
I'm in your logs now, deceiving your analysts and blinding your EDR.pdf

Uploaded by: 竿***   ID: 981870   2025-11-29   99 pages   29.13MB

Extracted slide text (preview):

#BHUSA BlackHatEvents
I'm in your logs now, deceiving your analysts and blinding your EDR
Olaf Hartong, Detection Engineer and Security Researcher. Purple teaming, threat hunting. Security MVP. Former documentary photographer. Father of 2 boys. "I like warm hugs."

Today's topics:
- What is Event Tracing for Windows (ETW)?
- Why security products use ETW
- Can I spoof events?
- Can I further (ab)use this?
- What can you do with/about this?

What is Event Tracing for Windows (ETW)?
Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers. It has been designed for performance monitoring and debugging. ETW is implemented in the Windows operating system and provides a fast, reliable, and versatile set of event tracing features. Its architecture consists of three primary components.

The next slides provide a simplified overview of ETW, focused only on the components I've abused. (Logical flow diagram.) * Requires admin privileges, unless explicitly permitted.

Common ETW attacks (https://attack.mitre.org/techniques/T1562/006/):
- Patching the ntdll.dll EtwEventWrite function (often for AMSI)
- Tampering with ETL files on disk, or disabling sessions in the registry
- Blocking specific events in one process by function hooking
- Disabling tracing sessions (requires kernel-level access)

WHY do security products use ETW?
- Dynamic control: providers can be enabled/disabled in a trace session at runtime.
- Coverage breadth: far more event types can be collected.
- Less intrusive: no hooking or injection into every process is required.
- Stability: less code in the kernel is less likely to crash.
- Filtering: ETW sessions can be consumed filtered by level, keywords, etc. Kernel events need to be filtered after collection.
- Process performance: ETW sessions are buffered, callbacks are not.
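The "dynamic control" and "filtering" points above are easiest to see by driving a trace session yourself. The following PowerShell is an added example, not code from the slides or from Olaf Hartong: it starts a session for one provider with a keyword/level filter, widens the filter while the session is running, and reads the buffered events back. It assumes an elevated PowerShell on Windows 10/11 (ETW control requires admin, as the slide notes) and that logman and Get-WinEvent are available; the session name DemoProcTrace and the output path are assumptions. The provider GUID is Microsoft-Windows-Kernel-Process; the keyword bits and event IDs are taken from its manifest (confirm with `wevtutil gp Microsoft-Windows-Kernel-Process`).

```powershell
# Added example (not from the talk): consume an ETW provider through a trace session
# with keyword/level filtering, the way telemetry-driven security products do.
# Assumes an elevated PowerShell 5.1+ on Windows 10/11.

$Session  = 'DemoProcTrace'                              # assumption: any free session name
$EtlPath  = Join-Path $env:TEMP 'demo-proc.etl'          # assumption: writable output path
$Provider = '{22FB2CD6-0E7B-422B-A0C7-2FAD1FD0E716}'     # Microsoft-Windows-Kernel-Process

# Keyword bits from the provider manifest (wevtutil gp Microsoft-Windows-Kernel-Process)
$KW_PROCESS = 0x10
$KW_IMAGE   = 0x40
$LEVEL_INFO = 4                                          # TRACE_LEVEL_INFORMATION

# 1. Create and start the session in one step (-ets). Only process events are enabled:
#    the session filters on keyword and level before anything is written to its buffers.
logman create trace $Session -p $Provider $KW_PROCESS $LEVEL_INFO -o $EtlPath -ets | Out-Null

# 2. Dynamic control: change the enabled keywords of the running session without
#    restarting it or touching any process. Image-load events are now collected too.
$widened = '0x{0:X}' -f ($KW_PROCESS -bor $KW_IMAGE)
logman update trace $Session -p $Provider $widened $LEVEL_INFO -ets | Out-Null

# Produce a process start/stop and a few image loads for the session to record.
Start-Process -FilePath 'cmd.exe' -ArgumentList '/c whoami' -WindowStyle Hidden -Wait

# 3. Show what the session has enabled right now. An attacker with admin can read
#    (and change) exactly this, which is why the slide calls this out as an attack surface.
logman query $Session -ets

# 4. Stop the session; -ets sessions flush their buffers to the ETL file on stop.
logman stop $Session -ets | Out-Null

# 5. Consumer side: read the ETL back. -Oldest is required for .etl files.
$EventNames = @{ 1 = 'ProcessStart'; 2 = 'ProcessStop'; 5 = 'ImageLoad'; 6 = 'ImageUnload' }
$events = Get-WinEvent -Path $EtlPath -Oldest -ErrorAction SilentlyContinue
$events |
    Group-Object Id |
    Sort-Object Count -Descending |
    ForEach-Object {
        $name = if ($EventNames.ContainsKey([int]$_.Name)) { $EventNames[[int]$_.Name] } else { 'Other' }
        [pscustomobject]@{ EventId = $_.Name; Name = $name; Count = $_.Count }
    } | Format-Table -AutoSize

# Every process start on the box appeared here without a single hook or injected DLL,
# which is the "less intrusive" argument for ETW-based telemetry.
```

Run it once with `$KW_IMAGE` left out of the update step to see the filter take effect: the ImageLoad rows disappear while ProcessStart/ProcessStop remain. Removing the ETL afterwards (`Remove-Item $EtlPath`) is left to the reader.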

Summary:
- ETW (Event Tracing for Windows) overview: ETW is a mechanism provided by the Windows operating system to trace and log events raised by user-mode applications and kernel-mode drivers; it is designed primarily for performance monitoring and debugging.
- ETW components: the ETW architecture has three main components: providers, the trace sessions they write into (managed by controllers), and consumers.
- ETW security model: ETW providers can carry their own permission assignments; by default these are inherited from the WMI security model.
- Abusing ETW: attackers can exploit ETW weaknesses to deceive security products, for example by spoofing events or by exceeding event limits to create blind spots.
- Security products using ETW: many security products use ETW to collect telemetry, Microsoft Defender among them.
- Fixes: Microsoft has fixed some of the ETW issues, but other ETW providers used for telemetry remain at risk.
- Impact: attackers can use these weaknesses to bypass security detection, for example by spoofing events or exhausting resources.
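The "what can you do about this" side of the talk starts with checking for the common ETW attacks listed in the slides: sessions switched off in the registry, expected sessions not running, and a patched ntdll!EtwEventWrite. The script below is an added example written for this page, not code from the talk or from Olaf Hartong. It assumes an elevated PowerShell 5.1+ on Windows; the `$ExpectedSessions` baseline is an assumption to replace with the session names your own EDR and event log rely on, and the prologue byte patterns are the stubs commonly written by ETW-bypass tooling, not an exhaustive list. The patch check inspects only the current process, because reading another process's memory is what the EDR itself should be doing.

```powershell
# Added example (not from the talk): quick checks for the "common ETW attacks" above.
# Assumes an elevated PowerShell 5.1+ on Windows.

# --- 1. Autologgers or their providers disabled in the registry ------------------------
# Each boot-time session lives under ...\WMI\Autologger\<name> with a Start DWORD
# (1 = start at boot, 0 = off); each provider subkey beneath it has Enabled (1 / 0).
$AutologgerRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'

function Get-DisabledAutologgerItems {
    foreach ($logger in Get-ChildItem $AutologgerRoot -ErrorAction SilentlyContinue) {
        $props = Get-ItemProperty $logger.PSPath -ErrorAction SilentlyContinue
        if ($props.Start -eq 0) {
            [pscustomobject]@{ Kind = 'Session'; Name = $logger.PSChildName; Detail = 'Start=0' }
        }
        foreach ($prov in Get-ChildItem $logger.PSPath -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty $prov.PSPath -ErrorAction SilentlyContinue
            if ($p.Enabled -eq 0) {
                [pscustomobject]@{ Kind = 'Provider'; Name = "$($logger.PSChildName)\$($prov.PSChildName)"; Detail = 'Enabled=0' }
            }
        }
    }
}

# --- 2. Sessions that should be live but are not -------------------------------------
# `logman query -ets` lists running sessions as "<name>  Trace  Running"; columns are
# separated by runs of spaces, so the name is captured up to the first such run.
$ExpectedSessions = @('EventLog-Application', 'EventLog-System')   # assumption: your baseline

function Get-MissingSessions {
    $running = foreach ($line in (logman query -ets)) {
        if ($line -match '^(.+?)\s{2,}Trace\s{2,}Running\s*$') { $Matches[1].Trim() }
    }
    $ExpectedSessions | Where-Object { $running -notcontains $_ }
}

# --- 3. ntdll!EtwEventWrite patched in this process ----------------------------------
$Native = Add-Type -Namespace EtwCheck -Name Native -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetModuleHandle(string name);
[DllImport("kernel32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
public static extern IntPtr GetProcAddress(IntPtr module, string name);
'@

function Test-EtwEventWritePatched {
    $addr  = $Native::GetProcAddress($Native::GetModuleHandle('ntdll.dll'), 'EtwEventWrite')
    $bytes = New-Object byte[] 4
    [Runtime.InteropServices.Marshal]::Copy($addr, $bytes, 0, 4)   # own process: no handle needed
    # Stubs commonly planted by bypass tooling (assumption, not exhaustive):
    #   C3            ret
    #   33 C0 C3      xor eax, eax ; ret
    #   48 33 C0 C3   xor rax, rax ; ret
    $patched = ($bytes[0] -eq 0xC3) -or
               ($bytes[0] -eq 0x33 -and $bytes[1] -eq 0xC0 -and $bytes[2] -eq 0xC3) -or
               ($bytes[0] -eq 0x48 -and $bytes[1] -eq 0x33 -and $bytes[2] -eq 0xC0 -and $bytes[3] -eq 0xC3)
    [pscustomobject]@{
        Address  = '0x{0:X}' -f $addr.ToInt64()
        Prologue = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' '
        Patched  = $patched
    }
}

# --- Run all three ---------------------------------------------------------------------
Get-DisabledAutologgerItems | Format-Table -AutoSize
Get-MissingSessions | ForEach-Object { "Expected ETW session not running: $_" }
Test-EtwEventWritePatched
```

A clean box prints no disabled autologger items, no missing sessions, and `Patched = False` with the genuine prologue bytes. Note what these checks do not cover: an attacker who hooks EtwEventWrite elsewhere in the function, or who spoofs events rather than suppressing them (the talk's main theme), passes all three, which is exactly why the slides argue that the consumer must not trust event contents blindly.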