Fayilolin ganowa, ko fayilolin Prefetch, sun kasance a cikin Windows tun XP. Tun daga wannan lokacin, sun taimaka masu bincike na dijital da ƙwararrun masu ba da amsa lamarin kwamfuta gano alamun software, gami da malware. Babban ƙwararre a fagen binciken kwamfyuta Group-IB Oleg Skulkin yana gaya muku abin da zaku iya samu ta amfani da fayilolin Prefetch da yadda ake yin su.
Ana adana fayilolin Prefetch a cikin kundin adireshi %SystemRoot%Prefetch da kuma yin hidima don hanzarta aiwatar da ƙaddamar da shirye-shirye. Idan muka kalli ɗayan waɗannan fayiloli, za mu ga cewa sunansa ya ƙunshi sassa biyu: sunan fayil ɗin da za a iya aiwatarwa da kuma adadin haruffa takwas daga hanyar zuwa gare shi.
Fayilolin Prefetch sun ƙunshi bayanai da yawa masu amfani daga mahangar bincike: sunan fayil ɗin da za a iya aiwatarwa, adadin lokutan da aka aiwatar da shi, jerin fayiloli da kundayen adireshi waɗanda fayil ɗin da za a iya aiwatarwa ya yi hulɗa da su, kuma, ba shakka, tambura. Yawanci, masana kimiyya na bincike suna amfani da ranar ƙirƙirar wani takamaiman fayil na Prefetch don tantance ranar da aka fara ƙaddamar da shirin. Bugu da ƙari, waɗannan fayilolin suna adana ranar ƙaddamar da ƙaddamarwa ta ƙarshe, kuma suna farawa daga sigar 26 (Windows 8.1) - tambarin lokutan gudu bakwai na baya-bayan nan.
Bari mu ɗauki ɗaya daga cikin fayilolin Prefetch, cire bayanai daga ciki ta amfani da Eric Zimmerman's PECmd kuma mu kalli kowane ɓangaren sa. Don nunawa, zan cire bayanai daga fayil CCLEANER64.EXE-DE05DBE1.pf.
Don haka bari mu fara daga sama. Tabbas, muna da ƙirƙira fayil, gyare-gyare, da samun dama ga tambura:
Suna biye da sunan fayil ɗin da za a iya aiwatarwa, ƙididdigar hanyar zuwa gare shi, girman fayil ɗin da za a iya aiwatarwa, da sigar fayil ɗin Prefetch:
Tun da muna mu'amala da Windows 10, na gaba za mu ga adadin farawa, kwanan wata da lokacin farkon farawa, da ƙarin tambura bakwai waɗanda ke nuna kwanakin ƙaddamar da baya:
Waɗannan suna biye da bayanin game da ƙarar, gami da lambar serial ɗin sa da kwanan watan ƙirƙira:
Ƙarshe amma ba kalla ba shine jerin kundayen adireshi da fayiloli waɗanda mai aiwatarwa ya yi hulɗa da su:
Don haka, kundayen adireshi da fayilolin da masu aiwatarwa suka yi hulɗa da su sune ainihin abin da nake so in mayar da hankali akai a yau. Wannan bayanan ne ke ba ƙwararrun masana ilimin kimiya na dijital, martani game da abin da ya faru na kwamfuta, ko farautar barazanar farauta don tabbatar ba kawai gaskiyar aiwatar da wani fayil ba, har ma, a wasu lokuta, don sake gina takamaiman dabaru da dabarun maharan. A yau, maharan sau da yawa suna amfani da kayan aikin don share bayanai na dindindin, misali, SDelete, don haka ikon dawo da aƙalla alamun amfani da wasu dabaru da dabaru ya zama dole ga kowane mai karewa na zamani - ƙwararren masani na kwamfuta, ƙwararren mai ba da amsa aukuwa, ThreatHunter gwani.
Bari mu fara da dabara ta Farko (TA0001) da kuma mafi shaharar dabara, Spearphishing Attachment (T1193). Wasu kungiyoyin masu aikata laifukan intanet suna da kirkira a cikin zabin saka hannun jari. Misali, ƙungiyar shiru tayi amfani da fayiloli a cikin tsarin CHM (Microsoft Compiled HTML Help) don wannan. Don haka, muna da wata dabara a gabanmu - Compiled HTML File (T1223). Ana ƙaddamar da irin waɗannan fayilolin ta amfani da su hh.exe, don haka, idan muka ciro bayanai daga fayil ɗin Prefetch, za mu gano wane fayil ɗin wanda aka azabtar ya buɗe:
Bari mu ci gaba da aiki tare da misalai daga shari'o'i na gaske kuma mu matsa zuwa dabarar Kisa ta gaba (TA0002) da fasahar CSMTP (T1191). Mahara na iya amfani da mai saka bayanan martaba na Manajan Haɗin Haɗin Microsoft (CMSTP.exe) don gudanar da rubutun mugunta. Kyakkyawan misali shine ƙungiyar Cobalt. Idan muka cire bayanai daga fayil ɗin Prefetch cmstp.exe, to za mu iya sake gano ainihin abin da aka ƙaddamar:
Wani mashahurin fasaha shine Regsvr32 (T1117). Regsvr32.exe kuma sau da yawa maharan suna amfani da su wajen harbawa. Ga wani misali daga ƙungiyar Cobalt: idan muka ciro bayanai daga fayil ɗin Prefetch regsvr32.exe, sannan kuma za mu ga abin da aka kaddamar:
Dabaru na gaba sune Dagewa (TA0003) da Haɓaka Haɓaka (TA0004), tare da Shimming Application (T1138) azaman dabara. Carbanak/FIN7 ya yi amfani da wannan dabara don ɗaure tsarin. Yawanci ana amfani da su don aiki tare da bayanan dacewa na shirin (.sdb) sdbinst.exe. Don haka, fayil ɗin Prefetch na wannan mai aiwatarwa zai iya taimaka mana gano sunayen irin waɗannan bayanan da wuraren su:
Kamar yadda kake gani a cikin kwatancin, muna da ba kawai sunan fayil ɗin da aka yi amfani da shi don shigarwa ba, har ma da sunan da aka shigar.
Bari mu kalli ɗaya daga cikin misalan mafi yawan gama gari na yaɗa hanyar sadarwa (TA0008), PsExec, ta amfani da hannun jarin gudanarwa (T1077). Sabis mai suna PSEXECSVC (ba shakka, ana iya amfani da kowane suna idan maharan sun yi amfani da siga -r) za a ƙirƙira akan tsarin da aka yi niyya, saboda haka, idan muka cire bayanan daga fayil ɗin Prefetch, za mu ga abin da aka ƙaddamar:
Wataƙila zan ƙare inda na fara - share fayiloli (T1107). Kamar yadda na riga na lura, yawancin maharan suna amfani da SDelete don share fayiloli na dindindin a matakai daban-daban na rayuwar harin. Idan muka kalli bayanan daga fayil ɗin Prefetch sdelete.exe, to za mu ga ainihin abin da aka goge:
Tabbas, wannan ba cikakken jerin dabaru bane waɗanda za'a iya gano su yayin nazarin fayilolin Prefetch, amma wannan yakamata ya isa fahimtar cewa irin waɗannan fayilolin na iya taimakawa ba kawai gano alamun ƙaddamarwa ba, amma har ma da sake gina takamaiman dabarun kai hari. dabaru.
source: www.habr.com