event log

Some important data that is always monitored includes: Image, CommandLine, CurrentDirectory, ParentProcessID, and so on.

If it were you, upon receiving two process creation events with the images "C:\Program Files\Windows Defender\MsMpEng.exe" and "%TEMP%\SuperJuicy.exe". Which case would you be more suspicious of?

As an experienced analyst, you would know that the operational directories of antivirus and EDR solutions are always protected at the kernel level. Unless an attacker can escalate privileges to the kernel (through BYOVD or kernel exploits), they will not be able to drop payloads into these folders for execution.

Therefore, returning to the two images above, I would pay more attention to "SuperJuicy.exe" first. Not because of its name, but because I know that "MsMpEng.exe" resides in the protected folder of Windows Defender. Of course, in the case of a thorough investigation, both cases would be analyzed carefully.

2. File masquerading attack used in phishing

A file masquerading attack is a specific type of cyber attack where an attacker disguises a malicious file as something harmless, tricking users into opening it. This is commonly achieved by manipulating the file extension or name to make it appear trustworthy.

  • Double file extension: For example, naming a file "document.pdf.exe" to trick users into thinking it is a PDF
  • Masquerading file types: Altering the file's metadata to misidentify its type.
  • Right-to-left override: Using special characters to reverse the file name’s order, e.g., “txt.exe” becomes “exe.txt”.
  • Matching legitimate names or locations: Renaming malicious files to match names of trusted applications, like "svchost.exe," or placing them in trusted directories like "C:\\Windows\\System32".
  • Invalid code signature: Copying valid code signatures and metadata to evade signature-based defenses.

I will exploit the technique of matching legitimate names or locations and apply it to the path of the image file. The goal is to disguise the image to keep a low profile in the SIEM log data.

3. Path Masquerading: This is NOT the “Program Files” you are looking for

Unlike the masquerading attack used in phishing, my goal is to use masquerading to lay low and avoid the attention of SIEM, rather than to create enticing files for users to click on.

Next, I will use the Path Masquerading technique to disguise my payload as "C:\Program Files\Windows Defender\MsMpEng.exe". My goal is to make my process appear identical to the antimalware service executable when viewed from SysMon logs or from process monitoring tools such as Process Monitor, Process Explorer, and others.

This technique relies on using Unicode characters that resemble the "whitespace" character in ASCII.

Unicode characters that resemble whitespace include:

U+2000: En Quad

U+2001: Em Quad

U+2002: En Space

U+200A: Hair Space

First, with low privileges, we need to find a location in the path "C:\Program Files\Windows Defender\MsMpEng.exe" where we can create a folder or write a file.

If you agree with me, then in the above path, the location "C:\" is the most feasible. At "C:\", a Standard User is likely to have the permission to create a new folder here. I am experimenting on Windows 11 and can create a folder. This depends on the organizational policies within different networks.

Next, I will create a folder named "Program Files 00" at "C:\". After successfully creating it, I will have the path "C:\Program Files 00" where the current user has full read/write/execute permissions.

After creating "Program Files 00" I will proceed to rename it to "Program[U+2000: En Quad]Files" You could directly create the name like that from the beginning, but I wanted to clarify the issue of folder creation permissions, which is why I separated it into two steps.

masquerading path of Program Files folder

After renaming, with the "dir" command as shown above, can you distinguish which "Program Files" is the location where software is typically installed and which one is the newly created folder?

The next step, I will copy the entire folder "C:\Program Files\Windows Defender\" to the location "C:\Program[U+2000: En Quad]Files\Windows Defender\" and drop "SuperJuicy.exe" into this new location.

masquerading path spoof windows defender folder

To enhance the level of masquerading, after successfully spoofing the Windows Defender path, you can further implement DLL Hijacking or DLL Side-Loading techniques with the executable files of Windows Defender in this new folder.

Returning to the POC above, I will execute "TheJuicyOne.exe" and check the process creation event with Sysmon.

path masquerading fake defender folder
Fake Defender folder

path masquerading real defender folder
Real Defender folder

With the two SysMon record logs above, can you identify the differences between the two events? Based on the information collected from the process creation event, I will know that a file in the path "C:\Program Files\Windows Defender\" has been executed. And if I only look at the log, I won't be able to distinguish that "TheJuicyOne.exe" is actually located in a completely different path from "MpCmdRun.exe".

Masquerading the path of Windows Defender or other Antivirus/EDR solutions can have several effects:

  1. It can confuse log analysts, slowing down the tracing process.
  2. It can mislead the investigation direction. For example, in the case above, the Administrator is likely to think that Windows Defender has been compromised and will probably analyze it from this perspective.
  3. Of course, the main goal here is to make the payload appear very legitimate and proper.

4. Defending against Path Masquerading technique

Administrators can implement several methods to counter Path Masquerading, such as:

  • Creating additional rules to monitor paths that contain Unicode characters representing whitespace.
  • Modifying log viewers to display whitespace characters. For example, instead of showing "Program Files", it would change to "Program[En Quad]Files".
  • Restricting folder creation permissions at the location "C:\".

III. SUMMARY

Attackers always seek ways to evade EDR in order to keep a low profile and maintain their presence on the target system for as long as possible.

When lacking sufficient privileges to execute advanced EDR evasion techniques such as blindfold EDR, tampering with log collection agents, or obstructing interactions between the kernel and user mode of the EDR, the attackers' objective is to disguise themselves to appear as benign as possible.

With the Path Masquerading technique, attackers can disguise their payloads to closely resemble antivirus/EDR programs in the log data collected by the EDR. This will create confusion and complicate the tracking and analysis of activities on a machine. Worse yet, it can mislead analysts, resulting in the oversight of active threats on the system.

Comments

Post a Comment