Challenge 05: Path Manipulation

Easy Command Line Obfuscation Target: Rule 1

Objective

Execute a blacklisted process using path tricks to confuse the filename extraction.

Scanner Behavior

The EDR gets the process name from PROCESSENTRY32W.szExeFile, which contains only the executable filename (no path). However, the command line (Rule 2) contains the full command as typed.

Rules

  • Execute a blacklisted tool using the full path or UNC path
  • Explore whether the EDR sees the full path or just the filename
  • Document which rules are path-aware and which are not

Hints

Hint 1 szExeFile from Toolhelp32 only contains the filename, not the full path.
Hint 2 The command line (Rule 2) contains whatever was typed. Can you use path syntax to hide keywords?
Hint 3 Try using the full path: C:\Windows\System32\notepad.exe - is "notepad.exe" still extracted?