Challenge 10: Timing Attack

Medium Process Monitoring Bypass Target: Rule Architecture

Objective

Execute a blacklisted command that completes before the EDR’s next polling cycle.

Scanner Behavior

The EDR monitors processes by polling with CreateToolhelp32Snapshot at a fixed interval:

Sleep(DWORD(cfg.pollInterval))  # Default: 500ms

A process that starts AND exits between two polls is never seen by the EDR.

Rules

  • Execute a blacklisted tool or suspicious command
  • The process must complete before the EDR detects it
  • The command must produce output proving it ran
  • Use the default 500ms polling interval

Hints

Hint 1 The default poll interval is 500ms. Any process that starts and exits in under 500ms might slip through.
Hint 2 Simple commands like whoami, ipconfig, net user typically complete in milliseconds.
Hint 3 The key is that CreateToolhelp32Snapshot is a point-in-time snapshot. A short-lived process between snapshots is invisible. Try running commands via cmd /c which exits quickly.