Asia-24_Bar-EDREraseDataRemotelyReloaded.pdf

《Asia-24_Bar-EDREraseDataRemotelyReloaded.pdf》由会员分享，可在线阅读，更多相关《Asia-24_Bar-EDREraseDataRemotelyReloaded.pdf（94页珍藏版）》请在三个皮匠报告上搜索。

1、EDR=Erase Data RemotelyTomer BarShmuel CohenThis talk is SafeBreachs 15th talk at Black Hat20 years experience in security researchMain focus in APT and vulnerability researchPresented at many global security conferencesSuch as:Black Hat USA 2020,2023,DEFCON 28-312Tomer BarVP of Security Research Sa

2、feBreach6 years experience in cybersecurityMain focus in vulnerability researchFormer malware researcher specializedIn APT groups3Shmuel CohenSecurity Researcher SafeBreachLABS4Research Goal and approachDiscover the vulnerability CVE-2023-24860Attack vectorsCVE-2023-36010(CVE-2023-24860 bypass)CVE-2

3、023-36010 bypass+special bonus Lessons learned,Vendor response,Github,Q&AAgenda5Research Goal-Trigger False PositivesOMG Its Taylor Swift6Research Goal-Trigger False PositivesIts The Devil!Destroy it7TeaserWhat will you say if we can remotely delete critical filesover the internet,Pre-authentication

4、,Exploit multiple vulnerable Security controlsboth on Windows and Linuxfrom your Fully patched serversByte signature do bites 8The ChallengesFP is a known issue and most were already been fixed3Byte signature engine are considered as the most trusted and accurate layer2Remote Triggering121Step 1Extr

5、acting EDRs Byte-Signatures 10Black Box Approach11Windows Defender signature hunting12How to manually minimize a signature?Example,lets assume entire malicious file content is:“XABCY”Remove“X”,write“ABCY”to disk-detection-“X”is not part of the signatureRemove“A”,write“BCY”to disk-no detection-“A”is

6、part of the signatureRemove“B”,write“ACY”to disk-no detection-“B”is part of the signatureRemove“C”,write“ABY”to disk-no detection-“C”is part of the signatureRemove“Y”,write“ABC”to disk-detection-“Y”is not part of the signatureThe signature is“ABC”Windows Defender Byte Signatures 14Windows Defender -