Challenge 07: Environment Variable Substitution

Medium Command Line Obfuscation Target: Rule 2

Objective

Execute a suspicious command by hiding keywords inside environment variables.

Scanner Behavior

Rule 2 checks the raw command line string as it appears in the process’s PEB. Environment variables like %COMSPEC% or %USERNAME% are stored unexpanded in the command line and only resolved at runtime by cmd.exe.

The EDR does not expand environment variables before checking.

Rules

  • Execute whoami or net user using environment variable substitution
  • The command must execute successfully and show output
  • The raw command line must not contain the keyword

Hints

Hint 1 Environment variables in the command line are not expanded when the EDR reads the PEB.
Hint 2 You can build command strings using substrings of environment variables. %COMSPEC% expands to C:\WINDOWS\system32\cmd.exe.
Hint 3 cmd.exe /c %COMSPEC:~-7,1%%COMSPEC:~-6,1%oami constructs "whoami" from substrings at runtime.