Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition).pdf

ID: 981921 | PDF | 47 pages | 1.79 MB | Download credits: VIP only

#BHUSA BlackHatEvents
Death by Noise: Abusing Alert Fatigue to Bypass the SOC (EDR Edition)
Rex Guo, Khang Nguyen

Alert Fatigue in Enterprise SOC
- 1K-10K+ alerts/day
- 99% false positives (https:/ )
- ... are medium and low severity

The Consequences of Alert Fatigue
- Ignore medium/low alerts
- Shallow investigations
- Most are medium and low severity
- Suppress noisy alerts

Is Default EDR Detection Sufficient?
- Many SOC teams rely on default EDR configuration to provide detection
- 4 principles to downgrade or avoid the detections

Rex Guo
- CEO/Co-Founder, Culminate
- DEFCON 2024 SOC Competition, #1 human efficiency
- Engineering: Lacework, XMCyber, Cisco
- 4th Time Blackhat

Khang Nguyen
- Founding Security Researcher
- Started in binary analysis & vulnerability research
- Moved to Fullstack Exploit Dev
- Playing & hacking FPS games

Alert Severity in Chosen EDRs
- Crowdstrike: Critical, high, medium, low
- MS Defender: High, medium, low
- SentinelOne: Malicious, Suspicious

Targeting Linux Server Workload

Linux Server Threat Landscape

Linux Target Infrastructure
- Spring Cloud Function hosted inside a Docker container
- Vulnerable to CVE-2022-22963
- Docker container hosted on an EC2 instance
- EC2 instance has EDRs installed
- EC2 instance is connected to other services, i.e., S3 buckets

AWS Infrastructure (diagram): Spring Cloud Function, Docker Container, Linux EC2 Instance, S3 Bucket, S3 Bucket, S3 Bucket

Attack Chain Plan (diagram)
- Exploit CVE-2022-22963
- Drop Container Escape Exploit
- Drop Shell Utility & Establish session
- Escape to Host
- Persist on Host
- Exfil Data
- Establish Shell Session from Host

Attack Chain Attempt #1 (Cont.)
- Exploit CVE-2022-22963
- Drop Shell Utility & Establish session

CVE-2022-22963 Vulnerability
- Spring Cloud Function is used regularly for API gateways, serverless applications
- Uncontrolled Spring Expression Language (SpEL) evaluation leading to RCE
- Provide a crafted SpEL using routing functiona (preview text truncated here)
