
Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition).pdf

Uploaded by: 竿***   ID: 981921   2025-11-29   47 pages   1.79MB

#BHUSA @BlackHatEvents

Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)
Rex Guo, Khang Nguyen

Alert Fatigue in Enterprise SOC
- 1K-10K+ alerts/day
- 99% false positives
- Most alerts are medium and low severity

The Consequences of Alert Fatigue
- Ignore medium/low alerts
- Shallow investigations
- Most are medium and low severity
- Suppress noisy alerts

Is Default EDR Detection Sufficient?
- Many SOC teams rely on default EDR configuration to provide detection
- 4 principles to downgrade or avoid the detections

Rex Guo
- CEO/Co-Founder, Culminate
- DEFCON 2024 SOC Competition, #1 human efficiency
- Engineering: Lacework, XMCyber, Cisco
- 4th time at Black Hat

Khang Nguyen
- Founding Security Researcher
- Started in binary analysis & vulnerability research
- Moved to full-stack exploit dev
- Playing & hacking FPS games

Alert Severity in Chosen EDRs
- CrowdStrike: Critical, high, medium, low
- MS Defender: High, medium, low
- SentinelOne: Malicious, Suspicious

Targeting Linux Server Workload

Linux Server Threat Landscape

Linux Target Infrastructure
- Spring Cloud Function hosted inside a Docker container
- Vulnerable to CVE-2022-22963
- Docker container hosted on an EC2 instance
- EC2 instance has EDRs installed
- EC2 instance is connected to other services, i.e., S3 buckets

AWS Infrastructure (diagram): Spring Cloud Function -> Docker Container -> Linux EC2 Instance -> S3 Bucket, S3 Bucket, S3 Bucket

Attack Chain Plan
- Exploit CVE-2022-22963
- Drop Container Escape Exploit
- Drop Shell Utility & Establish session
- Escape to Host
- Persist on Host
- Exfil Data
- Establish Shell Session from Host

Attack Chain Attempt #1 (Cont.)
- Exploit CVE-2022-22963
- Drop Shell Utility & Establish session

CVE-2022-22963 Vulnerability
- Spring Cloud Function is used regularly for API gateways, serverless applications
- Uncontrolled Spring Expression Language (SpEL) evaluation leading to RCE
- Provide a crafted SpEL using routing functiona

According to the report's content, the full text mainly examines the challenges facing enterprise security operations centers (SOCs), in particular alert fatigue and the limitations of default endpoint detection and response (EDR). The key points are:
1. **Alert fatigue**: Enterprise SOCs face a huge volume of alerts every day, over 99% of them false positives, which causes alert fatigue and reduces the depth of investigations.
2. **Insufficient EDR detection**: Many SOC teams rely on default EDR configuration, and there are 4 principles for downgrading or avoiding its detections.
3. **Attack case studies**: Using Linux and Windows endpoint attack cases, the paper shows how attackers exploit gaps in EDR detection.
4. **Attack strategies**: Attackers use "living-off-the-land" and "masquerading" techniques to reduce attack traces and lower the probability of detection.
5. **Detection challenges**: Attackers lower detection rates through abstraction layers, by reducing attack signatures, and by using tools already present on the system.
6. **Recommendations**: The paper recommends that SOC teams build customized detections, improve detection coverage, and use automation and AI for investigation.