Hunting for attacker tactics and techniques using Prefetch files


Trace files, or Prefetch files, have existed in Windows since XP. Since then they have helped digital forensics and incident response specialists find traces of program execution, including malware. Oleg Skulkin, lead digital forensics specialist at Group-IB, explains what can be found with Prefetch files and how to do it.

Prefetch files are stored in the %SystemRoot%\Prefetch directory and are used to speed up application start-up. If we look at any of these files, we will see that its name consists of two parts: the name of the executable and an eight-character checksum of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable, the number of times it was run, the list of files and directories the executable interacted with and, of course, timestamps. Forensic specialists typically use the creation date of a given Prefetch file to determine the date the program was first run. In addition, these files store the date of the last run, and since version 26 (Windows 8.1) also the seven most recent run timestamps.

Let's take one of the Prefetch files, extract its data with Eric Zimmerman's PECmd and look at each part. For the demonstration, I will extract data from the file CCLEANER64.EXE-DE05DBE1.pf.

So let's start from the top. Naturally, we have the file's creation, modification and access timestamps:

[screenshot of the extracted Prefetch data]

These are followed by the name of the executable, the checksum of the path to it, the size of the executable and the version of the Prefetch file:

[screenshot of the extracted Prefetch data]

Since we are dealing with Windows 10, next we see the run count, the date and time of the last run, and seven more timestamps showing the dates of previous runs:

[screenshot of the extracted Prefetch data]

This is followed by volume information, including its serial number and creation date:

[screenshot of the extracted Prefetch data]

Last but not least is the list of directories and files the executable interacted with:

[screenshot of the extracted Prefetch data]

So, the directories and files the executable interacted with are exactly what I want to focus on today. It is this data that allows a digital forensics specialist, an incident responder or a threat hunter to establish not only that a particular file was executed, but also, in some cases, to reconstruct the attackers' tactics and techniques. Today attackers quite often use tools that wipe data irrecoverably, SDelete for example, so the ability to at least partially reconstruct the use of various tactics and techniques is simply essential for any modern defender: a digital forensics specialist, an incident response specialist, a threat hunter.

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercrime groups are quite creative in their choice of attachments. For example, the Silence group used files in the CHM (Microsoft Compiled HTML Help) format for this. So we have another technique, Compiled HTML File (T1223). Such files are launched by hh.exe, so if we extract the data from its Prefetch file, we will find out exactly which file the victim opened:

[screenshot of the extracted Prefetch data]

Let's continue with examples from real cases and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract the data from the Prefetch file of cmstp.exe, we can again find out exactly what was launched:

[screenshot of the extracted Prefetch data]

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also frequently used by attackers for launching. Here is another example from the Cobalt group: if we extract the data from the Prefetch file of regsvr32.exe, we will again see what was launched:

[screenshot of the extracted Prefetch data]

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. This technique was used by Carbanak/FIN7 to entrench themselves in a system. Shim databases (.sdb) are usually installed with sdbinst.exe. The Prefetch file of this executable can therefore help us find out the names of those databases and their locations:

[screenshot of the extracted Prefetch data]

As you can see in the illustration, we have both the name of the file used for the installation and the name of the installed database.

Let's look at one well-known example of Lateral Movement (TA0008), PsExec, which uses Windows Admin Shares (T1077). A service named PSEXESVC (although any other name can be used if the attackers pass the -r parameter) is created on the target system, so if we extract the data from its Prefetch file, we will see what was launched:

[screenshot of the extracted Prefetch data]

Perhaps I will end where I started: File Deletion (T1107). As I noted earlier, many attackers use SDelete to remove files at various stages of an attack. If we look at the data from the Prefetch file of sdelete.exe, we will see exactly what was deleted:

[screenshot of the extracted Prefetch data]
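The checks walked through above can be automated. The following script is an added example for this article, not the author's or Group-IB's tooling: it splits a Prefetch file name into executable name and path hash (the two-part naming described at the start), then reads a CSV export of extracted Prefetch data and reports, for each executable discussed here, the referenced files that deserve a second look. The column layout, the per-tool extension hints, the system-DLL noise filter and the sample rows are assumptions of this example, not PECmd's documented output.

```python
import csv
import io
import re

# Executables the article walks through, keyed to the technique IDs it cites. The
# referenced-file patterns worth reviewing for each tool are this example's assumption.
WATCHLIST = {
    "HH.EXE": ("T1223", r"\.chm$"),
    "CMSTP.EXE": ("T1191", r"\.inf$"),
    "REGSVR32.EXE": ("T1117", r"\.(dll|ocx|sct)$"),
    "SDBINST.EXE": ("T1138", r"\.sdb$"),
    "PSEXESVC.EXE": ("T1077", r"\.exe$"),
    "SDELETE.EXE": ("T1107", r"."),
}

# Constructed sample rows in the column layout this example assumes for a PECmd CSV export
# (FilesLoaded holds the referenced paths, comma-separated); paths and times are made up.
SAMPLE_CSV = r"""ExecutableName,RunCount,LastRun,FilesLoaded
HH.EXE,1,2019-03-01 10:15:02,"\VOLUME{SAMPLE}\WINDOWS\HH.EXE,\VOLUME{SAMPLE}\WINDOWS\SYSTEM32\NTDLL.DLL,\VOLUME{SAMPLE}\USERS\ALICE\DOWNLOADS\INVOICE.CHM"
SDBINST.EXE,2,2019-03-01 10:20:44,"\VOLUME{SAMPLE}\WINDOWS\SYSTEM32\SDBINST.EXE,\VOLUME{SAMPLE}\USERS\PUBLIC\UPDATE.SDB"
REGSVR32.EXE,7,2019-02-20 08:00:00,"\VOLUME{SAMPLE}\WINDOWS\SYSTEM32\REGSVR32.EXE,\VOLUME{SAMPLE}\WINDOWS\SYSTEM32\KERNEL32.DLL"
"""

def parse_pf_name(name):
    """Split a name such as CCLEANER64.EXE-DE05DBE1.pf into (executable, 8-hex path hash)."""
    m = re.fullmatch(r"(.+)-([0-9A-F]{8})\.pf", name, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a Prefetch file name: {name}")
    return m.group(1).upper(), m.group(2).upper()

def is_noise(path):
    """System DLL loads from the Windows directory happen for every process; skip them."""
    p = path.upper()
    return p.startswith("\\WINDOWS\\") and p.endswith(".DLL")

def hunt(csv_text):
    # One record per watched executable whose referenced files deserve review.
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = row["ExecutableName"].upper()
        if exe not in WATCHLIST:
            continue
        technique, pattern = WATCHLIST[exe]
        # Drop the leading \VOLUME{...} prefix so paths read like normal Windows paths.
        files = [re.sub(r"^\\VOLUME\{[^}]*\}", "", p, flags=re.IGNORECASE)
                 for p in row["FilesLoaded"].split(",")]
        flagged = [p for p in files if re.search(pattern, p, re.IGNORECASE) and not is_noise(p)]
        if flagged:
            hits.append({"exe": exe, "technique": technique, "run_count": int(row["RunCount"]),
                         "last_run": row["LastRun"], "files": flagged})
    return hits
```

On the sample rows, hh.exe is reported with the .chm it opened and sdbinst.exe with the installed shim database, while the regsvr32.exe row that only loaded system DLLs produces no hit.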

Of course, this is not an exhaustive list of the techniques that can be uncovered by analysing Prefetch files, but it should be enough to show that such files help not only to find traces of execution, but also to reconstruct attackers' tactics and techniques.

Source: www.habr.com
