I'm in your logs now, deceiving your analysts and blinding your EDR system.pdf

ID: 981870 | PDF | 99 pages | 29.13 MB | Download credits: VIP only


#BHUSA BlackHatEvents

I'm in your logs now, deceiving your analysts and blinding your EDR
Olaf Hartong, Detection Engineer and Security Researcher

About the speaker:
- Purple teaming, threat hunting
- Security MVP
- Former documentary photographer
- Father of 2 boys
- "I like warm hugs"

Today's topics:
- WHAT is Event Tracing for Windows (ETW)
- WHY security products use ETW
- Can I spoof events?
- Can I further (ab)use this?
- What can you do with/about this?

What is Event Tracing for Windows (ETW)

Event Tracing for Windows (ETW) provides a mechanism to trace and log events that are raised by user-mode applications and kernel-mode drivers. It has been designed for performance monitoring and debugging. ETW is implemented in the Windows operating system and provides a fast, reliable, and versatile set of event tracing features. Its architecture consists of three primary components:

The next slides provide a simplified overview of ETW, only focused on the components I've abused.
* Requires admin privileges, unless explicitly permitted
(logical flow)

Common ETW attacks (https://attack.mitre.org/techniques/T1562/006/)
- Patching the ntdll.dll EtwEventWrite function (often AMSI)
- Tampering with ETL files on disk or disabling sessions in the registry
- Blocking specific events in one process by function hooking
- Disabling tracing sessions (requires kernel level access)

WHY security products use ETW
- Dynamic control: providers can be enabled/disabled in a trace session at runtime
- Coverage breadth: way more event types can be collected
- Less intrusive: no hooking or injection required in all processes
- Stability: less code in the kernel is less likely to crash
- Filtering: ETW sessions can be consumed filtered by level, keywords, etc. Kernel events need to be filtered after collection.
- Process performance: ETW sessions are buffered, callbacks are not.

WHY do security products use ETW
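The registry-side variant of the ETW tampering listed above (disabling AutoLogger sessions or individual providers under the WMI\Autologger key) can be audited from the defender side. This is an added example, not code from Olaf Hartong's talk; it assumes an elevated PowerShell on Windows 10 or later, and the session names in $ExpectedSessions are placeholders to replace with the sessions your EDR and event logging actually depend on.

```powershell
# Added example: audit ETW AutoLogger sessions for registry-level tampering.
# Assumptions: elevated shell, Windows 10+; $ExpectedSessions is a constructed
# watch-list (placeholder names), not a list taken from the slides.
$AutologgerRoot   = 'HKLM:\SYSTEM\CurrentControlSet\Control\WMI\Autologger'
$ExpectedSessions = @('EventLog-System', 'EventLog-Security', 'DefenderApiLogger')
$Findings = @()

foreach ($SessionName in $ExpectedSessions) {
    $Path = Join-Path $AutologgerRoot $SessionName
    if (-not (Test-Path $Path)) {
        # A deleted key means the session will never be created at boot
        $Findings += [pscustomobject]@{ Session = $SessionName; Provider = ''; Issue = 'AutoLogger key missing' }
        continue
    }
    # Start=1 is required for the session to be started at boot
    $Start = (Get-ItemProperty -Path $Path -Name Start -ErrorAction SilentlyContinue).Start
    if ($Start -ne 1) {
        $Findings += [pscustomobject]@{ Session = $SessionName; Provider = ''; Issue = "Start=$Start (will not autostart)" }
    }
    # Each provider is a GUID-named subkey; Enabled=0 silently drops that provider's events
    foreach ($Prov in Get-ChildItem -Path $Path -ErrorAction SilentlyContinue) {
        $Enabled = (Get-ItemProperty -Path $Prov.PSPath -Name Enabled -ErrorAction SilentlyContinue).Enabled
        if ($Enabled -ne 1) {
            $Findings += [pscustomobject]@{ Session = $SessionName; Provider = $Prov.PSChildName; Issue = "Enabled=$Enabled" }
        }
    }
}

# Cross-check the live state: an intact registry entry does not prove the session
# is still running, since a session can be stopped at runtime without touching the registry
$Live = (logman query -ets) 2>$null
foreach ($SessionName in $ExpectedSessions) {
    if (-not ($Live -match "^\s*$([regex]::Escape($SessionName))\s")) {
        $Findings += [pscustomobject]@{ Session = $SessionName; Provider = ''; Issue = 'not running (logman query -ets)' }
    }
}

$Findings | Format-Table -AutoSize
```

Schedule the script from an account the endpoint's users cannot modify and forward its findings off-host, since an attacker able to edit these keys can also edit a locally stored report.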
