EDR and the Tricks for Going Around It / JohnThunder
===
Speaker: 姜尚德

* EPP: for prevention and protection, e.g. antivirus software
* EDR: covers detection and response; endpoint detection, an agent that records, a console for observation
  * user-mode hooks: observe behaviour, who writes what, etc.
  * kernel-mode hooks: system-privilege flows
  * the lower the hook sits, the more useful it is, but the harder it is to build
* hooking: overwrites the original ASM code in memory
* minifilter kernel-mode driver

Free tools
1. sysmon
   * from Windows (Microsoft)
   * a configuration has to be written
   * configs are available online, but the output is huge, so it is best to curate; like a video recorder, it records everything
2. osquery
   * from Facebook
   * supports Linux, Mac, Windows (but not always the latest version)
   * like a camera: it only captures when you take a shot

* bypass alert
  - pcalua (original process)
    - can run other programs for you
    - winword calls pcalua, which calls powershell >> bypasses the alert
* How does EDR detect a PowerShell attack?
  1. Loaded modules (loading a specific .dll)
  2. Called APIs (it will call .net, .lib; if you can hook all the APIs, you know PowerShell's behaviour)
  3. Process parameters (suspicious PowerShell process command line)
  4. Microsoft AMSI
* bypass
  - disable AMSI
  - obfuscated PowerShell command
* other tricks
  - change the system time > timestamps drift > alert correlation breaks
  - hijack a whitelisted object >> whitelisted objects leave no log record
  - WMI

### demo

### Attack approach [figure]

###### tags: `HITCONCMT2019`,`HITCONCMT`,`HITCON`
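The note lists the signals an EDR uses to spot PowerShell (loaded module, command-line parameters, the launching process) and two of the tricks that are meant to defeat them (an intermediate launcher such as pcalua between winword and powershell, and shifting the system clock so that alert correlation breaks). The detector below is an added example, not code from the talk or the note-taker; it shows how those signals look from the defender's side when run over recorded process-create and image-load events. The event dictionaries, their field names (`record`, `utc`, `pid`, `ppid`, `image`, `cmdline`, `loaded`) and the name lists are my own constructed simplification of Sysmon Event ID 1 and Event ID 7 data, not the real Sysmon schema. The ancestry walk is what turns the "winword > pcalua > powershell" chain back into a finding even though powershell's direct parent looks harmless, and the timestamp check flags the point where the clock was moved back instead of silently losing the correlation.

```python
import re
from datetime import datetime

# Constructed sample events (not real Sysmon output). Field names are an
# assumed simplification of Sysmon Event ID 1 (ProcessCreate, id=1) and
# Event ID 7 (ImageLoad, id=7). The "-enc" argument is a base64 placeholder.
SAMPLE_EVENTS = [
    {"record": 1, "utc": "2019-08-23T10:00:00", "id": 1, "pid": 4000, "ppid": 1200,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n invoice.docx"},
    {"record": 2, "utc": "2019-08-23T10:00:05", "id": 1, "pid": 4100, "ppid": 4000,
     "image": r"C:\Windows\System32\pcalua.exe",
     "cmdline": "pcalua.exe -a powershell.exe"},
    {"record": 3, "utc": "2019-08-23T10:00:06", "id": 1, "pid": 4200, "ppid": 4100,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc UGxhY2Vob2xkZXI="},
    {"record": 4, "utc": "2019-08-23T10:00:07", "id": 7, "pid": 4300,
     "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\assembly\GAC_MSIL\System.Management.Automation\System.Management.Automation.dll"},
    {"record": 5, "utc": "2019-08-23T09:30:00", "id": 1, "pid": 4400, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
]

# Assumed name lists; a real deployment would tune these to its own estate.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
PROXY_LAUNCHERS = {"pcalua.exe"}          # the launcher named in the notes
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# PowerShell accepts unique prefixes of its parameters, so match the short forms too.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)\s-(?:e|ec|enc|encodedcommand|nop|noprofile|noni|noninteractive"
    r"|(?:w|win|windowstyle)\s+hidden|(?:ep|exec|executionpolicy)\s+bypass)\b"
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, procs: dict) -> list:
    """Image names from pid up to the root, using the ProcessCreate events seen so far."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def analyse(events: list) -> list:
    """Return (record, finding) tuples for the signals the notes describe."""
    findings = []
    procs = {}        # pid -> its ProcessCreate event, for rebuilding the process tree
    last_ts = None
    for ev in events:
        # Records are written in order; a timestamp that goes backwards means the
        # clock moved, which is exactly what breaks time-based alert correlation.
        ts = datetime.fromisoformat(ev["utc"])
        if last_ts is not None and ts < last_ts:
            findings.append((ev["record"], "timestamp earlier than previous record; possible clock change"))
        last_ts = ts

        if ev["id"] == 1:
            procs[ev["pid"]] = ev
            if basename(ev["image"]) in POWERSHELL_HOSTS:
                chain = ancestry(ev["pid"], procs)          # e.g. [powershell, pcalua, winword]
                parent = chain[1] if len(chain) > 1 else None
                if parent in PROXY_LAUNCHERS:
                    findings.append((ev["record"], f"powershell started through proxy launcher {parent}"))
                # Look past the direct parent: the intermediate launcher does not hide Office.
                if any(a in OFFICE_APPS for a in chain[1:]):
                    findings.append((ev["record"], "office application in powershell ancestry: " + " <- ".join(chain)))
                if SUSPICIOUS_FLAGS.search(" " + ev["cmdline"]):
                    findings.append((ev["record"], "suspicious powershell command-line flags"))
        elif ev["id"] == 7:
            # PowerShell hosted in some other process still has to load the automation DLL.
            if (basename(ev["loaded"]) == "system.management.automation.dll"
                    and basename(ev["image"]) not in POWERSHELL_HOSTS):
                findings.append((ev["record"], f"{basename(ev['image'])} loaded System.Management.Automation.dll"))
    return findings


if __name__ == "__main__":
    for record, finding in analyse(SAMPLE_EVENTS):
        print(f"record {record}: {finding}")
```

On the constructed sample the powershell record picks up three findings (proxy launcher, Office in the ancestry, suspicious flags), the notepad image load one, and the cmd record one for the backwards timestamp. The "called API" signal from the notes is not covered here because it lives in user-mode hooks inside the process, not in a log stream.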