EDR旁路测试:验证端点防御的系统方法.pdf

编号:982116 PDF 46页 2.24MB 下载积分:VIP专享
下载报告请您先登录!

1、#SECTORCA BlackHatEventsEDR Bypass Testing#SECTORCA BlackHatEventsWHOAMI#SECTORCA BlackHatEventsMotivation EDR is effective EDR is vulnerable EDR is a target Bypass attempts are a high-fidelity signal#SECTORCA BlackHatEventsQuick DistinctionAV Evasion/Pre-Execution Evasion Defeat signature/static/dy

2、namic AV scanners Most often tied to initial access techniquesEDR Bypass/Detection Evasion Defeat behavioral,telemetry,or runtime monitoring Once execution begins or attacker has foothold#SECTORCA BlackHatEventsAssumptionsAttacker has:Initial foothold(remote)Local admin privileges Interactive GUI/re

3、mote shell/admin tools#SECTORCA BlackHatEventsSecurity BoundariesUser to kernel(enforced by OS)PPL(enforced by OS)Tamper protection(enforced by EDR)Local admin to kernel NOT a security boundary#SECTORCA BlackHatEventsStopping EDR KillersSecure BootHVCISigned WDAC PolicyMicrosoft Recommended Driver B

4、lock Rules#SECTORCA BlackHatEventsWhats Next?#SECTORCA BlackHatEventsEDR Attack Surface&Surveyor Tool#SECTORCA BlackHatEventsEDR Attack SurfaceLarge attack surface across various componentsUser mode/kernel modeServices,Drivers,GUI Applications#SECTORCA BlackHatEvents13 Core Data Collection Categorie

5、s#SECTORCA BlackHatEventsProcess EnumerationCollection Methods Basic Enumeration:CreateToolhelp32Snapshot()+Process32FirstW/NextW()Enhanced with Driver:Kernel-level process enumeration for accurate PPL detection WMI Integration:Command line arguments,session IDs,performance counters Module Analysis:

6、EnumProcessModules()+GetModuleFileNameExW()EDR Attack Surface Relevance PPL Bypass Requirements:Critical for understanding which processes are protected Injection Target Analysis:Identifies suitable processes for code injection Signature Validation:Understanding trust chains and unsigned process det

友情提示

1、下载报告失败解决办法
2、PDF文件下载后,可能会被浏览器默认打开,此种情况可以点击浏览器菜单,保存网页到桌面,就可以正常下载了。
3、本站不支持迅雷下载,请使用电脑自带的IE浏览器,或者360浏览器、谷歌浏览器下载即可。
4、本站报告下载后的文档和图纸-无水印,预览文档经过压缩,下载后原文更清晰。

本文(EDR旁路测试:验证端点防御的系统方法.pdf)为本站 (竿头日上) 主动上传,三个皮匠报告文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知三个皮匠报告文库(点击联系客服),我们立即给予删除!

温馨提示:如果因为网速或其他原因下载失败请重新下载,重复下载不扣分。
客服
商务合作
小程序
服务号
折叠