EDR evasion using Path masquerading

Endpoint Detection and Response (EDR) plays a crucial role in identifying and responding to security threats. Attackers may attempt to evade EDR by using low-privilege user accounts. One of the essential components of Security Information and Event Management (SIEM) is monitoring process creation events.

When a process is created, we monitor the following data:

• Image: The executable file associated with the process.
• Command Line: The command line arguments used to start the process.
• Current Directory: The directory from which the process was initiated.
• Parent Process ID: The ID of the process that started the new process.

File Masquerading Attack Techniques

• Double File Extension: For example, document.pdf.exe – misleading users into thinking it’s a harmless PDF file.

• Metadata Manipulation: Altering file metadata to masquerade the file type.

• Right-to-Left Override: Reversing the order of characters in the file name to conceal its true extension.

• Matching Legitimate Names or Locations: Renaming malicious files to match trusted applications (e.g., svchost.exe).

• Invalid Code Signatures: Copying valid code signatures and metadata to appear authentic.

The most common way attackers bypass Endpoint Detection and Response (EDR) using these techniques is through masquerading paths

Stay safe and always check for these.