Detecting EDR Bypass using path masquerading
In this article I will provide a detailed KQL query to help identify suspicious behavior that may indicate a defense evasion as described in the research of Zero Salarium.
Introduction:
Recent articles have highlighted new attack techniques that allow attackers to bypass EDR solutions even from a low-privileged account. For instance, Zero Salarium discusses a technique to evade detection by Endpoint Detection and Response (EDR) systems.
It explains how a Standard User account can be used to disguise the paths of malicious payloads so that they resemble legitimate system files, such as the Antimalware Service Executable (MsMpEng.exe). The method leverages symbolic links to blind EDR tools, increasing the stealth of the attack.
Creating the spoofing folder:
As explained in that article, the attackers begin by creating a directory they fully control, such as C:\Program Files 00. No elevation is needed: by default, authenticated users may create folders in the root of the system drive, and the creator receives read, write and execute permissions on the new folder. They then rename the directory so that it resembles a legitimate system path, substituting a Unicode character for the space, e.g., C:\Program[U+2000]Files, where U+2000 (En Quad) takes the place of the ordinary space.
Instead of renaming a folder it is also possible to directly create a folder with a Unicode character in the name. The following code example creates such a folder using PowerShell.
# Unicode character U+2000 (En Quad) renders like a space but is a different code point
$unicodeChar = [char]0x2000
$spoofDir = "C:\Program" + $unicodeChar + "Files"
New-Item -Path $spoofDir -ItemType Directory
# Verify the directory has been created; both folders display as "Program Files"
Get-ChildItem -Path "C:\Program*"
# Make the difference visible: print the code point of every character in the folder name
(Split-Path $spoofDir -Leaf).ToCharArray() | ForEach-Object { '{0} U+{1:X4}' -f $_, [int]$_ }
As shown in the image below, a duplicate directory that also displays as Program Files is created.
Detecting folder creation:
To detect the creation of a new directory containing a Unicode character instead of a space character, the following KQL query can be used.
// Custom detection for the creation of spoof directories with Unicode characters
// Unicode space separators U+2000 (En Quad) to U+200A (Hair Space) look like an ordinary space
// but are different code points. has_any() matches whole indexed terms and does not match a lone
// whitespace code point reliably, so the path check uses a regular expression instead
// (RE2 syntax; \x{....} denotes a code point).
let unicodeWhitespaceRegex = @"[\x{2000}-\x{200A}]";
let suspiciousProcesses = dynamic([
"powershell.exe"
, "cmd.exe"
, "mshta.exe"
, "wscript.exe"
, "cscript.exe"
]);
DeviceFileEvents
| where Timestamp >= ago(1h)
// Exclude the local SYSTEM account (case-insensitive; the name is stored in lower case)
| where InitiatingProcessAccountName !~ "system"
// Exclude built-in service accounts; the domain is a separate column and is not embedded in the account name
| where InitiatingProcessAccountDomain !~ "NT AUTHORITY"
// Filter for known suspicious processes (case-insensitive)
| where InitiatingProcessFileName in~ (suspiciousProcesses)
// Flag paths that contain a Unicode space separator in place of U+0020
| where FolderPath matches regex unicodeWhitespaceRegex
| project
Timestamp
, DeviceName
, ActionType
, InitiatingProcessAccountDomain
, InitiatingProcessAccountName
, InitiatingProcessAccountUpn
, FolderPath
, FileName
, InitiatingProcessFileName
, InitiatingProcessCommandLine
| order by Timestamp desc
Query Overview
This custom detection query identifies file activity in directories whose names contain a Unicode space separator instead of an ordinary space. Attackers create such directories to make a payload path look like a legitimate system location and thereby bypass Endpoint Detection and Response (EDR) solutions.
Query Details
The query runs over the DeviceFileEvents table. Its components are:
- Unicode whitespace characters: the unicodeWhitespaceRegex constant covers the space separators U+2000 (En Quad) to U+200A (Hair Space), the range used for this kind of path obfuscation. A has_any() check is unsuitable here because has matches whole indexed terms, and a lone whitespace code point is a term delimiter rather than a term. Other space separators such as U+00A0 (No-Break Space), U+202F, U+205F and U+3000 (Ideographic Space) render similarly and can be added to the character class.
- Suspicious processes: the suspiciousProcesses array lists powershell.exe, cmd.exe, mshta.exe, wscript.exe and cscript.exe, the interpreters commonly used to create the spoof directory. in~ makes the comparison case-insensitive.
- Exclusions: events initiated as the local SYSTEM account or by accounts in the NT AUTHORITY domain are dropped to reduce false positives. In DeviceFileEvents the account domain is its own column (InitiatingProcessAccountDomain); InitiatingProcessAccountName holds only the user name, so splitting it on a backslash yields nothing to compare the domain against.
- Path check: FolderPath is matched against the regular expression.
- Projection: the relevant fields Timestamp, DeviceName, ActionType, InitiatingProcessAccountDomain, InitiatingProcessAccountName, InitiatingProcessAccountUpn, FolderPath, FileName, InitiatingProcessFileName and InitiatingProcessCommandLine are returned.
- Ordering: results are ordered by Timestamp, newest first.
Two caveats when operationalizing the query. First, DeviceFileEvents records operations on files, and FolderPath is the directory of the affected file, so the query fires when a file is created, modified or renamed inside a spoofed directory. Confirm in your own tenant, for example by running the PowerShell snippet above, whether the bare creation of the directory itself also surfaces; if it does not, hunt for the same characters in the command lines recorded in DeviceProcessEvents. Second, the regular expression also matches legitimate files whose paths contain typographic spaces, so keep the process list and the account exclusions in place and widen them only after reviewing the results.
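To show the same hunt logic outside Advanced Hunting, the following Python script is an added example; it is not part of the original article or of the Zero Salarium research. It runs the check over a few constructed DeviceFileEvents-style records and goes one step beyond the KQL: besides detecting any Unicode space separator in a path, it NFKC-normalizes the path (which maps U+2000 to U+200A and U+3000 back to an ordinary space) and compares the result with a list of protected directories, so it also reports which legitimate location a spoofed folder impersonates. The event records, device and account names and the protected-directory list are all constructed for the example.

```python
import unicodedata
from typing import Dict, List, Optional

# Directories a spoofed folder is likely to impersonate (constructed list for this example;
# lower case, no trailing backslash).
PROTECTED_DIRS = (
    r"c:\program files",
    r"c:\program files (x86)",
    r"c:\windows",
    r"c:\windows\system32",
)

# The interpreters the KQL query above keys on.
SUSPICIOUS_PROCESSES = {"powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


def space_lookalikes(path: str) -> List[str]:
    """Return 'U+XXXX NAME' for every space separator (Unicode category Zs) other than U+0020.

    Scanning by category catches U+00A0, U+2000..U+200A, U+202F, U+205F and U+3000
    without enumerating them one by one.
    """
    return [
        f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNKNOWN')}"
        for ch in path
        if unicodedata.category(ch) == "Zs" and ch != " "
    ]


def canonical_path(path: str) -> str:
    """Fold the path the way the eye does: NFKC maps the Zs lookalikes to U+0020."""
    return unicodedata.normalize("NFKC", path).lower().rstrip("\\")


def impersonated_dir(path: str) -> Optional[str]:
    """Return the protected directory the path collapses onto after normalization, or None."""
    canon = canonical_path(path)
    if path.lower().rstrip("\\") == canon:
        return None  # nothing was folded, so the path is what it looks like
    for protected in PROTECTED_DIRS:
        if canon == protected or canon.startswith(protected + "\\"):
            return protected
    return None


def evaluate(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Apply the hunt logic to one DeviceFileEvents-style record; return a finding or None."""
    if event["InitiatingProcessAccountName"].lower() == "system":
        return None
    if event["InitiatingProcessAccountDomain"].upper() == "NT AUTHORITY":
        return None
    if event["InitiatingProcessFileName"].lower() not in SUSPICIOUS_PROCESSES:
        return None
    lookalikes = space_lookalikes(event["FolderPath"])
    if not lookalikes:
        return None
    return {
        "DeviceName": event["DeviceName"],
        "FolderPath": event["FolderPath"],
        "Lookalikes": lookalikes,
        "Impersonates": impersonated_dir(event["FolderPath"]),
    }


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run evaluate() over a batch of records and keep the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


# Constructed sample records in the shape of DeviceFileEvents rows.
SAMPLE_EVENTS = [
    {   # spoofed "Program Files" (U+2000) created by a standard user from PowerShell
        "DeviceName": "ws-0042", "ActionType": "FileCreated",
        "FolderPath": "C:\\Program\u2000Files\\Windows Defender",
        "InitiatingProcessFileName": "powershell.exe",
        "InitiatingProcessAccountDomain": "CORP", "InitiatingProcessAccountName": "alice",
    },
    {   # the real Program Files, written by the Defender service as SYSTEM: excluded
        "DeviceName": "ws-0042", "ActionType": "FileModified",
        "FolderPath": "C:\\Program Files\\Windows Defender",
        "InitiatingProcessFileName": "MsMpEng.exe",
        "InitiatingProcessAccountDomain": "NT AUTHORITY", "InitiatingProcessAccountName": "system",
    },
    {   # ideographic space U+3000 standing in for the space in "Program Files (x86)"
        "DeviceName": "ws-0077", "ActionType": "FileCreated",
        "FolderPath": "C:\\Program\u3000Files (x86)\\Tool",
        "InitiatingProcessFileName": "cmd.exe",
        "InitiatingProcessAccountDomain": "CORP", "InitiatingProcessAccountName": "bob",
    },
    {   # no-break space in a user document folder: matches the character check, impersonates nothing
        "DeviceName": "ws-0077", "ActionType": "FileCreated",
        "FolderPath": "C:\\Users\\bob\\Documents\\Report\u00a0Q3",
        "InitiatingProcessFileName": "wscript.exe",
        "InitiatingProcessAccountDomain": "CORP", "InitiatingProcessAccountName": "bob",
    },
    {   # spoofed path, but created by a binary outside the watched interpreter list: not reported
        "DeviceName": "ws-0099", "ActionType": "FileCreated",
        "FolderPath": "C:\\Program\u2000Files",
        "InitiatingProcessFileName": "setup.exe",
        "InitiatingProcessAccountDomain": "CORP", "InitiatingProcessAccountName": "carol",
    },
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The fourth record shows the false-positive class the prose warns about: a typographic space in a document path trips the character check but normalizes onto nothing protected, so the Impersonates field is None and the finding can be triaged quickly. The fifth record shows the blind spot of the process allow-list: the same spoofed directory goes unreported when an unlisted binary creates it, which is the trade-off made when the list is kept narrow to limit noise.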
Summary:
With the provided KQL query you can identify file activity in directories whose names contain Unicode space separators, a strong indication of path masquerading. Attackers use this technique to make a payload path pass for a legitimate system location and so bypass EDR detection.
Happy hunting!