Isu tinogonesa kuunganidzwa kwezviitiko nezve kutangwa kwemaitiro ekufungidzira muWindows uye kuona kutyisidzira uchishandisa Quest InTrust

Imwe yemhando dzakajairika dzekurwiswa ndiko kubereka kwemaitiro akaipa mumuti pasi pemaitiro anoremekedzwa zvachose. Nzira inoenda kune faira inogona kufungidzira: malware inowanzoshandisa AppData kana Temp maforodha, uye izvi hazvifananidzi zvirongwa zviri pamutemo. Kutaura chokwadi, zvinofanirwa kutaura kuti mamwe otomatiki ekugadzirisa zvinoshandiswa anoitwa muAppData, saka kungotarisa nzvimbo yekutangisa hakuna kukwana kuratidza kuti chirongwa chine hutsinye.

Chimwe chekuwedzera chechokwadi ndeye cryptographic siginecha: mazhinji ekutanga mapurogiramu anosainwa nemutengesi. Iwe unogona kushandisa chokwadi chekuti hapana siginecha senzira yekuzivisa zvinhu zvinofungirwa zvekutanga. Asi zvakare kune malware anoshandisa chitupa chakabiwa kuzvisaina.

Iwe unogona zvakare kutarisa kukosha kwe MD5 kana SHA256 cryptographic hashes, iyo inogona kuenderana neimwe yakamboonekwa malware. Iwe unogona kuita static ongororo nekutarisa masiginecha muchirongwa (uchishandisa Yara mitemo kana antivirus zvigadzirwa). Kune zvakare ongororo ine simba (kumhanyisa chirongwa mune imwe nharaunda yakachengeteka uye kutarisa zviito zvayo) uye kudzosera kumashure engineering.

Panogona kuva nezviratidzo zvakawanda zvemaitiro akaipa. Muchikamu chino tichakuudza maitiro ekugonesa kuongororwa kwezviitiko zvakakodzera muWindows, isu tichaongorora zviratidzo izvo mutemo wakavakirwa-mukati unovimba nawo. InTrust kuziva nzira inonyumwira. InTrust ndiyo CLM chikuva yekuunganidza, kuongorora nekuchengetedza data isina kurongeka, iyo inotova nemazana ezvakafanotsanangurwa maitiro kune akasiyana marudzi ekurwiswa.

Kana purogiramu yatangwa, inoiswa mundangariro yekombuta. Iro faira rinoshandiswa rine mirairo yekombiyuta uye mabhuku anotsigira (semuenzaniso, * .dll). Kana maitirwo atove kushanda, anogona kugadzira mamwe tambo. Mathreads anobvumira maitiro kuti aite akasiyana seti yemirairo panguva imwe chete. Kune nzira dzakawanda dzekuti kodhi yakaipa ipinde mundangariro uye kumhanya, ngatitarisei mamwe acho.

Nzira iri nyore yekuvhura nzira yakaipa ndeyekumanikidza mushandisi kuivhura zvakananga (semuenzaniso, kubva kune email yakanamatira), wobva washandisa kiyi yeRunOnce kuivhura pese painobatidzwa komputa. Izvi zvinosanganisirawo "isina faira" malware inochengeta PowerShell zvinyorwa mumakiyi eregistry ayo anourayiwa zvichibva pane inokonzeresa. Mune ino kesi, iyo PowerShell script iine yakaipa kodhi.

Dambudziko rekumhanyisa malware nderekuti inzira inozivikanwa inoonekwa zviri nyore. Imwe malware inoita zvimwe zvinhu zvine hungwaru, sekushandisa imwe nzira kutanga kuita mundangariro. Naizvozvo, maitirwo anogona kugadzira imwe nzira nekumhanyisa chaiyo komputa kuraira uye nekutsanangura faira rinogoneka (.exe) kuti riite.

Iyo faira inogona kutsanangurwa uchishandisa nzira yakazara (semuenzaniso, C: Windowssystem32cmd.exe) kana chidimbu nzira (semuenzaniso, cmd.exe). Kana maitiro ekutanga asina kuchengetedzeka, anobvumira zvirongwa zvisiri pamutemo kuti zvishande. Kurwiswa kunogona kutaridzika seizvi: maitiro anotanga cmd.exe asina kutsanangura nzira yakazara, anorwisa anoisa cmd.exe yake panzvimbo kuitira kuti maitiro aitenga pamberi peiyo yepamutemo. Kana iyo malware yatanga, inogona kuvhura chirongwa chiri pamutemo (senge C: Windowssystem32cmd.exe) kuitira kuti chirongwa chepakutanga chirambe chichishanda nemazvo.

