Sysmon can now record clipboard contents

The release of Sysmon version 12 was announced on September 17 on the Sysinternals page. In fact, new versions of Process Monitor and ProcDump were released on the same day. In this article I will talk about the key, and controversial, innovation of Sysmon version 12: the new event type with Event ID 24, which records activity involving the clipboard.


Information from this type of event opens up new opportunities for monitoring suspicious actions (and introduces new weaknesses). In particular, you can find out who copied something, from where, and exactly what they tried to copy. Below is a description of some fields of the new event and a couple of use cases.

The new event contains the following fields:

  • Image: the process that wrote the data to the clipboard.
  • Session: the session in which the clipboard was written. It can be the system session (0), when working online or remotely, etc.
  • ClientInfo: contains the session username and, in the case of a remote session, the source hostname and IP address, if available.
  • Hashes: determines the name of the file in which the copied text was saved (similar to how FileDelete events work).
  • Archived: the status, i.e. whether the text from the clipboard was saved in the Sysmon archive directory.

The last two fields are alarming. The fact is that since version 11, Sysmon can (with the appropriate settings) save various data to its archive directory. For example, Event ID 23 records file deletion events and can save all of the deleted files to that same archive directory. Files created as a result of clipboard activity get the CLIP tag added to their names. These files contain exactly the data that was copied to the clipboard.
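As an added example (not code from the original post or from Sysinternals), here is a small Python parser that reads Event ID 24 records in the Windows event-log XML layout, splits ClientInfo into user, hostname and IP, and flags clipboard writes that came from a remote session, answering the "who, from where, what process" question above. The three records, the user and host names, the PIDs and the hash values are constructed; the `user: ... hostname: ... ip: ...` layout of ClientInfo is an assumption made for this example.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Default namespace used by Windows event-log XML exports.
EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Constructed sample: three Sysmon Event ID 24 (ClipboardChange) records. Users,
# hosts, PIDs and hash values are invented; the "user: ... hostname: ... ip: ..."
# layout of ClientInfo is an assumption made for this example.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>24</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-09-18 09:15:02.110</Data>
    <Data Name="ProcessId">4212</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="Session">1</Data>
    <Data Name="ClientInfo">user: CORP\alice</Data>
    <Data Name="Hashes">SHA256=AAAA0000</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>24</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-09-18 09:16:40.003</Data>
    <Data Name="ProcessId">1180</Data>
    <Data Name="Image">C:\Windows\System32\rdpclip.exe</Data>
    <Data Name="Session">2</Data>
    <Data Name="ClientInfo">user: CORP\bob hostname: WS-BOB ip: 10.20.30.40</Data>
    <Data Name="Hashes">SHA256=BBBB0000</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>24</EventID></System>
  <EventData>
    <Data Name="UtcTime">2020-09-18 09:17:05.500</Data>
    <Data Name="ProcessId">3390</Data>
    <Data Name="Image">C:\Program Files\VaultApp\vault.exe</Data>
    <Data Name="Session">1</Data>
    <Data Name="ClientInfo">user: CORP\alice</Data>
    <Data Name="Hashes">SHA256=CCCC0000</Data>
    <Data Name="Archived">false</Data>
  </EventData>
</Event>
</Events>"""

# Assumed ClientInfo layout: "user: X [hostname: Y] [ip: Z]".
CLIENT_INFO_RE = re.compile(
    r"user:\s*(?P<user>\S+)(?:\s+hostname:\s*(?P<hostname>\S+))?(?:\s+ip:\s*(?P<ip>\S+))?"
)


def parse_client_info(text):
    """Split the ClientInfo field into user / hostname / ip (missing parts -> None)."""
    m = CLIENT_INFO_RE.match(text or "")
    if not m:
        return {"user": None, "hostname": None, "ip": None}
    return m.groupdict()


def parse_clipboard_events(xml_text):
    """Return one dict per Event ID 24 record; records with other IDs are skipped."""
    events = []
    root = ET.fromstring(xml_text)
    for ev in root.iter(EVT_NS + "Event"):
        if ev.findtext(EVT_NS + "System/" + EVT_NS + "EventID") != "24":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iter(EVT_NS + "Data")}
        info = parse_client_info(data.get("ClientInfo"))
        events.append({
            "utc_time": data.get("UtcTime"),
            "image": data.get("Image", ""),
            "session": int(data.get("Session", "0")),
            "archived": data.get("Archived", "").lower() == "true",
            "hashes": data.get("Hashes"),
            # A hostname or IP in ClientInfo means the write came from a remote session.
            "remote": bool(info["hostname"] or info["ip"]),
            **info,
        })
    return events


def triage(events):
    """Flag writes from remote sessions and count archived copies per writing process."""
    findings = []
    for e in events:
        if e["remote"]:
            reason = "clipboard written from remote session %s (%s)" % (e["hostname"], e["ip"])
            findings.append((e["utc_time"], e["user"], e["image"], reason))
    archived_by_image = Counter(e["image"] for e in events if e["archived"])
    return findings, archived_by_image


if __name__ == "__main__":
    evs = parse_clipboard_events(SAMPLE_EVENTS)
    for finding in triage(evs)[0]:
        print(finding)
```

The `archived_by_image` counter is the quick answer to "which processes are leaving copies of clipboard text on disk", which is what the Archived field makes possible to audit.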

This is what a saved file looks like (screenshot in the original post).

Saving to a file happens at the moment of pasting. You can configure whitelists of processes for which the text will not be saved.

This is what a Sysmon configuration with the corresponding archive directory settings looks like (screenshot in the original post).

Here, I think, it is worth remembering password managers, which also use the clipboard. Having Sysmon on a system with a password manager allows you (or an attacker) to capture those passwords. Assuming you know which process places the copied text on the clipboard (and this is not the password manager's process, but possibly some svchost), that process can be added to the whitelist as an exception so its text is not saved.

You may not have known this, but text from the clipboard is captured by the remote server when you switch to an RDP session. If you have something on your clipboard and you switch between RDP sessions, that information travels with you.

Let's summarize Sysmon's capabilities for working with the clipboard.

Recorded:

  • Copying of text pasted via RDP and locally;
  • Capture of data from the clipboard by various utilities;
  • Copying/pasting text from/to a local virtual machine, even if that text has not been pasted.

Not recorded:

  • Copying and pasting files from/to a local virtual machine;
  • Copying/pasting files via RDP;
  • Malware that hijacks your clipboard and only writes to the clipboard itself.

Despite its controversial nature, this type of event allows you to reconstruct the sequence of an attacker's actions and helps surface data that was previously unavailable for building post-mortems after attacks. If writing this information to the archive is allowed, every access to the archive directory must be logged, and the potentially dangerous ones (those not initiated by sysmon.exe) must be identified.
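The following Python example is added here and is not code from the original post or from Sysinternals. It ties together the two controls discussed above: the process whitelist for clipboard capture (the password-manager case) and the audit of accesses to the archive directory that were not made by sysmon.exe. It parses a constructed Sysmon configuration fragment (`<CaptureClipboard/>`, `<ArchiveDirectory>`, and a `<ClipboardChange onmatch="exclude">` rule group, all real Sysmon configuration elements), decides whether a given process's clipboard text would be logged and archived, and then checks a set of constructed file-access audit records against the archive directory. The `_match` helper is a simplified model of a few Sysmon rule conditions, the placement of the archive directory at the root of `C:` is an assumption, and the process paths, file names and audit records are invented.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon configuration fragment (illustrative schema version and rules):
# clipboard capture is on, archived copies go to the "Sysmon" archive directory, and
# two password-manager processes are whitelisted so their clipboard writes are neither
# logged nor saved. The product paths are invented.
SAMPLE_CONFIG = r"""<Sysmon schemaversion="4.40">
  <CaptureClipboard/>
  <ArchiveDirectory>Sysmon</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="" groupRelation="or">
      <ClipboardChange onmatch="exclude">
        <Image condition="end with">\pwmanager.exe</Image>
        <Image condition="is">C:\Program Files\VaultApp\vault.exe</Image>
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>"""

# Constructed file-access audit records in the shape of Windows object-access auditing
# (which process touched which object). Processes, paths and file names are invented.
SAMPLE_ACCESS = [
    {"process": r"C:\Windows\sysmon.exe", "object": r"C:\Sysmon\CCCC0000.CLIP"},
    {"process": r"C:\Windows\System32\notepad.exe", "object": r"C:\Sysmon\AAAA0000.CLIP"},
    {"process": r"C:\Users\bob\Downloads\dump.exe", "object": r"C:\Sysmon"},
    {"process": r"C:\Windows\explorer.exe", "object": r"C:\Users\alice\notes.txt"},
]


def load_config(xml_text):
    """Extract the clipboard-related settings and the ClipboardChange rules."""
    root = ET.fromstring(xml_text)
    archive_name = (root.findtext("ArchiveDirectory") or "Sysmon").strip()
    rules = []
    for group in root.iter("ClipboardChange"):
        onmatch = group.get("onmatch", "exclude")
        for img in group.findall("Image"):
            rules.append((onmatch, img.get("condition", "is"), img.text.strip()))
    return {
        "capture_clipboard": root.find("CaptureClipboard") is not None,
        # Assumption for this example: the archive directory lives at the root of C:.
        "archive_dir": "C:\\" + archive_name,
        "rules": rules,
    }


def _match(condition, pattern, image):
    """Simplified, case-insensitive model of a few Sysmon rule conditions (assumption)."""
    image, pattern = image.lower(), pattern.lower()
    if condition == "is":
        return image == pattern
    if condition == "contains":
        return pattern in image
    if condition == "end with":
        return image.endswith(pattern)
    if condition == "image":  # compare the file name only, with or without a path
        return image.rsplit("\\", 1)[-1] == pattern.rsplit("\\", 1)[-1]
    raise ValueError("unsupported condition: " + condition)


def clipboard_text_saved(cfg, image):
    """True if a clipboard write by `image` is logged and its content archived."""
    if not cfg["capture_clipboard"]:
        return False
    for onmatch, cond, pattern in cfg["rules"]:
        if onmatch == "exclude" and _match(cond, pattern, image):
            return False  # whitelisted: event suppressed, nothing written to the archive
    return True


def suspicious_archive_access(cfg, records,
                              trusted=(r"C:\Windows\sysmon.exe", r"C:\Windows\sysmon64.exe")):
    """Return accesses to the archive directory made by anything other than Sysmon."""
    prefix = cfg["archive_dir"].lower()
    trusted_lc = {t.lower() for t in trusted}
    hits = []
    for r in records:
        obj = r["object"].lower()
        in_archive = obj == prefix or obj.startswith(prefix + "\\")
        if in_archive and r["process"].lower() not in trusted_lc:
            hits.append(r)
    return hits


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    print("archive dir:", cfg["archive_dir"])
    for r in suspicious_archive_access(cfg, SAMPLE_ACCESS):
        print("non-Sysmon access to archive:", r["process"], "->", r["object"])
```

In practice the access records would come from Windows object-access auditing on the archive directory; the point of the check is that Sysmon itself is the only process expected to write there, so any other reader or writer is worth an alert.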

To record, monitor and respond to the events listed above, you can use the InTrust tool, which combines all three approaches and is, in addition, an efficient centralized store for all of the collected raw data. We can configure its integration with popular SIEM systems to minimize their licensing costs by moving the processing and storage of raw data to InTrust.

To learn more about InTrust, read our previous articles or leave a request via the feedback form.

How to reduce the cost of a SIEM system, and why you need Central Log Management (CLM)

We collect events about the launch of suspicious processes in Windows and identify threats using Quest InTrust

How InTrust can help reduce the rate of failed authorization attempts via RDP

We detect a ransomware attack, gain access to the domain controller and try to resist these attacks

What useful information can be extracted from the logs of a Windows workstation? (popular article)

Who did it? We automate information security audits

Source: www.habr.com
