Collecting events about suspicious process launches in Windows and detecting threats with Quest InTrust

One of the most common attack patterns is spawning a malicious process in the process tree beneath an otherwise respectable process. The path to the executable can itself be suspicious: malware often runs from the AppData or Temp folders, which is unusual for legitimate software. To be fair, some automatic update utilities do run from AppData, so the launch location alone is not enough to conclude that a program is malicious.

An additional sign of legitimacy is a cryptographic signature: most original software is signed by its vendor. The absence of a signature can be used as a way to spot suspicious startup items. But there is also malware that signs itself with stolen certificates.

You can also check the MD5 or SHA256 hash values, which may match previously discovered malware. You can perform static analysis by looking for known signatures inside the program (using Yara rules or antivirus products). There is also dynamic analysis (running the program in an isolated environment and observing its behavior) and reverse engineering.

There can be many indicators of a malicious process. In this article we show how to enable auditing of the relevant events in Windows and look at the indicators that the built-in rule for detecting suspicious processes relies on. InTrust is a CLM platform for collecting, analyzing and storing unstructured data, and it already ships with hundreds of predefined reactions to various types of attacks.

When a program is launched, it is loaded into the computer's memory. The executable file contains machine instructions and references supporting libraries (for example, *.dll files). Once a process is running, it can create additional threads. Threads let a process execute different sequences of instructions simultaneously. There are many ways for malicious code to get into memory and run; let's look at some of them.

The simplest way to launch a malicious process is to get the user to start it directly (for example, from an email attachment) and then use the RunOnce key to launch it every time the computer starts. This category also includes "fileless" malware that stores PowerShell scripts in registry keys that are executed by a trigger. In that case the PowerShell script is the malicious code.

The problem with launching malware directly is that it is a well-known approach that is easily detected. Some malware does something cleverer, such as using another process to start executing in memory. A process can spawn another process by executing a specific machine instruction and specifying an executable (.exe) file to run.

The file can be specified by a full path (for example, C:\Windows\system32\cmd.exe) or by a partial path (for example, cmd.exe). If the original process is written insecurely, it will allow illegitimate programs to run. The attack can look like this: a process launches cmd.exe without specifying the full path, and the attacker places their own cmd.exe in a location that the process searches before the legitimate one. Once the malware is running, it can in turn launch the legitimate program (such as C:\Windows\system32\cmd.exe) so that the original program continues to work as expected.

A variation of the previous attack is DLL injection into a legitimate process. When a process starts, it locates and loads libraries that extend its functionality. With DLL injection, the attacker creates a malicious library with the same name and API as a legitimate one. The program loads the malicious library, which in turn loads the legitimate one and, when necessary, calls it to perform the real work. The malicious library thus acts as a proxy for the good library.

Another way to place malicious code in memory is to inject it into an insecure process that is already running. Processes receive input from various sources, such as the network or files. They usually validate that input before acting on it. But some processes lack proper protection when they execute instructions derived from that input. In this attack there is no library on disk and no executable file containing the malicious code. Everything lives in memory together with the process being exploited.

Now let's look at how to enable collection of such events in Windows and at the InTrust rule that provides protection against these threats. First, we enable the rule through the InTrust management console.

The rule uses the process tracking capabilities of the Windows OS. Unfortunately, enabling collection of these events is far from obvious. There are three different Group Policy settings that you need to change:

Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Audit Policy > Audit process tracking

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy Configuration > Audit Policies > Detailed Tracking > Audit Process Creation

Computer Configuration > Policies > Administrative Templates > System > Audit Process Creation > Include command line in process creation events

Once these are enabled, the InTrust rules let you detect previously unknown threats that exhibit suspicious behavior. For example, you can detect the Dridex malware described here. Thanks to the HP Bromium project, we know how this threat operates.

In its chain of actions, Dridex uses schtasks.exe to create a scheduled task. Using this utility from the command line is considered highly suspicious activity; launching svchost.exe with parameters that point to user folders, or with parameters resembling the "net view" or "whoami" commands, looks just as suspicious. Here is a fragment of the corresponding SIGMA rule:

detection:
    selection1:
        CommandLine: '*\svchost.exe C:\Users\\*\Desktop\\*'
    selection2:
        ParentImage: '*\svchost.exe*'
        CommandLine:
            - '*whoami.exe /all'
            - '*net.exe view'
    condition: 1 of them
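To show how the rule fragment above actually fires, here is an added example (not InTrust's or the Sigma project's code) that evaluates the same two selections with glob-style wildcards over a few constructed Event ID 4688 records; the field names follow the Sigma process_creation taxonomy (ParentImage, Image, CommandLine) and the records are made up for illustration.

```python
import fnmatch

# The two selections from the Dridex rule fragment, with Sigma's backslash
# escaping resolved into plain glob patterns. Comparison is case-insensitive,
# which is Sigma's default for string fields.
SELECTION1 = {"CommandLine": [r"*\svchost.exe C:\Users\*\Desktop\*"]}
SELECTION2 = {
    "ParentImage": [r"*\svchost.exe*"],
    "CommandLine": [r"*whoami.exe /all", r"*net.exe view"],
}

def field_matches(value, patterns):
    """A list of patterns on one field is OR-ed: any pattern may match."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)

def selection_matches(event, selection):
    """Fields inside one selection are AND-ed: every field must match."""
    return all(field_matches(event.get(f, ""), pats) for f, pats in selection.items())

def dridex_rule(event):
    """condition: 1 of them -> either selection alone is enough to fire."""
    return selection_matches(event, SELECTION1) or selection_matches(event, SELECTION2)

# Constructed sample 4688 records (not real telemetry). CommandLine is only
# populated when "Include command line in process creation events" is on.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},  # normal service host
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe C:\Users\alice\Desktop\invoice.exe"},  # selection1
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\whoami.exe",
     "CommandLine": r"whoami.exe /all"},  # selection2: recon spawned by svchost
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": r"net.exe view"},  # parent is not svchost, so no match
]

def matching_events(events):
    """Return the indices of the events the rule fires on."""
    return [i for i, e in enumerate(events) if dridex_rule(e)]

if __name__ == "__main__":
    for i in matching_events(SAMPLE_EVENTS):
        print("ALERT:", SAMPLE_EVENTS[i]["CommandLine"])
```

Note that the patterns are anchored by their wildcards: `*net.exe view` matches only when the command line ends in "view", so a trailing argument would slip past this particular selection.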

In InTrust, all of these suspicious behaviors are combined into a single rule, because most of the individual actions are not dangerous on their own but become suspicious in combination, and in 99% of cases they are used for anything but good purposes. The list of actions includes, but is not limited to:

  • Processes started from unusual locations, such as user temp folders.
  • A well-known system process with a suspicious parent; some threats try to reuse the name of a system process to stay unnoticed.
  • Suspicious execution of administrative tools such as cmd or PsExec when they run with local system credentials or under a suspicious parent.
  • Suspicious shadow copy operations, which ransomware typically performs before encrypting the system; they destroy the restore points:

    - via vssadmin.exe;
    - via WMI.

  • Dumping entire registry hives.
  • Lateral movement of malicious code when it is launched remotely with commands such as at.exe.
  • Suspicious local group and domain operations using net.exe.
  • Suspicious firewall operations using netsh.exe.
  • Suspicious ACL manipulation.
  • Use of BITS for data exfiltration.
  • Suspicious manipulation through WMI.
  • Suspicious script commands.
  • Attempts to dump protected system files.

The combined rule works very well for detecting threats such as Ryuk, LockerGoga and other ransomware, malware and cybercrime toolkits. The vendor has tested the rule in production environments to minimize false positives. And thanks to the SIGMA project, most of these indicators generate a minimal amount of noise events.

Because this is a monitoring rule in InTrust, you can run a response script as a reaction to the threat. You can use one of the built-in scripts or write your own, and InTrust will distribute it automatically.

In addition, you can inspect all of the telemetry related to the event, including PowerShell activity, process execution, scheduled task changes and WMI administrative activity, and use it for post-mortem analysis during security incidents.

InTrust has several hundred other rules, among them:

  • Detection of PowerShell downgrade attacks, where someone deliberately uses an old version of PowerShell because that version offered no way to audit what was happening.
  • Detection of highly privileged logons, where accounts that belong to a particular privileged group (such as domain administrators) log on to workstations, whether by accident or as part of a security incident.

InTrust lets you apply security best practices in the form of predefined detection and response rules. And if you think something should work differently, you can create your own copy of a rule and configure it as needed. You can request a pilot or obtain distribution kits with temporary licenses through the feedback form on our website.

Subscribe to our Facebook page, where we publish short notes and interesting links.

Read our other articles on information security:

How InTrust can help reduce the rate of failed logon attempts over RDP

We detect a ransomware attack, gain access to the domain controller and try to resist these attacks

What useful information can be extracted from the logs of a Windows-based workstation? (popular article)

Tracking the user lifecycle without pliers or duct tape

Who did it? We automate information security audits

How to reduce the total cost of ownership of a SIEM system and why you need Central Log Management (CLM)

Source: www.habr.com