Musiyano wekurwiswa kwekare jekiseni reDLL mukuita kuri pamutemo. Kana maitiro atanga, anowana uye anoremedza maraibhurari anowedzera kushanda kwayo. Uchishandisa jekiseni reDLL, anorwisa anogadzira raibhurari ine hutsinye ine zita rimwechete uye API seiri pamutemo. Iyo purogiramu inotakura raibhurari yakaipa, uye iyo, zvakare, inotakura iri pamutemo, uye, kana zvichidikanwa, inoidaidza kuti iite mashandiro. Raibhurari yakaipa inotanga kuita semumiriri weraibhurari yakanaka.

Imwe nzira yekuisa iyo yakaipa kodhi mundangariro ndeyekuiisa mune isina kuchengetedzeka maitiro ari kutomhanya. Maitiro anogashira mapindiro kubva kwakasiyana masosi - kuverenga kubva kunetiweki kana mafaera. Ivo vanowanzoita cheki kuti vaone kuti iyo yekuisa iri pamutemo. Asi mamwe maitiro haana dziviriro yakakodzera pakuita mirairo. Mukurwiswa uku, hapana raibhurari padhisiki kana faira rinogoneka rine kodhi yakaipa. Zvese zvakachengetwa mundangariro pamwe chete nemaitiro ari kushandiswa.

Zvino ngatitarisei nzira yekugonesa kuunganidzwa kwezviitiko zvakadaro muWindows uye mutemo muInTrust unoshandisa dziviriro kubva mukutyisidzira kwakadaro. Kutanga, ngatiiite kuti iite kuburikidza neInTrust manejimendi console.

Mutemo unoshandisa maitiro ekutevera maitiro eWindows OS. Zvinosuruvarisa, kugonesa kuunganidzwa kwezviitiko zvakadaro hakusi pachena. Pane 3 akasiyana Group Policy marongero aunoda kuchinja:

Kugadzirisa Kombuta> Matemo> Windows Zvirongwa> Chengetedzo Settings> Local Policies> Audit Policy> Audit process tracking

Kugadziriswa kweKombuta> Matemo> Windows Settings> Chengetedzo Settings> Advanced Audit Policy Configuration> Audit Policies> Detailing Tracking> Audit process kugadzirwa

Kugadzirisa Kombuta> Matemu> Administrative Matemplate> Sisitimu> Odhita Maitiro Kusikwa> Sanganisira mutsara wekuraira mune zviitiko zvekugadzira.

Kana yangogoneswa, mitemo yeInTrust inokutendera kuti uone kutyisidzira kwaimbozivikanwa kunoratidza maitiro ekufungira. Somuenzaniso, unogona kuziva zvinotsanangurwa pano Dridex malware. Nekuda kweiyo HP Bromium chirongwa, tinoziva mashandiro anoita kutyisidzira uku.

Muketani yayo yezviito, Dridex inoshandisa schtasks.exe kugadzira basa rakarongwa. Kushandisa iyi chaiyo yekushandisa kubva kumutsara wekuraira inoonekwa seyakanyanya kufungidzira maitiro; kutanga svchost.exe nemaparamita anonongedza kumaforodha evashandisi kana nemaparamita akafanana ne "net view" kana "whoami" mirairo inotaridzika zvakafanana. Heino chidimbu chezvinoenderana SIGMA mitemo:

detection:
    selection1:
        CommandLine: '*svchost.exe C:Users\*Desktop\*'
    selection2:
        ParentImage: '*svchost.exe*'
        CommandLine:
            - '*whoami.exe /all'
            - '*net.exe view'
    condition: 1 of them

MuInTrust, maitiro ese ekufungira anosanganisirwa mumutemo mumwechete, nekuti mazhinji ezviito izvi haana kujeka kune imwe kutyisidzira, asi zviri kufungidzira mune yakaoma uye mu99% yezviitiko zvinoshandiswa kwete zvachose chinangwa. Iyi rondedzero yezviito inosanganisira, asi haina kugumira ku:

• Maitiro anomhanya kubva kunzvimbo dzisina kujairika, senge mushandisi maforodha enguva pfupi.
• Inonyatsozivikanwa system process ine inofungidzira nhaka - kumwe kutyisidzira kunogona kuedza kushandisa zita rehurongwa hwemaitiro kuti urambe usingaonekwe.
• Kufungirwa kuuraya kwezvishandiso zvekutonga zvakaita secmd kana PsExec pavanoshandisa zvitupa zvenzvimbo kana nhaka inofungidzira.
• Suspicious shadow copy operations akajairika maitiro eransomware virus asati avhara system; vanouraya backups:

  - Via vssadmin.exe;
  - Via WMI.

