Sysmon can now log clipboard contents

The release of Sysmon version 12 was announced on September 17 on the Sysinternals page. New versions of Process Monitor and ProcDump were in fact released on the same day. In this article I will talk about the key, and controversial, innovation of Sysmon version 12: the event type with Event ID 24, which logs clipboard operations.


Information from this event type opens up new possibilities for monitoring suspicious activity (and creates new vulnerabilities). It lets you understand who copied what, and from where. Below the cut is a description of some of the fields of the new event and a few use cases.

The new event has the following fields:

Image: the process that wrote data to the clipboard.
Session: the session in which the write to the clipboard was made. It can be system (0), when working locally or remotely, etc.
ClientInfo: contains the user name of the session and, for a remote session, the originating hostname and IP address, when available.
Hashes: identifies the name of the file in which the copied text was saved (the same scheme as for FileDelete events).
Archived: status, whether the text from the clipboard was saved to the Sysmon archive directory.

The last two fields are alarming. The fact is that, starting with version 11, Sysmon can (with the appropriate settings) save various data to its archive directory. For example, Event ID 23 logs file deletion events and can save all of those files in that same archive directory. The CLIP tag is added to the names of files created as a result of clipboard operations. The files themselves contain exactly the data that was copied to the clipboard.

This is what a saved file looks like:

Saving to a file is enabled at installation time. You can set a whitelist of processes whose text will not be saved.

This is what a Sysmon installation with the appropriate archive directory settings looks like:

Here, I think, it is worth remembering password managers, which also use the clipboard. Having Sysmon on a system with a password manager lets you (or an attacker) capture those passwords. Assuming you know which process is sharing the copied text (and it is not always the password manager process; it may be some svchost), that exception can be added to the whitelist so that its text is not saved.
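The field list above, the process whitelist, and the password manager case can be exercised together on exported Sysmon events. The following is an added example, not code from the article, from Quest, or from Sysinternals: it parses constructed Event ID 24 records, drops writes from a whitelisted image the way a ClipboardChange exclude rule would, and marks which remaining writes came from a remote session. The Data names follow the fields listed above; the exact text format of ClientInfo and the `<hash>.CLIP` archive file name are assumptions, as is the KeePass path used as the whitelisted process.

```python
"""Parse Sysmon Event ID 24 (ClipboardChange) records and apply a process
whitelist the way a ClipboardChange onmatch="exclude" rule would.

Added example, not code from the article or from Sysinternals. The XML below is
constructed; the ClientInfo text format and the <hash>.CLIP name are assumptions."""
from __future__ import annotations

import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample export: a local copy from a password manager, a copy made
# inside an RDP session, and an unrelated FileCreate event (ID 11) to be skipped.
SAMPLE_EVENTS = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>24</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2020-09-20 10:15:30.123</Data>
    <Data Name="Image">C:\Program Files\KeePass\KeePass.exe</Data>
    <Data Name="Session">2</Data>
    <Data Name="ClientInfo">user: EXAMPLE\alice</Data>
    <Data Name="Hashes">SHA256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>24</EventID><Computer>ws01.example.local</Computer></System>
  <EventData>
    <Data Name="UtcTime">2020-09-20 10:16:02.456</Data>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
    <Data Name="Session">3</Data>
    <Data Name="ClientInfo">user: EXAMPLE\bob hostname: LAPTOP-BOB ip: 10.0.0.25</Data>
    <Data Name="Hashes">SHA256=FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210FEDCBA9876543210</Data>
    <Data Name="Archived">true</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>11</EventID><Computer>ws01.example.local</Computer></System>
  <EventData><Data Name="Image">C:\Windows\explorer.exe</Data></EventData>
</Event>
</Events>"""


@dataclass
class ClipboardEvent:
    utc_time: str
    image: str
    session: str
    client_info: str
    hashes: str
    archived: bool


def parse_clipboard_events(xml_text: str) -> list[ClipboardEvent]:
    """Return every Event ID 24 record found in an exported Sysmon XML document."""
    events = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "24":
            continue  # other Sysmon event types are not clipboard writes
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        events.append(ClipboardEvent(
            utc_time=data.get("UtcTime", ""),
            image=data.get("Image", ""),
            session=data.get("Session", ""),
            client_info=data.get("ClientInfo", ""),
            hashes=data.get("Hashes", ""),
            archived=data.get("Archived", "").strip().lower() == "true",
        ))
    return events


def is_whitelisted(event: ClipboardEvent, whitelist: list[str]) -> bool:
    """Sysmon image conditions are case-insensitive, so compare folded paths."""
    return event.image.casefold() in {p.casefold() for p in whitelist}


def is_remote_session(event: ClipboardEvent) -> bool:
    # Assumption: ClientInfo carries "hostname:" only for remote sessions
    # (the article: originating hostname and IP appear for remote sessions).
    return "hostname:" in event.client_info.casefold()


def archive_file_name(event: ClipboardEvent) -> Optional[str]:
    """Name of the archived clipboard file, or None if nothing was archived.
    Assumption: the file is named <hash-hex>.CLIP inside the archive directory."""
    if not event.archived:
        return None
    _algo, _, digest = event.hashes.partition("=")
    return f"{digest}.CLIP"


def triage(xml_text: str, whitelist: list[str]) -> list[dict]:
    """Drop whitelisted writers (e.g. a password manager) and annotate the rest."""
    findings = []
    for ev in parse_clipboard_events(xml_text):
        if is_whitelisted(ev, whitelist):
            continue
        findings.append({"time": ev.utc_time, "image": ev.image, "session": ev.session,
                         "remote": is_remote_session(ev),
                         "archive_file": archive_file_name(ev)})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, [r"C:\Program Files\KeePass\KeePass.exe"]):
        print(finding)
```

Run stand-alone, the script prints only the notepad write from the RDP session; the KeePass write is dropped exactly as it would be by an exclude rule, which is the behaviour you want to confirm before trusting that passwords are not landing in the archive directory.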

You may not be aware of this, but text from the clipboard is captured by the remote server when you switch to it in an RDP session. If you have something on your clipboard and switch between RDP sessions, that information travels with you.

Let's summarize Sysmon's clipboard capabilities.

Recorded:

  • Copy/paste of text via RDP and locally;
  • Capture of clipboard data by various tools/processes;
  • Copy/paste of text from/to the local virtual machine, even if the text has not yet been pasted.

Not recorded:

  • Copy/paste of files from/to the local virtual machine;
  • Copy/paste of files via RDP;
  • Malware that hijacks your clipboard and only writes to the clipboard itself.

Despite its ambiguity, this event type will let you reconstruct an attacker's sequence of actions and help uncover previously unavailable data for post-mortems after attacks. If writing clipboard contents to disk remains enabled, it is important to log all access to the archive directory and identify potentially dangerous access (anything not initiated by sysmon.exe).
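One way to act on the last recommendation is to audit the archive directory and filter the resulting Windows object-access records. The following is an added example, not code from the article or from Quest or Sysinternals: it takes constructed Security Event ID 4663 records (which only appear after "Audit File System" is enabled and a SACL is set on the directory), keeps those whose object lies under the archive directory, and reports every one whose process is not the Sysmon service binary. The `C:\Sysmon` archive path and the `C:\Windows\Sysmon64.exe` service image are assumptions to adjust for your installation.

```python
"""Flag access to the Sysmon archive directory that did not come from Sysmon
itself, using Windows object-access audit records (Security Event ID 4663).

Added example, not code from the article or from Quest/Sysinternals. The records
are constructed; the archive path and Sysmon image paths are assumptions."""
from __future__ import annotations

from pathlib import PureWindowsPath

# Constructed audit records carrying only the 4663 fields this check needs.
# The .CLIP file name is shortened for readability; real names are full hashes.
SAMPLE_RECORDS = [
    {"EventID": 4663, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\Sysmon64.exe",
     "ObjectName": r"C:\Sysmon\0123456789ABCDEF.CLIP", "AccessMask": "0x2"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"c:\sysmon\0123456789ABCDEF.CLIP", "AccessMask": "0x1"},
    {"EventID": 4663, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\notepad.exe",
     "ObjectName": r"C:\Users\alice\notes.txt", "AccessMask": "0x1"},
    {"EventID": 4656, "SubjectUserName": "alice",
     "ProcessName": r"C:\Windows\System32\cmd.exe",
     "ObjectName": r"C:\Sysmon\0123456789ABCDEF.CLIP", "AccessMask": "0x10000"},
]

# Assumption: the Sysmon service binary lives at one of these paths; update the
# tuple if the service was installed under a different name or location.
SYSMON_IMAGES = (r"C:\Windows\Sysmon.exe", r"C:\Windows\Sysmon64.exe")

# File access rights as defined in the Windows SDK.
FILE_READ_DATA, FILE_WRITE_DATA, DELETE = 0x1, 0x2, 0x10000


def is_under(path: str, directory: str) -> bool:
    """Containment check; PureWindowsPath compares case-insensitively like NTFS."""
    return PureWindowsPath(directory) in PureWindowsPath(path).parents


def describe_access(mask: str) -> list[str]:
    """Translate the hex AccessMask into the rights that matter for archived files."""
    bits = int(mask, 16)
    names = []
    if bits & FILE_READ_DATA:
        names.append("read")
    if bits & FILE_WRITE_DATA:
        names.append("write")
    if bits & DELETE:
        names.append("delete")
    return names or ["other"]


def find_unexpected_access(records: list[dict], archive_dir: str = r"C:\Sysmon",
                           allowed_images: tuple[str, ...] = SYSMON_IMAGES) -> list[dict]:
    """Return accesses to files under archive_dir by any process other than Sysmon."""
    allowed = {p.casefold() for p in allowed_images}
    findings = []
    for rec in records:
        if rec.get("EventID") != 4663:
            continue  # 4663 is the completed access; 4656 is only the handle request
        if not is_under(rec["ObjectName"], archive_dir):
            continue  # file outside the archive directory
        if rec["ProcessName"].casefold() in allowed:
            continue  # Sysmon writing its own archive is expected
        findings.append({"user": rec["SubjectUserName"], "process": rec["ProcessName"],
                         "object": rec["ObjectName"],
                         "access": describe_access(rec["AccessMask"])})
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_access(SAMPLE_RECORDS):
        print(finding)
```

The allowlist is keyed on the full image path rather than the bare file name, so a copy of notepad.exe renamed to Sysmon64.exe in a user directory would still be reported; if you rename the Sysmon service binary at install time, the tuple has to follow.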

To log, analyze, and react to the events described above, you can use the InTrust tool, which combines all three capabilities and, in addition, serves as an effective central repository for all collected raw data. We can set up its integration with popular SIEM systems to reduce licensing costs by offloading the processing and storage of raw data to InTrust.

To learn more about InTrust, read our previous articles or leave a request in the feedback form.

How to reduce the cost of owning a SIEM system and why you need Central Log Management (CLM)

We enable the collection of events about the launch of suspicious processes in Windows and identify threats using Quest InTrust

How InTrust can help reduce the rate of failed authorization attempts via RDP

We detect a ransomware attack, gain access to the domain controller, and try to resist these attacks

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Who did it? We automate security audit information

Source: www.habr.com
