Challenge 05: Path Manipulation
Objective
Execute a blacklisted process using path tricks to confuse the filename extraction.
Scanner Behavior
The EDR gets the process name from PROCESSENTRY32W.szExeFile, which contains only the executable filename (no path). However, the command line (Rule 2) contains the full command as typed.
Rules
- Execute a blacklisted tool using the full path or UNC path
- Explore whether the EDR sees the full path or just the filename
- Document which rules are path-aware and which are not
Hints
Hint 1
szExeFile from Toolhelp32 only contains the filename, not the full path.
Hint 2
The command line (Rule 2) contains whatever was typed. Can you use path syntax to hide keywords?Hint 3
Try using the full path:C:\Windows\System32\notepad.exe - is "notepad.exe" still extracted?
MostShittyEDR