Challenge 06: Caret Insertion
Objective
Execute whoami via cmd.exe without the EDR detecting the keyword in the command line.
Scanner Behavior
Rule 2 uses simple substring matching on the command line:
proc ruleSuspiciousKeywords(info: ProcessInfo): seq[Detection] =
let cmd = info.commandLine.toLowerAscii()
for kw in SuspiciousKeywords:
if kw in cmd: # simple substring search
...
There is no deobfuscation engine. The raw command line string is checked as-is.
Rules
- Execute
whoamiand see the output - The EDR must not trigger a
SUSPICIOUS_CMDLINEdetection for “whoami” - You must use
cmd.exeto execute the command
Hints
Hint 1
The caret character^ is an escape character in cmd.exe that is stripped during execution.
Hint 2
cmd.exe /c who^ami - cmd.exe strips the caret, but the command line string still contains it.
MostShittyEDR