Hunting for attacker tactics and techniques using Prefetch files


Trace files, or Prefetch files, have been around in Windows since XP. Since then they have helped digital forensics and incident response specialists find traces of software execution, including malware. Group-IB's lead computer forensics specialist Oleg Skulkin explains what you can find with the help of Prefetch files and how to do it.

Prefetch files are stored in the %SystemRoot%\Prefetch directory and serve to speed up the launching of programs. If we look at any of these files, we will see that its name consists of two parts: the name of the executable file and an eight-character checksum of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable file, the number of times it was executed, the lists of files and directories the executable interacted with, and, of course, timestamps. Usually forensic examiners use the creation date of a particular Prefetch file to determine the date the program was first launched. In addition, these files store the date of its last launch, and starting from version 26 (Windows 8.1) - the timestamps of the seven most recent runs.

Let's take one of the Prefetch files, extract the data from it using Eric Zimmerman's PECmd, and look at each part of it. As an example, I'll extract the data from the file CCLEANER64.EXE-DE05DBE1.pf.

So let's start from the top. Of course, we have the file creation, modification and access timestamps:

They are followed by the name of the executable file, the checksum of the path to it, the size of the executable file, and the version of the Prefetch file:

Since we are dealing with Windows 10, next we see the run count, the date and time of the last run, and seven more timestamps indicating previous run dates:

These are followed by information about the volume, including its serial number and creation date:

Last but not least is the list of directories and files the executable interacted with:

So, the directories and files the executable interacted with are exactly what I want to focus on today. It is this data that allows digital forensics, incident response or threat hunting specialists to establish not only the fact that a particular file was executed, but also, in some cases, to reconstruct specific tactics and techniques of the attackers. Today attackers quite often use tools for permanently deleting data, for example SDelete, so the ability to recover at least traces of the use of certain tactics and techniques is simply necessary for any modern defender - the computer forensics specialist, the incident response specialist, the threat hunter.
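The fields walked through above (executable name, path checksum, run count, last-run timestamps, volume serial number and creation date, referenced directories and files) can be read directly from an uncompressed version-26 Prefetch file. The Python parser below is an added example written for this page; it is not Group-IB's or Eric Zimmerman's code. The field offsets follow the publicly documented Prefetch layout (the same format PECmd implements), the sample .pf bytes are constructed inside the script rather than taken from any real system, and the parser has only been checked against that constructed sample. Note that Windows 10 stores .pf files compressed (they start with a MAM signature), so a real file must be decompressed first; PECmd does that transparently.

```python
import struct
from datetime import datetime, timedelta, timezone

# Uncompressed version-26 (Windows 8.1/10) layout per the public format description.
HEADER_SIZE = 84        # version, "SCCA", unknown, file size, exe name, path hash, unknown
FILE_INFO_SIZE = 224    # section offsets and counts, eight last-run times, run count
METRIC_ENTRY_SIZE = 32  # one entry per referenced file
VOLUME_ENTRY_SIZE = 96  # device path, creation time, serial number, directory strings
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - WIN_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data):
    """Return the forensically interesting fields of a version-26 Prefetch file."""
    if data[:3] == b"MAM":  # Windows 10 compresses .pf files; decompress first
        raise ValueError("compressed Prefetch file: decompress it before parsing")
    version, signature, _, _ = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version != 26:
        raise ValueError(f"unsupported file (signature={signature!r}, version={version})")
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]

    fi = HEADER_SIZE
    (metrics_off, metrics_count, _, _, names_off, _,
     vol_off, vol_count, _) = struct.unpack_from("<9I", data, fi)
    raw_runs = struct.unpack_from("<8Q", data, fi + 44)      # absolute offset 0x80
    run_count = struct.unpack_from("<I", data, fi + 124)[0]  # absolute offset 0xD0

    # Each file-metrics entry points into the filename-strings block (byte offset, char count).
    files = []
    for i in range(metrics_count):
        entry = metrics_off + i * METRIC_ENTRY_SIZE
        name_off, name_chars = struct.unpack_from("<II", data, entry + 12)
        files.append(data[names_off + name_off:names_off + name_off + name_chars * 2]
                     .decode("utf-16-le"))

    # Volume entries: offsets inside an entry are relative to the start of the volumes section.
    volumes = []
    for i in range(vol_count):
        (dev_off, dev_chars, created, serial, _, _, dir_off,
         dir_count) = struct.unpack_from("<IIQIIIII", data, vol_off + i * VOLUME_ENTRY_SIZE)
        device = data[vol_off + dev_off:vol_off + dev_off + dev_chars * 2].decode("utf-16-le")
        dirs, p = [], vol_off + dir_off
        for _ in range(dir_count):  # uint16 char count, UTF-16LE string, 2-byte terminator
            n = struct.unpack_from("<H", data, p)[0]
            dirs.append(data[p + 2:p + 2 + n * 2].decode("utf-16-le"))
            p += 2 + n * 2 + 2
        volumes.append({"device": device, "serial": f"{serial:08X}",
                        "created": filetime_to_datetime(created), "directories": dirs})

    return {"executable": exe_name, "path_hash": f"{path_hash:08X}", "run_count": run_count,
            "last_runs": [filetime_to_datetime(t) for t in raw_runs if t],
            "files": files, "volumes": volumes}


def build_sample_prefetch(exe_name, path_hash, run_count, last_runs, files,
                          device_path, serial, vol_created, directories):
    """Write a minimal single-volume version-26 file in the layout parse_prefetch reads."""
    names = b"".join(f.encode("utf-16-le") + b"\x00\x00" for f in files)
    metrics, off = bytearray(), 0
    for f in files:
        metrics += struct.pack("<IIIIIIQ", 0, 0, 0, off, len(f), 0, 0)
        off += (len(f) + 1) * 2
    metrics_off = HEADER_SIZE + FILE_INFO_SIZE
    names_off = metrics_off + len(metrics)
    vol_off = names_off + len(names)
    dev = device_path.encode("utf-16-le") + b"\x00\x00"
    dirs = b"".join(struct.pack("<H", len(d)) + d.encode("utf-16-le") + b"\x00\x00"
                    for d in directories)
    dir_rel = VOLUME_ENTRY_SIZE + len(dev)
    vol = struct.pack("<IIQIIIII", VOLUME_ENTRY_SIZE, len(device_path), vol_created, serial,
                      dir_rel, 0, dir_rel, len(directories)).ljust(VOLUME_ENTRY_SIZE, b"\x00")
    vol += dev + dirs
    header = struct.pack("<I4sII", 26, b"SCCA", 0x11, vol_off + len(vol))
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", path_hash, 0)
    info = struct.pack("<9I", metrics_off, len(files), names_off, 0, names_off, len(names),
                       vol_off, 1, len(vol)).ljust(44, b"\x00")
    info += struct.pack("<8Q", *(list(last_runs) + [0] * 8)[:8])
    info = info.ljust(124, b"\x00") + struct.pack("<I", run_count)
    return header + info.ljust(FILE_INFO_SIZE, b"\x00") + bytes(metrics) + names + vol


# Constructed sample (no real system data): HH.EXE run twice, opening a CHM from a user's
# Downloads folder, as in the Silence example later in the article.
VOLUME = "\\VOLUME{01d5c0ffee000000-1a2b3c4d}"
SAMPLE_RUNS = [datetime(2019, 9, 18, 8, 12, 47, tzinfo=timezone.utc),
               datetime(2019, 9, 17, 16, 3, 5, tzinfo=timezone.utc)]
SAMPLE = build_sample_prefetch(
    "HH.EXE", 0x4B3F9C21, 2, [datetime_to_filetime(t) for t in SAMPLE_RUNS],
    [VOLUME + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", VOLUME + "\\WINDOWS\\HH.EXE",
     VOLUME + "\\USERS\\ALICE\\DOWNLOADS\\INVOICE.CHM"],
    "\\DEVICE\\HARDDISKVOLUME2", 0x1A2B3C4D,
    datetime_to_filetime(datetime(2018, 4, 2, 10, 0, tzinfo=timezone.utc)),
    [VOLUME + "\\USERS\\ALICE\\DOWNLOADS", VOLUME + "\\WINDOWS\\SYSTEM32"])

if __name__ == "__main__":
    for field, value in parse_prefetch(SAMPLE).items():
        print(f"{field}: {value}")
```

Running the script prints the same groups of fields that PECmd shows for a real file: the executable name and path checksum from the header, the run count and the non-zero last-run timestamps, the volume's device path, serial and creation date, and finally the directories and files the executable touched. The `build_sample_prefetch` helper exists only so the example is self-contained; on a live case you would feed `parse_prefetch` the decompressed bytes of a file from %SystemRoot%\Prefetch.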

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercriminal groups are quite creative in their choice of attachments. For example, the Silence group used files in CHM (Microsoft Compiled HTML Help) format for this. So we have another technique in front of us - Compiled HTML File (T1223). Such files are opened with hh.exe, therefore, if we extract the data from its Prefetch file, we will find out which file was opened by the victim:

Let's continue with examples from real cases and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract the data from the Prefetch file of cmstp.exe, we can again find out what exactly was launched:

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also often used by attackers for execution. Here is another example from the Cobalt group: if we extract the data from the Prefetch file of regsvr32.exe, we will again see what was launched:

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. This technique was used by Carbanak/FIN7 to maintain a foothold in the system. Program compatibility databases (.sdb) are usually handled by sdbinst.exe. Consequently, the Prefetch file of this executable can help us find the names of such databases and their locations:

As you can see from the example, we get not only the name of the file used for installation, but also the name of the installed database.

Let's look at one of the most common examples of lateral movement (TA0008), PsExec, which uses administrative shares (T1077). A service named PSEXECSVC (of course, another name may be used if the attackers used the -r parameter) will be created on the target system, therefore, if we extract the data from its Prefetch file, we will see what was launched:

I'll finish where I started - with file deletion (T1107). As I already noted, many attackers use SDelete to permanently delete files at various stages of the attack lifecycle. If we look at the data from the Prefetch file of sdelete.exe, we will see what exactly was deleted:

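The checks described for each technique above follow one pattern: take the Prefetch file of a known executable (hh.exe, cmstp.exe, regsvr32.exe, sdbinst.exe, the PsExec service, sdelete.exe), discard the system libraries it always loads, and look at the remaining referenced files. The script below turns that pattern into hunting rules over already-extracted Prefetch data. It is an added example, not the author's or Group-IB's code: the technique IDs are the ones the article uses, the record shape (an executable name plus the list of files it referenced) is an assumption loosely modelled on what PECmd outputs rather than its exact CSV schema, and all sample records are constructed. The rule for PsExec matches the default service name by prefix; a service renamed with -r, as the article notes is possible, would need a separate hunt.

```python
import re

# Hunting rules keyed by the ATT&CK technique IDs used in the article: which executable's
# Prefetch file to inspect and what kind of referenced file turns it into a finding.
# Executable names are matched by prefix so that PSEXESVC.EXE (PsExec's default service
# binary) and the article's PSEXECSVC spelling are both covered; a renamed service is not.
RULES = [
    ("T1223 Compiled HTML File", "HH.EXE", re.compile(r"\.CHM$", re.I), "CHM file opened"),
    ("T1191 CMSTP", "CMSTP.EXE", re.compile(r"\.INF$", re.I), "INF profile processed"),
    ("T1117 Regsvr32", "REGSVR32.EXE", re.compile(r"\.(SCT|DLL|OCX)$", re.I),
     "object registered from a non-system path"),
    ("T1138 Application Shimming", "SDBINST.EXE", re.compile(r"\.SDB$", re.I),
     "shim database installed"),
    ("T1077 Windows Admin Shares", "PSEXE", re.compile(r"\.EXE$", re.I),
     "binary run through the PsExec service"),
    ("T1107 File Deletion", "SDELETE", re.compile(r"."),
     "file referenced by SDelete (deletion candidate)"),
]
# References under \WINDOWS\ (except \WINDOWS\TEMP\) are system DLLs and the tools' own images.
SYSTEM_NOISE = re.compile(r"\\WINDOWS\\(?!TEMP\\)", re.I)


def interesting_references(exe, files):
    """Drop system-library noise and the executable's own image from a Prefetch file list."""
    own = "\\" + exe.upper()
    return [f for f in files if not SYSTEM_NOISE.search(f) and not f.upper().endswith(own)]


def hunt(records):
    """records: [{"exe": "HH.EXE", "files": [...]}, ...] -> list of technique findings."""
    findings = []
    for rec in records:
        exe = rec["exe"].upper()
        candidates = interesting_references(exe, rec["files"])
        for technique, prefix, pattern, meaning in RULES:
            if not exe.startswith(prefix):
                continue
            evidence = [f for f in candidates if pattern.search(f)]
            if evidence:
                findings.append({"technique": technique, "exe": rec["exe"],
                                 "meaning": meaning, "evidence": evidence})
    return findings


# Constructed sample records (no real case data), one per Prefetch file, in the order the
# article discusses the techniques, plus two benign records that must produce nothing.
VOL = "\\VOLUME{01d5c0ffee000000-1a2b3c4d}"
SAMPLE_RECORDS = [
    {"exe": "HH.EXE", "files": [VOL + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", VOL + "\\WINDOWS\\HH.EXE",
                                VOL + "\\USERS\\ALICE\\DOWNLOADS\\INVOICE.CHM"]},
    {"exe": "CMSTP.EXE", "files": [VOL + "\\WINDOWS\\SYSTEM32\\CMSTP.EXE",
                                   VOL + "\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\UPDATE.INF"]},
    {"exe": "REGSVR32.EXE", "files": [VOL + "\\WINDOWS\\SYSTEM32\\REGSVR32.EXE",
                                      VOL + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
                                      VOL + "\\USERS\\PUBLIC\\PAYLOAD.SCT"]},
    {"exe": "SDBINST.EXE", "files": [VOL + "\\WINDOWS\\SYSTEM32\\SDBINST.EXE",
                                     VOL + "\\PROGRAMDATA\\SVC.SDB"]},
    {"exe": "PSEXESVC.EXE", "files": [VOL + "\\WINDOWS\\PSEXESVC.EXE",
                                      VOL + "\\WINDOWS\\SYSTEM32\\CMD.EXE",
                                      VOL + "\\WINDOWS\\TEMP\\ARTEFACT.EXE"]},
    {"exe": "SDELETE.EXE", "files": [VOL + "\\USERS\\ALICE\\DESKTOP\\SDELETE.EXE",
                                     VOL + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
                                     VOL + "\\USERS\\ALICE\\DOCUMENTS\\STAGING.ZIP"]},
    {"exe": "HH.EXE", "files": [VOL + "\\WINDOWS\\HH.EXE",
                                VOL + "\\WINDOWS\\HELP\\MUI\\0409\\MMC.CHM"]},
    {"exe": "NOTEPAD.EXE", "files": [VOL + "\\USERS\\ALICE\\NOTES.TXT"]},
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_RECORDS):
        print(hit["technique"], hit["exe"], hit["meaning"], hit["evidence"], sep=" | ")
```

The second HH.EXE record shows why the noise filter matters: a CHM opened from under \Windows\Help is ordinary help-file use and produces no finding, while the same executable touching a CHM in a user's Downloads folder does. The rules are deliberately narrow (a handful of extensions and a path filter); on a real case they serve as a first pass over every .pf file, after which the analyst reviews the full reference list and the timestamps of each hit.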

Of course, this is not an exhaustive list of the techniques that can be detected during analysis of Prefetch files, but it should be enough to understand that these files can help not only to find traces of a program's launch, but also to reconstruct specific attacker tactics and techniques.

Source: www.hab.com
