The Hunt for Silent Compromise.pdf

ID: 991793 | PDF | 14 pages | 1.23 MB

The Hunt for Silent Compromise: Detecting Cloud-Native Persistence Without Malware or Alerts
Ankit Gupta, Shilpi Mittal

Agenda
- Modern Threat Landscape
- Attacker Techniques
- Hunting Strategies
- Case Studies
- Defense & Takeaways

The "Silent Compromise" Defined
- Silent Compromise: No alerts triggered
- Cloud-Native Persistence: Uses legit functionality
- Appears as "business as usual" activity
- Often detected late, if at all

Core Persistence Vectors to Prioritize
- OAuth app abuse and illicit consent
- Service principals and app credentials
- Token replay and gaps in conditional access
- API keys and long-lived secrets
- Passive infrastructure abuse: rules, connectors, automation

OAuth Apps: Illicit Consent Grants
- Consent Phishing: "Grant access" scam
- Attacker's app gets an OAuth token for the user
- Long-Lived Access: via refresh tokens
- No malware on endpoint; uses legit API calls

Unified Hunting and Telemetry Framework
- Hunt by layers: identity, apps, mail, and data
- Collect logs from Entra, AWS, Okta, and SaaS apps
- Correlate in one SIEM or data lake for full context

Behavioral Indicators That Matter
- New app consent with broad scopes
- Token use from a new geo or impossible travel
- Non-admin creating admins or adding app secrets
- Sudden bulk read of mail or files by a new principal

Ready to Deploy Hunts in Sentinel KQL
- High-risk OAuth consent
- Abnormal refresh token usage

AWS and Okta Hunt Patterns
- CloudTrail new keys and policy changes
- Okta admin and token events

Case Snapshots and Lessons
- Compromised Cloud Compute Credentials (Unit 42)
- Commvault Azure Breach & M365 Lateral Movement
- Microsoft AI/Azure Data Exposure via SAS Misconfiguration

Action Plan and Takeaways
- Enable and retain critical logs and protect trails
- Restrict consent and disable legacy protocols
- Ship the sample hunts and tune for your org
- Automate
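Three of the indicators listed under "Behavioral Indicators That Matter" (broad consent, non-admin credential changes, bulk reads by a new principal), written as detection logic in an added Python example that is not from the slides or the speakers. The event schema, thresholds, scope watchlist and every sample event are constructed assumptions; real Entra, CloudTrail or Okta records would first have to be normalized into this shape.

```python
from datetime import datetime, timedelta

# Assumed thresholds and watchlists; tune them for your own tenant.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All",
                "Files.ReadWrite.All", "Directory.ReadWrite.All"}
PRIVILEGED_ACTIONS = {"add_app_secret", "grant_admin_role"}
NEW_PRINCIPAL_AGE = timedelta(days=7)  # principal counts as "new" for 7 days
BULK_READ_ITEMS = 500                  # mail/file items read in one event

# Constructed sample events in a simplified schema (not a real log format):
# (time, actor, actor_is_admin, action, principal, scopes, item_count)
EVENTS = [
    ("2025-01-10T08:00:00", "backup-svc", False, "read", "backup-svc", [], 20),
    ("2025-03-01T09:00:00", "alice", False, "consent", "notes-sync", ["User.Read"], 0),
    ("2025-03-03T10:15:00", "bob", False, "consent", "pdf-viewer-pro",
     ["Mail.Read", "Files.Read.All", "offline_access"], 0),
    ("2025-03-03T10:40:00", "pdf-viewer-pro", False, "read", "pdf-viewer-pro", [], 1800),
    ("2025-03-04T02:10:00", "carol", False, "add_app_secret", "billing-api", [], 0),
    ("2025-03-05T11:00:00", "dave", True, "add_app_secret", "billing-api", [], 0),
    ("2025-03-05T23:30:00", "backup-svc", False, "read", "backup-svc", [], 5000),
]

def hunt(events):
    """Return (indicator, principal, detail) findings in time order."""
    first_seen, findings = {}, []
    for ts, actor, is_admin, action, principal, scopes, items in sorted(events):
        when = datetime.fromisoformat(ts)
        # Age of the principal at this event; zero the first time it is seen.
        age = when - first_seen.setdefault(principal, when)
        if action == "consent":
            broad = sorted(BROAD_SCOPES.intersection(scopes))
            if broad:
                # offline_access yields refresh tokens, i.e. long-lived access
                life = "long-lived" if "offline_access" in scopes else "short-lived"
                findings.append(("broad_consent", principal, f"{actor}: {broad} ({life})"))
        elif action in PRIVILEGED_ACTIONS and not is_admin:
            findings.append(("non_admin_privileged_change", principal, f"{actor}: {action}"))
        elif action == "read" and items >= BULK_READ_ITEMS and age < NEW_PRINCIPAL_AGE:
            findings.append(("bulk_read_new_principal", principal, f"{items} items"))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```

The established `backup-svc` principal reads far more items than the new app but is not flagged, because the bulk-read rule keys on principal age rather than volume alone.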
