Hunting for attack tactics and techniques using Prefetch files


Trace files, or Prefetch files, have been present in Windows since XP. Since then, they have helped digital forensics and computer incident response specialists find traces of software execution, including malware. Oleg Skulkin, lead computer forensics specialist at Group-IB, explains what you can find using Prefetch files and how to do it.

Prefetch files are stored in the %SystemRoot%\Prefetch directory and serve to speed up program launches. If we look at any of these files, we will see that its name consists of two parts: the name of the executable file and an eight-character checksum of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable, the number of times it was run, the list of files and directories the executable interacted with, and, of course, timestamps. Forensic specialists typically use the creation date of a given Prefetch file to determine when a program was first launched. In addition, these files store the date of the program's last launch, and starting from version 26 (Windows 8.1), the timestamps of the seven most recent runs.

Let's take one of the Prefetch files, extract the data from it using Eric Zimmerman's PECmd, and look at each part of it. To demonstrate, I will extract the data from the file CCLEANER64.EXE-DE05DBE1.pf.

So let's start from the top. Of course, we have the file's creation, modification, and access timestamps:

They are followed by the name of the executable file, the checksum of the path to it, the size of the executable, and the version of the Prefetch file:

Since we are dealing with Windows 10, next we will see the run count, the date and time of the last run, and seven more timestamps indicating the dates of previous runs:

This is followed by information about the volume, including its serial number and creation date:

Last but not least, the list of directories and files the executable interacted with:

So, the directories and files the executable interacted with are exactly what I want to focus on today. This data allows digital forensics, incident response, or threat hunting specialists to establish not only the fact that a given file was executed, but also, in some cases, to reconstruct the specific tactics and techniques of the attackers. Today, attackers quite often use tools that permanently delete data, for example SDelete, so the ability to recover at least the slightest traces of the use of particular tactics and techniques is simply necessary for any modern defender: a computer forensics specialist, an incident response specialist, a ThreatHunter specialist.

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercriminal groups are quite original in their choice of attachments. For example, the Silence group used files in the CHM (Microsoft Compiled HTML Help) format for this. So, we have before us another technique: Compiled HTML File (T1223). Such files are opened by hh.exe, so if we extract the data from its Prefetch file, we will find out which file the victim opened:

Let's continue with examples from real cases and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract the data from the Prefetch file for cmstp.exe, we can again find out what exactly was launched:

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also frequently used by attackers for execution. Here is another example from the Cobalt group: if we extract the data from the Prefetch file for regsvr32.exe, we will again see what was launched:

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. Carbanak/FIN7 used this technique to maintain a foothold in the system. Application compatibility databases (.sdb) are usually handled with sdbinst.exe. Therefore, the Prefetch file of this executable can help us find out the names of such databases and their locations:

As you can see in the illustration, we have not only the name of the file used for installation, but also the name of the installed database.

Let's look at one of the most common examples of Lateral Movement (TA0008): PsExec, which uses Windows Admin Shares (T1077). A service named PSEXESVC (of course, any other name can be used if the attackers passed the -r parameter) will be created on the target system, so if we extract the data from its Prefetch file, we will see what was launched:

I will probably end where I started: File Deletion (T1107). As I have already noted, many attackers use SDelete to permanently delete files at various stages of the attack lifecycle. If we look at the data from the Prefetch file for sdelete.exe, we will see what exactly was deleted:

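The hunting logic the article walks through, written up as an added example that is not from the article or from Group-IB: given Prefetch files already parsed into records, it maps the executables named above to the technique IDs the article gives them and surfaces the non-system files each one touched. The record shape, the volume path and the file names are constructed for this example and are not PECmd's output format.

```python
import re
from typing import Dict, List, Tuple

# Executables the article ties to ATT&CK techniques (IDs as given there). For each,
# the files the process touched outside \WINDOWS\ are the attacker-supplied
# artefacts worth reporting: CHM, INF/script, DLL/SCT, SDB, payload, wiped file.
RULES: Dict[str, Tuple[str, str]] = {
    "HH.EXE":       ("T1223", "Compiled HTML File"),
    "CMSTP.EXE":    ("T1191", "CMSTP"),
    "REGSVR32.EXE": ("T1117", "Regsvr32"),
    "SDBINST.EXE":  ("T1138", "Application Shimming"),
    "PSEXESVC.EXE": ("T1077", "Windows Admin Shares (PsExec)"),
    "SDELETE.EXE":  ("T1107", "File Deletion (SDelete)"),
}
# Prefetch file name = executable name + '-' + eight hex chars hashing the path.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
# Loader noise: system DLLs and anything under \WINDOWS\ are not the attacker's file.
NOISE = re.compile(r"\\WINDOWS\\|\.(DLL|MUI|NLS)$", re.IGNORECASE)


def split_prefetch_name(name: str) -> Tuple[str, str]:
    """Split 'CCLEANER64.EXE-DE05DBE1.pf' into ('CCLEANER64.EXE', 'DE05DBE1')."""
    m = PF_NAME.match(name)
    if not m:
        raise ValueError(f"not a Prefetch file name: {name}")
    return m.group("exe").upper(), m.group("hash").upper()


def hunt(records: List[dict]) -> List[dict]:
    """Return one finding per suspicious referenced file, tagged with its technique."""
    findings = []
    for rec in records:
        exe, _ = split_prefetch_name(rec["prefetch"])
        if exe not in RULES:          # e.g. CCLEANER64.EXE: no rule, benign here
            continue
        tid, tname = RULES[exe]
        for path in rec["files"]:
            if not NOISE.search(path):
                findings.append({"technique": tid, "name": tname, "executable": exe,
                                 "artefact": path, "run_count": rec["run_count"]})
    return findings


# Constructed sample records (record shape is this example's assumption, not PECmd's).
VOL = r"\VOLUME{01d00000deadbeef-00000000}"   # constructed volume path prefix
SAMPLE = [
    {"prefetch": "HH.EXE-1A2B3C4D.pf", "run_count": 1,
     "files": [VOL + r"\WINDOWS\SYSTEM32\NTDLL.DLL", VOL + r"\USERS\USER\DOWNLOADS\INVOICE.CHM"]},
    {"prefetch": "SDBINST.EXE-5E6F7A8B.pf", "run_count": 2,
     "files": [VOL + r"\WINDOWS\SYSTEM32\APPHELP.DLL", VOL + r"\USERS\USER\APPDATA\LOCAL\TEMP\FIX.SDB"]},
    {"prefetch": "CCLEANER64.EXE-DE05DBE1.pf", "run_count": 5,
     "files": [VOL + r"\PROGRAM FILES\CCLEANER\CCLEANER64.EXE"]},
]
```

Running `hunt(SAMPLE)` yields two findings, T1223 pointing at INVOICE.CHM and T1138 pointing at FIX.SDB, while the CCleaner record produces none.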

Of course, this is not an exhaustive list of the techniques that can be discovered during the analysis of Prefetch files, but it should be enough to show that such files can help not only find traces of program execution, but also reconstruct specific attacker tactics and techniques.

Source: www.habr.com
