What useful information can be extracted from the logs of a Windows-based workstation?

From an information-security point of view, the user's workstation is the most vulnerable point in the infrastructure. A user may receive a message in their work mailbox that appears to come from a trusted source but carries a link to an infected site. Or someone downloads a "useful" utility for work from an unknown location. In short, there are many scenarios in which malware can reach internal company resources by way of the users. Workstations therefore deserve extra attention, and in this article we explain where to look and which events to watch in order to detect an attack.


To detect an attack at the earliest possible stage, Windows offers three useful event sources: the Security event log, the system monitoring (Sysmon) log, and the PowerShell logs.

Security event log

This is the primary store of the system's security log. It holds user logon/logoff events, object access, policy changes and other security-related activity, provided, of course, that the appropriate audit policy is configured.


Enumeration of users and groups (events 4798 and 4799). At the very start of an attack, malware often enumerates the local user accounts and local groups on the workstation to find credentials for its further activity. These events help detect malicious code before it executes and, using the collected data, spreads to other systems.

Creation of local accounts and changes to local groups (events 4720, 4722-4726, 4738, 4740, 4767, 4780, 4781, 4794, 5376 and 5377). An attack may begin, for example, by adding a new user to the local Administrators group.

Logon attempts with a local account (event 4624). Well-behaved users log on with a domain account, so a logon with a local account can mean the start of an attack. Event 4624 also covers logons with domain accounts, so when processing these events you must filter out those in which the account domain differs from the workstation name (those are domain logons) and keep the rest.

Logon attempts with explicit credentials (event 4648). This happens when a program runs in "run as" mode. It should not occur during the normal operation of applications, so such events must be monitored. In practice it also fires for scheduled tasks and services that run with stored credentials, so baseline the usual sources before alerting on every occurrence.

Workstation lock/unlock (events 4800-4803). Any activity that takes place while the workstation is locked belongs in the suspicious category.

Windows Firewall configuration changes (events 4944-4958). Obviously, installing new software may change firewall settings, which produces false positives. In most cases there is no need to monitor such changes, but it certainly does no harm to know about them.

Connection of Plug'n'Play devices (event 6416, Windows 10 and later only). This is worth watching when users normally never connect new devices to the workstation but suddenly start doing so.
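The Security-log checks described above, as an added example that is not part of the original article. It pulls the last 24 hours of the listed event IDs, applies the local-account filter to 4624 (account domain equal to the machine name, human logon types only) and prints one line per finding. It assumes the Logon/Logoff and Account Management subcategories are audited and that it runs in an elevated PowerShell, because the Security log is readable only by administrators.

```powershell
# Added example (not from the original article): triage of Security-log events
# from the workstation-attack checklist above.
# Assumptions: audit policy for Logon/Logoff and Account Management is enabled,
# and the script runs elevated.

$since = (Get-Date).AddHours(-24)
$ids   = 4624, 4648, 4720, 4722, 4725, 4726, 4738, 4740, 4798, 4799, 6416

# Turn the <EventData> of an event record into a hashtable keyed by field name.
# The Message text differs between locales; the XML field names do not.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    return $data
}

function New-Finding($Event, $Detail) {
    [pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Detail = $Detail }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$findings = foreach ($e in $events) {
    $d = Get-EventData $e
    switch ($e.Id) {
        4624 {
            # A LOCAL account logon is one whose account domain is the machine name;
            # domain users carry the AD domain in that field. Keep the logon types a
            # person produces (2 console, 7 unlock, 10 RDP, 11 cached) and skip
            # computer accounts, whose names end in '$'.
            if ($d.TargetDomainName -eq $env:COMPUTERNAME -and
                $d.LogonType -in @('2', '7', '10', '11') -and
                $d.TargetUserName -notmatch '\$$') {
                New-Finding $e "local-account logon: $($d.TargetUserName) type $($d.LogonType) from $($d.IpAddress)"
            }
        }
        4648 {
            New-Finding $e "explicit credentials: $($d.SubjectUserName) ran $($d.ProcessName) as $($d.TargetDomainName)\$($d.TargetUserName)"
        }
        { $_ -in 4798, 4799 } {
            New-Finding $e "enumeration of $($d.TargetUserName) by $($d.SubjectUserName) via $($d.CallerProcessName)"
        }
        6416 {
            New-Finding $e "new device: $($d.DeviceDescription) ($($d.ClassName))"
        }
        default {
            # Remaining IDs are account-management events (4720, 4722-4726, 4738, 4740).
            New-Finding $e "account management on $($d.TargetUserName) by $($d.SubjectUserName)"
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize -Wrap
```

On a joined workstation the 4648 and enumeration rules will surface legitimate activity (scheduled tasks, management agents, explorer.exe reading group membership); the point of the table is to learn what normal looks like on the machine and then alert only on the caller process names you have not seen before.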

Windows advanced audit policy has ten categories (counting Global Object Access Auditing) and more than fifty subcategories for fine-tuning. The minimum set of subcategories that should be enabled is:

Logon/Logoff

  • Logon;
  • Logoff;
  • Account Lockout;
  • Other Logon/Logoff Events.

Account Management

  • User Account Management;
  • Security Group Management.

Policy Change

  • Audit Policy Change;
  • Authentication Policy Change;
  • Authorization Policy Change.
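The minimum subcategory set above, applied and verified with auditpol, as an added example that is not part of the original article. It assumes an elevated PowerShell and that the machine is not receiving an Advanced Audit Policy from a GPO; if it is, make the same change in the GPO instead, because Group Policy refresh overwrites the local auditpol settings.

```powershell
# Added example (not from the original article): enable the minimum audit
# subcategories listed above and check the effective policy afterwards.
# Assumption: no GPO manages Advanced Audit Policy on this machine.

$required = @(
    'Logon', 'Logoff', 'Account Lockout', 'Other Logon/Logoff Events',   # Logon/Logoff
    'User Account Management', 'Security Group Management',              # Account Management
    'Audit Policy Change', 'Authentication Policy Change',
    'Authorization Policy Change'                                        # Policy Change
)

foreach ($sub in $required) {
    # Success and failure: a failed logon or a failed group change is at least
    # as interesting as a successful one in the early phase of an attack.
    auditpol /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol failed for '$sub'" }
}

# /r prints the effective policy as CSV; ConvertFrom-Csv turns it into objects
# with the columns Subcategory, Inclusion Setting, Exclusion Setting, ...
$policy = auditpol /get /category:* /r | ConvertFrom-Csv

$gaps = $policy | Where-Object {
    $_.Subcategory -in $required -and $_.'Inclusion Setting' -ne 'Success and Failure'
}

if ($gaps) {
    Write-Warning 'Subcategories still not fully audited:'
    $gaps | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
} else {
    "All $($required.Count) required subcategories audit success and failure."
}
```

Subcategory settings only take effect if the legacy per-category policy does not override them; the security option "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" must be enabled, which is its default on current Windows versions but worth confirming on machines with old GPO baselines.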

System monitoring (Sysmon)

Sysmon is a Sysinternals tool that records system activity to its own event log (Microsoft-Windows-Sysmon/Operational). It is not part of a default Windows installation and has to be installed separately.


Many of the same events can in principle be obtained from the Security log (by enabling the corresponding audit policy), but Sysmon provides more detail. Which events are worth taking from Sysmon?
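A minimal Sysmon configuration covering the event types discussed in this section, written out and installed from PowerShell, as an added example that is not part of the original article. Assumptions: Sysmon64.exe from the Sysinternals suite is in C:\Tools, the script runs elevated, and the include/exclude rules are a starting point to be tuned for the environment, not a finished production configuration.

```powershell
# Added example (not from the original article): install or reload a minimal
# Sysmon configuration. Assumed paths: C:\Tools\Sysmon64.exe and the config below.

$sysmonExe  = 'C:\Tools\Sysmon64.exe'
$configPath = 'C:\Tools\sysmon-workstation.xml'

# onmatch="exclude" with no child rules means "log everything of this type";
# onmatch="include" logs only what the child rules match.
$config = @'
<Sysmon schemaversion="4.50">
  <HashAlgorithms>sha256</HashAlgorithms>
  <EventFiltering>
    <ProcessCreate onmatch="exclude" />                       <!-- ID 1: every process, with hash -->
    <FileCreateTime onmatch="exclude" />                      <!-- ID 2: creation-time changes -->
    <NetworkConnect onmatch="include">                        <!-- ID 3: only from script hosts -->
      <Image condition="image">powershell.exe</Image>
      <Image condition="image">rundll32.exe</Image>
      <Image condition="image">mshta.exe</Image>
    </NetworkConnect>
    <DriverLoad onmatch="exclude" />                          <!-- ID 6 -->
    <ImageLoad onmatch="include">                             <!-- ID 7: unsigned DLLs only -->
      <Signed condition="is">false</Signed>
    </ImageLoad>
    <CreateRemoteThread onmatch="exclude" />                  <!-- ID 8 -->
    <RawAccessRead onmatch="exclude" />                       <!-- ID 9 -->
    <FileCreate onmatch="include">                            <!-- ID 11: user-writable area -->
      <TargetFilename condition="begin with">C:\Users</TargetFilename>
    </FileCreate>
    <RegistryEvent onmatch="include">                         <!-- ID 12-14: autorun keys -->
      <TargetObject condition="contains">\CurrentVersion\Run</TargetObject>
    </RegistryEvent>
    <FileCreateStreamHash onmatch="include">                  <!-- ID 15: downloaded executables -->
      <TargetFilename condition="end with">.exe</TargetFilename>
    </FileCreateStreamHash>
    <PipeEvent onmatch="exclude" />                           <!-- ID 17-18 -->
    <WmiEvent onmatch="exclude" />                            <!-- ID 19-21 -->
  </EventFiltering>
</Sysmon>
'@

Set-Content -Path $configPath -Value $config -Encoding UTF8

if (Get-Service -Name Sysmon64 -ErrorAction SilentlyContinue) {
    & $sysmonExe -c $configPath               # service already present: reload the rules only
} else {
    & $sysmonExe -accepteula -i $configPath   # first install: registers the driver and service
}

# Check that the log exists and is receiving events.
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -MaxEvents 5 |
    Select-Object TimeCreated, Id, ProviderName
```

The ImageLoad and FileCreate rules are the two that generate volume on a busy workstation; if the log wraps too quickly, narrow them (for example to DLLs loaded from user-writable paths) rather than switching the event types off entirely.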

Process creation (Event ID 1). The Security log can tell you when an *.exe started and show its name and launch path, but unlike Sysmon it cannot show the hash of the executable. Malware may be given an innocent name such as notepad.exe, but the hash brings it to light.

Network connection (Event ID 3). Obviously there are a great many network connections and it is impossible to track them all. But it is important to note that Sysmon, unlike the Security log, ties each network connection to the ProcessId and ProcessGuid fields and records the source and destination ports and IP addresses.

Changes to the system registry (Event IDs 12-14). The easiest way to add oneself to autorun is a registry entry. The Security log can record this too, but Sysmon shows which process made the change, when, under which user, the process ID and the value that was written.

File creation (Event ID 11). Unlike the Security log, which needs an object-access SACL on the directory, Sysmon records the full path of the created file together with the process that created it. Obviously you cannot track everything, but you can watch specific directories.

And now the events that have no Security-log equivalent but are available in Sysmon:

File creation time changed (Event ID 2). Some malware alters the creation date of a file to hide it from reports of recently created files.

Loading of drivers and dynamic libraries (Event IDs 6-7). Monitor which DLLs and device drivers are loaded into memory, and check their digital signatures and validity.

Creation of a thread in a running process (Event ID 8). Another attack technique (code injection into another process) that also needs watching.

RawAccessRead events (Event ID 9). Reads of the disk through a raw device path of the form \\.\ . In most cases such activity should be treated as anomalous; it is how tools copy locked files such as the SAM or NTDS.dit without going through the file system.

Named file stream created (Event ID 15). The event is logged when a named file stream (alternate data stream) is created and includes a hash of the stream contents. In practice it catches files downloaded by browsers, which receive a Zone.Identifier stream.

Named pipe created and connected (Event IDs 17-18). Tracks malicious code that communicates with its other components over a named pipe.

WMI activity (Event ID 19, together with 20 and 21). Records the registration of WMI event filters, consumers and the bindings between them, which is a common persistence mechanism.

To protect Sysmon itself, keep an eye on events with ID 4 (Sysmon service state changed, i.e. stopped or started) and ID 16 (Sysmon configuration changed).
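A triage pass over the Sysmon log that applies the points made above, as an added example that is not part of the original article: the notepad.exe-with-the-wrong-hash case from the process-creation paragraph, creation-time changes, remote threads, raw disk reads, and tampering with Sysmon itself. It assumes Sysmon is installed with SHA256 hashing and the script runs elevated; the reference hash is taken from the machine's own notepad.exe, which is an assumption that the binary in System32 is trustworthy.

```powershell
# Added example (not from the original article): alerting rules over the
# Sysmon operational log. Assumptions: sha256 in <HashAlgorithms>, elevated shell,
# and System32\notepad.exe is the known-good reference build.

$since = (Get-Date).AddHours(-24)
$ids   = 1, 2, 4, 8, 9, 16
$knownNotepad = (Get-FileHash -Algorithm SHA256 "$env:SystemRoot\System32\notepad.exe").Hash

# <EventData> fields as a hashtable keyed by name (Sysmon field names are stable).
function Get-EventData($Event) {
    $data = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = $ids; StartTime = $since
} -ErrorAction SilentlyContinue

$alerts = foreach ($e in $events) {
    $d = Get-EventData $e
    $why = switch ($e.Id) {
        1 {
            # Hashes looks like "SHA256=ABCD...,MD5=..." depending on the config.
            $sha256 = if ($d.Hashes -match 'SHA256=([0-9A-Fa-f]+)') { $Matches[1] }
            $name   = Split-Path $d.Image -Leaf
            if ($name -ieq 'notepad.exe' -and $sha256 -ne $knownNotepad) {
                "notepad.exe with unexpected hash $sha256 ($($d.CommandLine))"
            } elseif ($d.OriginalFileName -and $d.OriginalFileName -ne '-' -and
                      $d.OriginalFileName -ine $name) {
                # PE version info says the file was built under another name: a renamed binary.
                "renamed binary: $($d.Image) is really $($d.OriginalFileName)"
            }
        }
        2  { "timestomp: $($d.Image) moved creation time of $($d.TargetFilename) from $($d.PreviousCreationUtcTime) to $($d.CreationUtcTime)" }
        4  { "Sysmon service state changed: $($d.State)" }
        8  { "remote thread: $($d.SourceImage) -> $($d.TargetImage)" }
        9  { "raw disk read of $($d.Device) by $($d.Image)" }
        16 { "Sysmon configuration changed: $($d.Configuration) (hash $($d.ConfigurationFileHash))" }
    }
    if ($why) { [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Alert = $why } }
}

$alerts | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Event ID 2 is the noisy rule: installers, browsers and file-sync clients legitimately set creation times, so in a real deployment filter it to executable and script extensions, or to files under user-writable paths, before paging anyone on it.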

PowerShell logs

PowerShell is a powerful tool for managing Windows infrastructure, so there is a high probability that an attacker will choose it. There are two sources of PowerShell event data: the Windows PowerShell log and the Microsoft-Windows-PowerShell/Operational log.

Windows PowerShell log


Provider loaded (Event ID 600). PowerShell providers are components that expose a data store for PowerShell to browse and manage; the built-in providers include, for example, the Windows environment variables and the system registry. The appearance of new providers should be monitored so that malicious activity is noticed in time. For example, if WSMan shows up among the loaded providers, a remote PowerShell session has been started.

Microsoft-Windows-PowerShell/Operational log (or Microsoft-Windows-PowerShellCore/Operational in PowerShell 6 and later)


Module logging (Event ID 4103). These events record every command executed together with the parameters it was called with.

Script block logging (Event ID 4104). Records every block of PowerShell code that is executed. Even if an attacker obfuscates the command, this event shows the PowerShell code that was actually run, because it is captured at the point where PowerShell compiles it, after decoding. Because the same mechanism also captures calls made from a script into .NET APIs, the low-level calls an attacker makes become visible too. These events are normally logged at Verbose level, but if a code block contains a suspicious command or script pattern it is logged at Warning severity.
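Enabling both logs and reading back the Warning-level script blocks, as an added example that is not part of the original article. It writes the same policy registry keys that the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" GPO settings write, then reassembles the 4104 records of the last 24 hours, since a long script is split across several records that share a ScriptBlockId. It assumes an elevated PowerShell and that no GPO already manages these keys (if one does, change the GPO instead).

```powershell
# Added example (not from the original article): enable module and script block
# logging via the policy registry keys, then collect Warning-level 4104 blocks.
# Assumption: elevated shell; these keys are not managed by Group Policy.

$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

# Module logging (event 4103): each cmdlet invocation with its bound parameters.
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
New-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*' `
                 -PropertyType String -Force | Out-Null    # '*' = all modules

# Script block logging (event 4104): the code as PowerShell compiles it, i.e. decoded.
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord

# PowerShell's built-in list of suspicious terms (Add-Type, FromBase64String,
# VirtualAlloc, Mimikatz, ...) raises a block from Verbose to Warning (Level 3),
# so Level alone is a useful first filter.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; Level = 3; StartTime = $since
} -ErrorAction SilentlyContinue

# 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText,
# [3] ScriptBlockId, [4] Path. Reassemble the parts of each block in order.
$blocks = $events | ForEach-Object {
    [pscustomobject]@{
        Time  = $_.TimeCreated
        Id    = $_.Properties[3].Value
        Part  = [int]$_.Properties[0].Value
        Total = [int]$_.Properties[1].Value
        Text  = $_.Properties[2].Value
        Path  = $_.Properties[4].Value
    }
} | Group-Object Id | ForEach-Object {
    $parts = $_.Group | Sort-Object Part
    [pscustomobject]@{
        Time   = $parts[0].Time
        Path   = if ($parts[0].Path) { $parts[0].Path } else { '<interactive or in-memory>' }
        Parts  = "$($parts.Count)/$($parts[0].Total)"
        Script = ($parts.Text -join '')
    }
}

$blocks | Sort-Object Time | Format-List Time, Path, Parts, Script
```

An empty Path is itself a signal: code delivered with -EncodedCommand, through Invoke-Expression, or downloaded straight into memory has no script file behind it, while administrators' scripts normally do. Note also that since PowerShell 5.0 the Warning-level blocks are written even when script block logging is not enabled by policy, so a workstation with the default configuration already holds some of this evidence.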

Bear in mind that once a tool is configured to collect and analyse these events, additional tuning time will be needed to bring the number of false positives down.

Tell us in the comments which logs you collect for information-security auditing and which tools you use to do it. One of our focus areas is solutions for auditing information-security events. To solve the problem of collecting and analysing logs, we suggest taking a look at Quest InTrust, which compresses stored data at a ratio of 20:1, and a single installed instance of which can process up to 60,000 events per second from 10,000 sources.

Source: www.habr.com
