Challenge 16: Elevated Process Evasion

Medium Execution Evasion Target: Rule Architecture

Objective

Execute a suspicious command as an elevated (administrator) process to prevent the EDR from reading its command line.

Scanner Behavior

The EDR reads command lines by opening target processes with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and reading their PEB:

let hProc = OpenProcess(
  PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
  WINBOOL(0), pid)
if hProc == 0: return  # Can't read -> empty command line

If OpenProcess fails (e.g., due to insufficient privileges), the command line is empty, and all command-line-based rules are bypassed.

Rules

  • Run the EDR agent as a standard user
  • Execute a suspicious command from an elevated (admin) prompt
  • Show that command-line-based rules (2, 4, 5) are not triggered

Hints

Hint 1 A standard-user process cannot read the PEB of an elevated (admin) process.
Hint 2 When OpenProcess fails, getCommandLine returns an empty string. No keywords can match an empty string.
Hint 3 Rule 1 (process name blacklist) still works because CreateToolhelp32Snapshot can see all process names regardless of privilege level. But Rules 2, 4, and 5 are blind.