Hunting for attack tactics and techniques using Prefetch files

Trace files, or Prefetch files, have existed in Windows since XP. Since then they have helped digital forensics and incident response specialists find traces of program execution, including malware. Oleg Skulkin, lead computer forensics specialist at Group-IB, explains what can be found using Prefetch files and how to do it.

Prefetch files are stored in the %SystemRoot%\Prefetch directory and serve to speed up program startup. If we look at any of these files, we see that its name consists of two parts: the name of the executable file and an eight-character checksum of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable file, the number of times it was executed, lists of the files and directories the executable interacted with, and, of course, timestamps. Forensic examiners typically use the creation date of a Prefetch file to determine when the program was first launched. In addition, these files store the date of the last launch and, starting from version 26 (Windows 8.1), the timestamps of the last seven launches.

Let's take one of the Prefetch files, extract the data from it using Eric Zimmerman's PECmd, and look at each part of it. For demonstration, I will extract data from the file CCLEANER64.EXE-DE05DBE1.pf.

So let's start from the top. Naturally, we have the file creation, modification, and access timestamps:

They are followed by the name of the executable file, the checksum of the path to it, the size of the executable, and the version of the Prefetch file:

Since we are dealing with Windows 10, next we see the run count, the date and time of the last launch, and seven more timestamps for the previous launches:

These are followed by information about the volume, including its serial number and creation date:

Last but not least is the list of directories and files that the executable interacted with:

The directories and files that the executable interacted with are exactly what I want to focus on today. It is this data that allows specialists in digital forensics, incident response, or proactive threat hunting to establish not only the fact that a file was executed but, in some cases, to reconstruct the specific tactics and techniques of the attackers. Attackers today quite often use tools that permanently wipe data, for example SDelete, so the ability to recover at least traces of the use of certain tactics and techniques is essential for any modern defender: the computer forensics specialist, the incident responder, the threat hunter.

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercriminal groups are quite creative in their choice of attachments. For example, the Silence group used files in CHM (Microsoft Compiled HTML Help) format for this. So we have another technique in front of us: Compiled HTML File (T1223). Such files are launched using hh.exe, so if we extract the data from its Prefetch file, we learn which file the victim opened:

Let's continue with examples from real cases and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). The Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract the data from the cmstp.exe Prefetch file, we can again find out what exactly was launched:

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also often used by attackers to launch payloads. Here is another example from the Cobalt group: if we extract the data from the regsvr32.exe Prefetch file, we again see what was launched:

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. Carbanak/FIN7 used this technique to gain a foothold in the system. Application compatibility databases (.sdb) are usually installed with sdbinst.exe, so the Prefetch file of this executable can help us find the names of such databases and their locations:

As the output shows, we get not only the name of the file used for installation, but also the name of the installed database.

Let's look at one of the most common examples of Lateral Movement (TA0008): PsExec, which uses Windows Admin Shares (T1077). A service named PSEXESVC (any other name can be used, of course, if the attackers used the -r parameter) is created on the target system, so if we extract the data from its Prefetch file, we see what exactly was launched:

I will finish where I started: File Deletion (T1107). As I noted earlier, many attackers use SDelete to permanently delete files at various stages of the attack lifecycle. If we look at the data from the sdelete.exe Prefetch file, we see what exactly was deleted:


Of course, this is not an exhaustive list of the techniques that can be discovered during Prefetch analysis, but it is enough to understand that these files help not only to find traces of execution, but also to reconstruct specific tactics and techniques.
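One way to turn the walkthrough above into a repeatable check, as an added example that is not from the article or from PECmd: a Python script that scans a PECmd-style CSV export for the executables discussed here and pulls out the loaded files that point to the technique. The CSV column names, the watchlist mapping, and the sample rows are my assumptions and constructed data.

```python
import csv
import io
import ntpath

# Executables discussed above, mapped to the file extensions worth pulling out
# of their FilesLoaded list. The mapping is my own heuristic, not PECmd's.
WATCHLIST = {
    "HH.EXE": (".chm",),                       # T1223 Compiled HTML File
    "CMSTP.EXE": (".inf",),                    # T1191 CMSTP
    "REGSVR32.EXE": (".dll", ".ocx", ".sct"),  # T1117 Regsvr32
    "SDBINST.EXE": (".sdb",),                  # T1138 Application Shimming
    "PSEXESVC.EXE": (".exe", ".bat", ".cmd"),  # T1077 Windows Admin Shares
    "SDELETE.EXE": None,                       # T1107 File Deletion: keep all
}
# Support libraries under \WINDOWS\ appear in every Prefetch file: drop them.
NOISE_EXT = (".dll", ".mui", ".nls", ".dat")

# Constructed sample in the shape of a PECmd CSV export (column names and
# the volume GUID are placeholders, not real case data).
SAMPLE_CSV = r"""SourceFilename,ExecutableName,RunCount,LastRun,FilesLoaded
HH.EXE-11111111.pf,HH.EXE,1,2019-03-12 09:41:07,"\VOLUME{GUID}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{GUID}\WINDOWS\HH.EXE, \VOLUME{GUID}\USERS\USER\DOWNLOADS\INVOICE.CHM"
REGSVR32.EXE-22222222.pf,REGSVR32.EXE,3,2019-03-12 09:42:30,"\VOLUME{GUID}\WINDOWS\SYSTEM32\REGSVR32.EXE, \VOLUME{GUID}\WINDOWS\SYSTEM32\KERNEL32.DLL, \VOLUME{GUID}\USERS\USER\APPDATA\LOCAL\TEMP\UPDATE.DLL"
CHROME.EXE-33333333.pf,CHROME.EXE,42,2019-03-12 10:00:00,"\VOLUME{GUID}\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE"
"""

def hunt(csv_text):
    """Return one finding per watched executable found in the CSV text."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = row["ExecutableName"].upper()
        if exe not in WATCHLIST:
            continue
        wanted = WATCHLIST[exe]
        hits = []
        for path in row["FilesLoaded"].split(", "):
            low = path.lower()
            if ntpath.basename(path).upper() == exe:
                continue  # the executable always lists itself
            sys_noise = "\\windows\\" in low and low.endswith(NOISE_EXT)
            if not sys_noise and (wanted is None or low.endswith(wanted)):
                hits.append(path)
        findings.append({"exe": exe, "runs": int(row["RunCount"]),
                         "last_run": row["LastRun"], "files": hits})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_CSV):
        print(f"{f['exe']} ran {f['runs']}x, last {f['last_run']}: {f['files']}")
```

On real data, run PECmd over the whole Prefetch directory with CSV output and feed that file to hunt(); the noise filter is a heuristic, so review what it drops when sdelete.exe is involved.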

Source: www.habr.com
