Challenge 16: Elevated Process Evasion
Objective
Execute a suspicious command as an elevated (administrator) process to prevent the EDR from reading its command line.
Scanner Behavior
The EDR reads command lines by opening target processes with PROCESS_QUERY_INFORMATION | PROCESS_VM_READ and reading their PEB:
let hProc = OpenProcess(
PROCESS_QUERY_INFORMATION or PROCESS_VM_READ,
WINBOOL(0), pid)
if hProc == 0: return # Can't read -> empty command line
If OpenProcess fails (e.g., due to insufficient privileges), the command line is empty, and all command-line-based rules are bypassed.
Rules
- Run the EDR agent as a standard user
- Execute a suspicious command from an elevated (admin) prompt
- Show that command-line-based rules (2, 4, 5) are not triggered
Hints
Hint 1
A standard-user process cannot read the PEB of an elevated (admin) process.Hint 2
WhenOpenProcess fails, getCommandLine returns an empty string. No keywords can match an empty string.
Hint 3
Rule 1 (process name blacklist) still works becauseCreateToolhelp32Snapshot can see all process names regardless of privilege level. But Rules 2, 4, and 5 are blind.
MostShittyEDR