cnscna23 tracee pipeline.pdf (28 pages)

2023 Aqua Security Software Ltd., All Rights Reserved

Verifiable GitHub Actions using eBPF
Itay Shakury (@itaysk), Jose Donizetti (@josedonize-)

Tracee - Runtime Security and Forensics using eBPF (aquasecurity/tracee)
  Example events: Container started, Process executed, Network called, Reverse shell, Evasive execution, Container stopped
  Over 500 event types

Slide 4: "just a couple of years ago"

Slide 6: First solution - Tracee in the pipeline
  https:/
  Signatures: New executable, Evasion techniques, Crypto miners, Spawned shell
  Custom signatures

Slide 8: Second solution - profile
  https:/
  Profile fields: Timestamp, User ID, Binary path, Process ID

Slide 10: Third solution - both
  Signatures (deny): Reverse shell, Code injection, Crypto miner
  Profile (allow): Executions, Files modified, Network activity

Slide 11: DEMO - tracee-action

Slides 12-18: Integration (workflow.yaml)
  Pipeline steps: git clone, go test, go build, release (later variants add docker, curl, lint)
  Tracee steps wrapped around them: tracee start ... tracee stop
  Runner requirements and lessons: CO-RE/BTF support on the runner kernel; wait for Tracee init before the build steps run
  Scoping the trace to the job's own processes:
    --trace event=execve uid=$(id -u runner)
    --trace event=execve tree=$(pgrep Runner)
  Separating host activity from docker activity (writes, signatures, host, docker) leads to Scopes

Slide 19: Scopes
  Scope 1 (HOST): --trace 1:event=fileless_execution,hidden_file_created,...

Slide 20: Scopes
  --trace 1:event=fileless_execution,hidden_file_created,...
  --trace 2:event=file_modification
  --trace 2:fi
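The profile-based verification described in the second and third solutions above (record Timestamp, User ID, Binary path and Process ID from a trusted run, then deny a later run on any signature hit or any execution outside the recorded profile), as an added example that is not code from the slides or from the Tracee project. It assumes newline-delimited JSON events in a Tracee-like shape (eventName, userId, processId, timestamp, args with a pathname), a runner uid of 1001 standing in for $(id -u runner), and illustrative signature event names; the sample events are constructed, not real Tracee output.

```python
import json
from typing import Dict, List, Optional, Set, Tuple

# Assumed uid of the GitHub Actions "runner" user. The slides scope Tracee to
# uid=$(id -u runner); here the same scope is applied when reading events.
RUNNER_UID = 1001

# Illustrative signature event names that always deny a run. The real names
# depend on the Tracee version and the signature set you load.
SIGNATURE_EVENTS = {"reverse_shell", "code_injection", "crypto_miner",
                    "fileless_execution", "hidden_file_created"}

# Constructed sample events (not real Tracee output), one JSON object per
# line in a Tracee-like shape: eventName, userId, processId, timestamp, args.
BASELINE_LINES = """
{"timestamp": 100, "eventName": "execve", "userId": 1001, "processId": 2001, "args": [{"name": "pathname", "value": "/usr/bin/git"}]}
{"timestamp": 101, "eventName": "execve", "userId": 1001, "processId": 2002, "args": [{"name": "pathname", "value": "/usr/local/go/bin/go"}]}
{"timestamp": 102, "eventName": "execve", "userId": 1001, "processId": 2003, "args": [{"name": "pathname", "value": "/usr/bin/curl"}]}
{"timestamp": 103, "eventName": "execve", "userId": 0, "processId": 2004, "args": [{"name": "pathname", "value": "/usr/bin/apt-get"}]}
"""

SUSPECT_LINES = """
{"timestamp": 200, "eventName": "execve", "userId": 1001, "processId": 3001, "args": [{"name": "pathname", "value": "/usr/bin/git"}]}
{"timestamp": 201, "eventName": "execve", "userId": 1001, "processId": 3002, "args": [{"name": "pathname", "value": "/usr/local/go/bin/go"}]}
{"timestamp": 202, "eventName": "execve", "userId": 1001, "processId": 3003, "args": [{"name": "pathname", "value": "/tmp/.miner"}]}
{"timestamp": 203, "eventName": "reverse_shell", "userId": 1001, "processId": 3004, "args": []}
{"timestamp": 204, "eventName": "execve", "userId": 0, "processId": 3005, "args": [{"name": "pathname", "value": "/usr/bin/apt-get"}]}
"""

ExecKey = Tuple[int, str]  # (uid, binary path)


def parse_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def exec_key(event: Dict) -> Optional[ExecKey]:
    """Return (uid, pathname) for an execve event inside the runner uid scope,
    None for anything else (other event types, other users)."""
    if event.get("eventName") != "execve" or event.get("userId") != RUNNER_UID:
        return None
    for arg in event.get("args", []):
        if arg.get("name") == "pathname":
            return (event["userId"], arg["value"])
    return None


def build_profile(events: List[Dict]) -> Set[ExecKey]:
    """Second solution: record every binary the runner user executed during a
    trusted baseline run. This set is the allow list for later runs."""
    profile = set()
    for event in events:
        key = exec_key(event)
        if key is not None:
            profile.add(key)
    return profile


def verify_run(events: List[Dict], profile: Set[ExecKey]) -> Dict:
    """Third solution: deny on any signature event, deny on any execution the
    profile does not allow, otherwise allow. Findings keep pid and timestamp
    so the verdict can be traced back to the Tracee event."""
    findings = []
    allowed = 0
    for event in events:
        name = event.get("eventName")
        if name in SIGNATURE_EVENTS:
            findings.append({"verdict": "deny", "reason": "signature:" + name,
                             "pid": event["processId"], "timestamp": event["timestamp"]})
            continue
        key = exec_key(event)
        if key is None:
            continue  # not an execve, or outside the runner uid scope
        if key in profile:
            allowed += 1
        else:
            findings.append({"verdict": "deny", "reason": "unprofiled_exec:" + key[1],
                             "pid": event["processId"], "timestamp": event["timestamp"]})
    return {"verdict": "deny" if findings else "allow",
            "allowed": allowed, "findings": findings}


def demo() -> Dict:
    """Build the profile from the baseline run and verify the suspect run."""
    profile = build_profile(parse_events(BASELINE_LINES))
    return verify_run(parse_events(SUSPECT_LINES), profile)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The uid filter in exec_key mirrors the `uid=$(id -u runner)` scope from the integration slides: the root apt-get execution is ignored in both runs rather than polluting the profile or raising a false deny. The suspect run is denied twice, once for the unprofiled /tmp/.miner execution and once for the reverse_shell signature, while the git and go executions still count as allowed.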