Bypass Record

Masquerading × unnamed major EDR vendor's EDR product (Windows sensor)

A publicly reported instance of Masquerading (T1036) bypassing an unnamed major EDR vendor's EDR product (Windows sensor), recorded with its original source. Factual record; no assessment of any specific deployment.

Product
unnamed major EDR vendor's EDR product (Windows sensor)
Technique
Masquerading
MITRE ATT&CK
T1036
Confidence
High
Severity
High
Status
poc
Disclosed
2024-12-01
Config / version noted
Not stated

Provenance

Reported as

defeats EDR command-line logging and detection for operations within WSL2

Mechanism

The launcher calls the wslapi.h API (WslLaunch) to start a process in a WSL2 distribution with 'sh' as the command, with the new process's stdin handle redirected to a pipe. The attacker's commands are written to that pipe base64-encoded and are decoded and executed inside the distribution. On the Windows side the EDR sees only a process creation for 'wsl.exe <distro> sh' with no further command-line arguments; the commands themselves travel over stdin, which process-creation telemetry does not capture. Because the commands run inside the WSL2 utility VM rather than as Windows processes, this defeats EDR command-line logging and detection for operations within WSL2, including file interactions with the Windows host (for example through the /mnt/c drive mount).

Detection & mitigation

Monitor for wsl.exe process creations whose command line starts a shell with no command or script argument (for example a distribution name followed by 'sh', or '-d <distro> -- sh'), especially when the parent is not an interactive terminal, and correlate them with subsequent anomalous child processes, file activity on the Windows host, or network connections from the WSL VM. Mitigate by restricting WSL usage to authorized users via AppLocker or WDAC, and enable process-creation logging with full command lines (Sysmon Event ID 1, or Security Event 4688 with command-line inclusion enabled). Note the limit of that telemetry: it records the wsl.exe launcher only; commands delivered over stdin never appear in Windows process-creation events, and activity inside the distribution is visible only to logging that runs inside it.
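The launcher-side detection for the mechanism and detection notes above, as an added example written for this record rather than code from the cited source: it scans Sysmon Event ID 1 style process-creation records for wsl.exe starting a Linux shell with no command on its own command line, which is the only trace this technique leaves in Windows process telemetry. The sample events are constructed for the example, and the INTERACTIVE_PARENTS list and severity labels are assumptions to adjust per environment, not values from the source.

```python
"""Flag wsl.exe launches that start a shell with no visible command.

The shell's script arrives over redirected stdin, so process-creation
telemetry never sees it; the launch pattern itself is the detectable part.
All events below are constructed for this example, not real telemetry.
"""
import ntpath
import shlex

SHELLS = {"sh", "bash", "dash", "ash", "zsh", "ksh", "fish"}
# wsl.exe options that consume the following token
OPTS_WITH_VALUE = {"-d", "--distribution", "-u", "--user", "--cd", "--shell-type"}
# wsl.exe management verbs: these never run a command inside a distribution
MGMT_VERBS = {"-l", "--list", "--install", "--shutdown", "--status", "--update",
              "--version", "-t", "--terminate", "-s", "--set-default",
              "--set-version", "--export", "--import", "--unregister"}
# Parents that normally start interactive shells (assumption: tune per environment).
INTERACTIVE_PARENTS = {"windowsterminal.exe", "cmd.exe", "powershell.exe",
                       "pwsh.exe", "explorer.exe", "code.exe"}


def _tokens(cmdline):
    # posix=False keeps backslashes in Windows paths; strip the quotes it leaves on
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def analyze_wsl_launch(event):
    """Return a finding dict for a suspicious wsl.exe launch, else None."""
    if event.get("EventID") != 1:
        return None
    if ntpath.basename(event.get("Image", "")).lower() != "wsl.exe":
        return None
    args = _tokens(event["CommandLine"])[1:]  # drop argv[0]
    distro = None
    i = 0
    while i < len(args):
        tok = args[i]
        if tok in MGMT_VERBS:
            return None  # management command, no distro shell involved
        if tok in OPTS_WITH_VALUE:
            if tok in ("-d", "--distribution") and i + 1 < len(args):
                distro = args[i + 1]
            i += 2
            continue
        if tok == "--":
            i += 1
            break
        if tok.startswith("-"):
            i += 1  # -e/--exec/--system and unknown flags
            continue
        break
    rest = args[i:]
    # Form reported by the source: 'wsl.exe <distro> sh', the distribution name
    # as a bare positional argument before the shell name.
    if len(rest) >= 2 and rest[0] not in SHELLS and rest[1] in SHELLS:
        distro, rest = rest[0], rest[1:]
    if not rest or rest[0] not in SHELLS:
        return None
    shell, shell_args = rest[0], rest[1:]
    # A script is visible if the shell got -c or any non-option argument
    # (a script path). Otherwise it reads its commands from stdin.
    if any(a == "-c" or not a.startswith("-") for a in shell_args):
        return None
    parent = ntpath.basename(event.get("ParentImage", "")).lower()
    return {
        "shell": shell,
        "distro": distro,
        "parent": parent,
        "severity": "low" if parent in INTERACTIVE_PARENTS else "high",
        "reason": f"{shell} launched with no command; script must come from stdin",
    }


def scan(events):
    """Run the check over a list of events and return the findings in order."""
    return [f for f in (analyze_wsl_launch(e) for e in events) if f]


WSL = r"C:\Windows\System32\wsl.exe"
# Constructed Sysmon-style records (not real telemetry).
SAMPLE_EVENTS = [
    # the launch form reported by the source, from an unknown parent binary
    {"EventID": 1, "Image": WSL, "ParentImage": r"C:\Users\alice\AppData\Local\Temp\launcher.exe",
     "CommandLine": r'"C:\Windows\System32\wsl.exe" Ubuntu sh'},
    # interactive shell from a terminal host: same shape, lower severity
    {"EventID": 1, "Image": WSL, "ParentImage": r"C:\Program Files\WindowsApps\WindowsTerminal.exe",
     "CommandLine": r"wsl.exe -d Ubuntu -- bash"},
    # command is on the command line, so EDR logging already sees it
    {"EventID": 1, "Image": WSL, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wsl.exe -d Ubuntu -- ls -la /mnt/c/Users"},
    {"EventID": 1, "Image": WSL, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"wsl.exe --list --verbose"},
    {"EventID": 1, "Image": WSL, "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'wsl.exe sh -c "cat /etc/passwd"'},
    # not a process-creation event; ignored
    {"EventID": 3, "Image": WSL, "ParentImage": "", "CommandLine": ""},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Only the first two sample events produce findings: the launcher.exe parent is rated high, the terminal-host parent low. The `-c` and `ls` forms pass because their commands are already on the command line, which is the case this technique is designed to avoid.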

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.