
EDR Bypass Testing: A Systematic Approach to Validating Endpoint Defense (PDF)

Uploaded by: 竿***   ID: 982116   2025-11-29   46 pages   2.24 MB

EDR Bypass Testing
#SECTORCA BlackHatEvents

WHOAMI

Motivation
- EDR is effective
- EDR is vulnerable
- EDR is a target
- Bypass attempts are a high-fidelity signal

Quick Distinction
AV Evasion / Pre-Execution Evasion
- Defeat signature/static/dynamic AV scanners
- Most often tied to initial access techniques
EDR Bypass / Detection Evasion
- Defeat behavioral, telemetry, or runtime monitoring
- Once execution begins or attacker has foothold

Assumptions
Attacker has:
- Initial foothold (remote)
- Local admin privileges
- Interactive GUI / remote shell / admin tools

Security Boundaries
- User to kernel (enforced by OS)
- PPL (enforced by OS)
- Tamper protection (enforced by EDR)
- Local admin to kernel: NOT a security boundary

Stopping EDR Killers
- Secure Boot
- HVCI
- Signed WDAC Policy
- Microsoft Recommended Driver Block Rules

What's Next?

EDR Attack Surface & Surveyor Tool

EDR Attack Surface
- Large attack surface across various components
- User mode / kernel mode
- Services, Drivers, GUI Applications

13 Core Data Collection Categories

Process Enumeration
Collection Methods
- Basic Enumeration: CreateToolhelp32Snapshot() + Process32FirstW/NextW()
- Enhanced with Driver: Kernel-level process enumeration for accurate PPL detection
- WMI Integration: Command line arguments, session IDs, performance counters
- Module Analysis: EnumProcessModules() + GetModuleFileNameExW()
EDR Attack Surface Relevance
- PPL Bypass Requirements: Critical for understanding which processes are protected
- Injection Target Analysis: Identifies suitable processes for code injection
- Signature Validation: Understanding trust chains and unsigned process det

Based on the tagged content, the document centres on bypass testing for EDR (Endpoint Detection and Response). Key points:
1. EDR Bypass Testing Motivation: EDR is effective, but it has weaknesses and attackers will try to bypass it.
2. EDR Bypass/Detection Evasion: defeating behavioral, telemetry, or runtime monitoring.
3. Stopping EDR Killers: using Secure Boot, HVCI, signed WDAC policies, and similar controls.
4. EDR Attack Surface: spans user mode/kernel mode, services, drivers, GUI applications, and more.
5. 13 Core Data Collection Categories: including process enumeration, driver analysis, kernel callbacks, ETW analysis, network analysis, registry analysis, AMSI provider analysis, service analysis, user context and privilege analysis, and security feature assessment.
6. Surveyor Tool Value Proposition: provides comprehensive reconnaissance, EDR intelligence, attack surface mapping, and defensive posture assessment.
7. Critical Insights: kernel callbacks are the primary EDR detection mechanism; ETW provides broad behavioral monitoring capability; process protection affects security boundaries; registry configuration reveals important security settings; driver analysis gives insight into the system's security architecture.
8. EDR Bypass Matrix: covers multiple bypass techniques such as BootExecute Bypass and WDAC Bypass.
9. Key Takeaways: EDR is a primary target for attackers, the attack surface is large and complex, and defensive strategies need continuous updating.