Challenge 02: Case Sensitivity Exploit

Easy Process Name Evasion Target: Rule 1

Objective

Run a blacklisted process by exploiting case-sensitive string comparison.

Scanner Behavior

The blacklist comparison uses == which is case-sensitive in Nim:

if info.exeName == name:  # "Mimikatz.exe" != "mimikatz.exe"

The blacklist contains lowercase entries only: "mimikatz.exe", "procdump.exe", etc.

Rules

  • You must keep a recognizable variant of the original tool name
  • The EDR must not trigger a BLACKLISTED_PROCESS detection
  • Only the casing of the filename may change

Hints

Hint 1 The string comparison is case-sensitive. What's the casing of the blacklist entries?
Hint 2 Windows filesystems are case-insensitive. MIMIKATZ.EXE and mimikatz.exe are the same file.
Hint 3 Try: rename mimikatz.exe Mimikatz.exe and then run Mimikatz.exe