Actually, your blue team is red. Stealing your red move from the blue side

Chinese / In-Person / Blue Team

What does it look like when the blue team detects an unknown nuke exploit and even reproduces it successfully? We start with a case study in which 🍊 from DEVCORE demonstrated his Pwn2Own exploit, ProxyShell, for the very first time. We'll show how we detected the ProxyShell exploit before the 1-day exploit had been published, and how we then reproduced the whole exploit chain through reverse engineering, many failed attempts and guesswork, even discovering another unknown 1-day exploit along the way, with only a few logs and materials to work from.

Next, we'll share how, as an MDR service provider, we monitor and defend our customers so that they can focus only on the guidance in the incident report. We'll also show how we do this through practical real-world cases.

Finally, we'll give our view on why a highly monitored environment with real experts carefully inspecting alerts, such as MDR, is a nightmare for threat actors and red teams. We conclude with some general techniques and tricks for sneaking under the radar and hiding your tracks when facing such a highly monitored environment.

Outline

  • MDR service provider
  • Case Study (DEVCORE RedTeam & 🍊)
    • Analysis of the red team operation
    • Reproducing the unrevealed exploit - ProxyShell
  • Detection Engineering
  • ProxyShell In The Wild
  • Practical EDR/MDR bypass
  • Summary

Charles Yang

Charles Yang is the principal threat researcher at CoreCloud, where he focuses on reverse engineering, APT threat analysis and incident response. He loves to steal zero days from threat actors.
Evan Huang

Evan Huang is a threat analysis researcher at CoreCloud, where he focuses on post-exploitation, detection engineering and threat hunting. What he does to kill time is basically send messages through DNS tunnels owned by threat actors and hope to get a response.

English interpretations will be provided for all sessions not presented in English.

Agenda Table


  • 00:30 Attendee Registration
  • 01:20 Welcome Speech & Event Introduction
  • 02:10
  • 03:00 Break
  • 03:15
  • 04:05 Lunch
  • 05:00
  • 05:45 Break
  • 06:00
  • 06:45 Tea Time
  • 07:00
  • 07:25
  • 08:10 Break
  • 08:25
  • 09:10 Closing