
The Hunt for Silent Compromise.pdf

Uploader: 可*** ID: 991793 2025-12-07 14 pages 1.23MB

The Hunt for Silent Compromise: Detecting Cloud-Native Persistence Without Malware or Alerts
Ankit Gupta, Shilpi Mittal

Agenda
- Modern Threat Landscape
- Attacker Techniques
- Hunting Strategies
- Case Studies
- Defense & Takeaways

The "Silent Compromise" Defined
- Silent Compromise: no alerts triggered
- Cloud-Native Persistence: uses legit functionality
- Appears as "business as usual" activity
- Often detected late, if at all

Core Persistence Vectors to Prioritize
- OAuth app abuse and illicit consent
- Service principals and app credentials
- Token replay and gaps in conditional access
- API keys and long-lived secrets
- Passive infrastructure abuse: rules, connectors, automation

OAuth Apps: Illicit Consent Grants
- Consent phishing: the "Grant access" scam
- Attacker's app gets an OAuth token for the user
- Long-lived access via refresh tokens
- No malware on the endpoint; uses legit API calls

Unified Hunting and Telemetry Framework
- Hunt by layers: identity, apps, mail, and data
- Collect logs from Entra, AWS, Okta, and SaaS apps
- Correlate in one SIEM or data lake for full context

Behavioral Indicators That Matter
- New app consent with broad scopes
- Token use from a new geo or impossible travel
- Non-admin creating admins or adding app secrets
- Sudden bulk read of mail or files by a new principal

Ready-to-Deploy Hunts in Sentinel KQL
- High-risk OAuth consent
- Abnormal refresh token usage

AWS and Okta Hunt Patterns
- CloudTrail: new keys and policy changes
- Okta: admin and token events

Case Snapshots and Lessons
- Compromised Cloud Compute Credentials (Unit 42)
- Commvault Azure Breach & M365 Lateral Movement
- Microsoft AI/Azure Data Exposure via SAS Misconfiguration

Action Plan and Takeaways
- Enable and retain critical logs and protect trails
- Restrict consent and disable legacy protocols
- Ship the sample hunts and tune for your org
- Automate
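As an added example (not from the slide deck), the following Python sketch correlates two of the behavioral indicators above: a new consent with broad scopes and later refresh-token use from a geography the user has never signed in from interactively. The flat record shape, the scope list and the sample events are constructed simplifications, not the Entra AuditLogs or SigninLogs schema.

```python
from collections import defaultdict

# Delegated scopes that give broad reach; offline_access is the one that makes a
# consent durable, because it yields a refresh token (the "long-lived access" slide).
BROAD_SCOPES = {"offline_access", "Mail.Read", "Mail.ReadWrite",
                "Files.Read.All", "Directory.Read.All"}

def risky_consents(consents, admin_users=frozenset()):
    """Consent records whose granted scopes overlap BROAD_SCOPES."""
    hits = []
    for ev in consents:
        broad = set(ev["scopes"].split()) & BROAD_SCOPES
        if broad:
            hits.append({**ev, "broad_scopes": sorted(broad),
                         "durable": "offline_access" in broad,
                         "non_admin_consent": ev["user"] not in admin_users})
    return hits

def refresh_token_anomalies(signins):
    """Refresh-token sign-ins from a country the user never used interactively.
    The baseline comes only from interactive sign-ins, so a replayed token from a
    new geography cannot poison its own baseline."""
    baseline = defaultdict(set)
    for ev in signins:
        if ev["grant"] == "interactive":
            baseline[ev["user"]].add(ev["country"])
    return [ev for ev in signins if ev["grant"] == "refresh_token"
            and ev["country"] not in baseline[ev["user"]]]

def hunt(consents, signins, admin_users=frozenset()):
    """Correlate both indicators: same user and app, broad-scope consent first,
    anomalous refresh-token use afterwards. Returns sorted (user, app_id) pairs."""
    anomalies = refresh_token_anomalies(signins)
    return sorted({(c["user"], c["app_id"])
                   for c in risky_consents(consents, admin_users)
                   for a in anomalies
                   if (a["user"], a["app_id"]) == (c["user"], c["app_id"]) and a["ts"] > c["ts"]})

# Constructed sample records; ts is a simple counter, not a real timestamp.
SAMPLE_CONSENTS = [
    {"ts": 100, "user": "alice", "app_id": "app-legit", "scopes": "User.Read"},
    {"ts": 110, "user": "alice", "app_id": "app-sus", "scopes": "offline_access Mail.Read Files.Read.All"},
    {"ts": 120, "user": "bob", "app_id": "app-inventory", "scopes": "Directory.Read.All"},
]
SAMPLE_SIGNINS = [
    {"ts": 50, "user": "alice", "app_id": "portal", "grant": "interactive", "country": "US"},
    {"ts": 200, "user": "alice", "app_id": "app-sus", "grant": "refresh_token", "country": "NL"},
    {"ts": 210, "user": "alice", "app_id": "app-legit", "grant": "refresh_token", "country": "US"},
]
```

Running `hunt(SAMPLE_CONSENTS, SAMPLE_SIGNINS, admin_users={"bob"})` on the constructed data returns `[('alice', 'app-sus')]`: the admin's broad consent alone is only a lead, while the non-admin consent followed by refresh-token use from a new country is the combination worth triaging.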
