Bypass Record

Masquerading × Enigma Protector

A publicly-reported instance of Masquerading bypassing Enigma Protector, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Enigma Protector
Technique: Masquerading
MITRE ATT&CK: T1036
Confidence: High
Severity: High
Status: poc
Disclosed: 2024-05-17
Config / version noted: Not stated

Provenance

Reported as

The patch alters QEMU's emulated device data... to defeat VM detection checks used by anti-cheat and DRM/packer software.

Mechanism

The patch alters QEMU's emulated device data—renaming the QEMU keyboard to 'ASUS keyboard', spoofing SMBIOS fields (manufacturer, product, version), disabling the hypervisor CPUID bit, and modifying UEFI variables—to defeat VM detection checks used by anti-cheat and DRM/packer software. It does not mitigate timing side-channels like RDTSC.

Detection & mitigation

Monitor for anomalies in hardware identifiers (e.g., SMBIOS fields, device names) that deviate from known legitimate patterns, using endpoint telemetry or asset inventory comparisons. Mitigate by enforcing integrity checks on firmware and hardware configurations, and deploying behavior-based detection that does not rely solely on VM presence.

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.