Actually, your blue team is red. Stealing your red move from the blue side
Time: 05:00 ~ 05:45
Site: R2
What does it look like, from the perspective of a blue team, when you detect an unknown nuke exploit and even reproduce it successfully? We start by sharing a case study in which 🍊 from DEVCORE demonstrated his exploit from Pwn2Own, ProxyShell, for the very first time. We'll show you how we detected the ProxyShell exploit at a time when the 1-day exploit hadn't been published yet, and how we eventually reproduced the whole exploit chain through reverse engineering, tons of failed attempts, guessing, and even discovering another unknown 1-day exploit during the process, with only the help of a few logs and materials.
Next, we'll share how we, as an MDR service provider, monitor and defend our customers so that they only need to focus on the guidance in the incident report. We'll also show how we do that through practical real-world cases.
Lastly, we'll give our view on why a highly monitored environment with real experts carefully inspecting alerts, such as MDR, is a nightmare for threat actors and red teams. We conclude with some general techniques and tricks for sneaking under the radar and hiding your tracks when facing a highly monitored environment.
Outline
- MDR service provider
- Case Study (DEVCORE RedTeam & 🍊)
- Analysis of the red team operation
- Reproduce the unrevealed exploit - ProxyShell
- Detection Engineering
- ProxyShell In The Wild
- Practical EDR/MDR bypass
- Summary

Charles Yang