• Nyoresa marara emikoko yese yekunyoresa.
• Kufamba kwakachinjika kwekodhi yakaipa kana maitiro avhurwa kure uchishandisa mirairo senge at.exe.
• Kufungidzira mashandiro eboka renzvimbo uye mashandiro edomasi uchishandisa net.exe.
• Inofungidzira firewall chiitiko uchishandisa netsh.exe.
• Kufungidzira kunyengedza kwe ACL.
• Kushandisa BITS kuburitsa data.
• Kufungira manipulations neWMI.
• Mirairo yemanyorero anofungidzirwa.
• Kuedza kurasa mafaera akachengeteka ehurongwa.

Mutemo wakabatanidzwa unoshanda chaizvo kuona kutyisidzira kwakadai seRUYK, LockerGoga uye imwe ransomware, malware uye cybercrime toolkits. Mutemo wakaedzwa nemutengesi munzvimbo dzekugadzira kuti uderedze zvibodzwa zvenhema. Uye nekuda kweSIGMA purojekiti, mazhinji ezviratidzo izvi anoburitsa huwandu hushoma hwezviitiko zveruzha.

Nokuti MuInTrust uyu mutemo wekutarisa, unogona kuita script yekupindura sekuita kune kutyisidzira. Iwe unogona kushandisa imwe yeakavakirwa-mukati zvinyorwa kana kugadzira yako uye InTrust inozozvigovanisa otomatiki.

Uye zvakare, unogona kuongorora ese ane chekuita nechiitiko telemetry: PowerShell zvinyorwa, maitiro ekuita, akarongwa basa manipulations, WMI administrative chiitiko, uye uzvishandise kune post-mortems panguva yekuchengetedza zviitiko.

InTrust ine mazana emamwe mitemo, mamwe acho:

• Kuona PowerShell downgrade kurwisa ndipo kana mumwe munhu akashandisa nemaune vhezheni yekare yePowerShell nekuti... mushanduro yekare pakanga pasina nzira yekuongorora zvaiitika.
• Kuonekwa kwenzvimbo yepamusoro-soro ndeye apo maakaundi ari nhengo dzerimwe boka rakasarudzika (senge domain administrator) achipinda munzvimbo dzekushandira netsaona kana nekuda kwezviitiko zvekuchengetedza.

InTrust inokutendera kuti ushandise zvakanakisa kuchengetedza maitiro nenzira yekufanotsanangurwa yekuona uye kuita mitemo. Uye kana iwe uchifunga kuti chimwe chinhu chinofanira kushanda zvakasiyana, iwe unogona kuita yako kopi yekutonga uye kuigadzirisa sezvinodiwa. Unogona kuendesa chikumbiro chekuitisa mutyairi wendege kana kuwana makiti ekugovera nemarezinesi enguva pfupi kuburikidza fomu rekupindura pane yedu webhusaiti.

Nyorera kune yedu Facebook peji, tinobudisa zvinyorwa zvipfupi uye zvinofadza zvinongedzo ipapo.

Verenga zvimwe zvinyorwa zvedu nezvekuchengetedza ruzivo:

Iyo InTrust inogona kubatsira sei kudzikisa mwero wekutadza kubvumidzwa kuedza kuburikidza neRDP

Isu tinoona kurwiswa kwaransomware, kuwana mukana wekutonga domain uye edza kuramba kurwiswa uku

Ndezvipi zvinhu zvinobatsira zvinogona kutorwa kubva mumatanda eWindows-based workstation? (chinyorwa chakakurumbira)

Kutsvaga hupenyu hwevashandisi pasina pliers kana duct tepi

Ndiani akazviita? Isu tinogadzirisa ruzivo rwekuchengetedza ongororo

Maitiro ekudzikisa mutengo wemuridzi weSIEM system uye nei uchida Central Log Management (CLM)

Source: www.habr.com