Landela iifayile, okanye iifayile zokulanda, bezikho kwiWindows ukusukela kwiXP. Ukusukela ngoko, baye banceda i-digital forensics kunye neengcali zokuphendula ngeziganeko zekhompyuter ukuba zifumane umkhondo wesoftware, kubandakanya ne-malware. Ingcali ekhokelayo kwi-forensics yekhompyuter IQela-IB Oleg Skulkin ikuxelela into onokuyifumana usebenzisa iifayile zePrefetch kunye nendlela yokwenza.
Iifayile zokulanda kwangaphambili zigcinwa kulawulo I-%SystemRoot%Prefetch kunye nokusebenza ukukhawulezisa inkqubo yokuqalisa iinkqubo. Ukuba sijonga nayiphi na yezi fayile, siya kubona ukuba igama layo liqukethe iinxalenye ezimbini: igama lefayile ephunyeziweyo kunye nokukhangela abalinganiswa abasibhozo ukusuka kwindlela eya kuyo.
Iifayile zokulanda kwangaphambili ziqulathe ulwazi oluninzi oluluncedo ukusuka kwindawo yemboniselo yenkundla: igama lefayile ephunyezwayo, inani lamaxesha ephunyeziweyo, uluhlu lweefayile kunye nabalawuli apho ifayile ephunyeziweyo idityanelwe khona, kwaye, kunjalo, izitampu zexesha. Ngokwesiqhelo, izazinzulu zasenkundleni zisebenzisa umhla wokuyilwa kwefayile ethile yokuFakela kwangaphambili ukumisela umhla wokuphehlelelwa kwenkqubo okokuqala. Ukongeza, ezi fayile zigcina umhla wokuphehlelelwa kwayo kokugqibela, kwaye ziqala kwinguqulo 26 (Windows 8.1) - izitampu zexesha zemitsi esixhenxe yamva nje.
Masithathe enye yeefayile zokulanda, sikhuphe idatha kuyo sisebenzisa iPECmd ka-Eric Zimmerman kwaye sijonge indawo nganye yayo. Ukubonisa, ndiya kukhupha idatha kwifayile I-CCLEANER64.EXE-DE05DBE1.pf.
Ngoko masiqale ukusuka phezulu. Ewe kunjalo, sinokudala iifayile, uhlengahlengiso, kunye nesitampu sexesha lokufikelela:
Zilandelwa ligama lefayile ephunyezwayo, i-checksum yendlela eya kuyo, ubungakanani befayile ephunyezwayo, kunye noguqulelo lwefayile yokulanda kwangaphambili:
Kuba sijongene Windows 10, ngokulandelayo siza kubona inani lokuqalisa, umhla kunye nexesha lokuqalisa kokugqibela, kunye nezitampu zamaxesha ezisixhenxe ezibonisa imihla yangaphambili yokuphehlelelwa:
Oku kulandelwa lulwazi malunga nomthamo, kubandakanywa inombolo yothotho kunye nomhla wokudala:
Okokugqibela kodwa kuluhlu lwabalawuli kunye neefayile eziphunyeziweyo ezidityaniswe nazo:
Ke, abalawuli kunye neefayile eziphunyeziweyo ezidityaniswe nazo zizo kanye endifuna ukugxila kuzo namhlanje. Yile datha evumela iingcali kwi-forensics yedijithali, impendulo yezehlo zekhompyutheni, okanye ukuzingela ngokukrakra ukuseka kungekuphela nje inyaniso yokuphunyezwa kwefayile ethile, kodwa kwakhona, kwezinye iimeko, ukwakha kwakhona amaqhinga athile kunye nobuchule babahlaseli. Namhlanje, abahlaseli bahlala besebenzisa izixhobo zokucima ngokusisigxina idatha, umzekelo, i-SDelete, ngoko ke ukukwazi ukubuyisela ubuncinci beendlela zokusetyenziswa kwamaqhinga athile kunye nobuchule buyimfuneko kuye nawuphi na umkhuseli wale mihla - ingcali ye-computer ye-forensics, ingcali yokuphendula isiganeko, i-ThreatHunter. ingcaphephe.
Masiqale ngeqhinga loFikelelo lokuqala (TA0001) kunye neyona ndlela idumileyo, iSpearphishing Attachment (T1193). Amanye amaqela e-cybercriminal anobuchule bokukhetha utyalo-mali. Umzekelo, iqela elithi Thulisa lisebenzise iifayile kwi-CHM (uNcedo lwe-HTML oluqokelelweyo lweMicrosoft) kule nto. Ke, sinalo phambi kwethu obunye ubuchule-Ifayile yeHTML ehlanganisiweyo (T1223). Iifayile ezinjalo ziqaliswa kusetyenziswa hh.exe, ke ngoko, ukuba sikhupha idatha kwifayile yayo yokulanda, siya kufumanisa ukuba yeyiphi ifayile eyavulwa lixhoba:
Masiqhubeke sisebenza ngemizekelo evela kwiimeko zokwenyani kwaye sidlulele kwiqhinga elilandelayo lokuSebenza (TA0002) kunye nobuchule be-CSMTP (T1191). IsiFakelo seProfayile yoMphathi woQhagamshelwano lukaMicrosoft (CMSTP.exe) sinokusetyenziswa ngabahlaseli ukuqhuba imibhalo eyingozi. Umzekelo omhle liqela leCobalt. Ukuba sikhupha idatha kwifayile yokulanda kwangaphambili cmstp.exe, emva koko sinokuphinda sifumanise ukuba yintoni kanye kanye eyasungulwa:
Obunye ubuchule obudumileyo yiRegsvr32 (T1117). Regsvr32.exe ikwasetyenziswa rhoqo ngabahlaseli ukuqalisa. Nanku omnye umzekelo osuka kwiqela le-Cobalt: ukuba sikhupha idatha kwifayile ye-Prefetch regsvr32.exe, emva koko kwakhona siza kubona oko kwasungulwa:
Amaqhinga alandelayo yi-Persistence (TA0003) kunye nePrivilege Escalation (TA0004), kunye ne-Application Shimming (T1138) njengobuchule. Obu buchule busetyenziswe yiCarbanak/FIN7 ukuqinisa inkqubo. Ngokuqhelekileyo isetyenziselwa ukusebenza ngogcino lwenkqubo oluhambelanayo (.sdb) sdbinst.exe. Ke ngoko, iFayile yokulanda kwangaphambili yale nto iphunyeziweyo inokusinceda sifumane amagama oovimba beenkcukacha kunye neendawo zabo:
Njengoko unokubona kumzekeliso, asinalo kuphela igama lefayile esetyenziselwa ukufakela, kodwa kunye negama ledatha efakiweyo.
Makhe sijonge omnye wemizekelo eqhelekileyo yosasazo lwenethiwekhi (TA0008), PsExec, usebenzisa izabelo zolawulo (T1077). Inkonzo enegama elithi PSEXECSVC (ewe, naliphi na elinye igama linokusetyenziswa ukuba abahlaseli basebenzise iparamitha -r) iyakwenziwa kwindlela ekujoliswe kuyo, ngoko ke, ukuba sikhupha idatha kwifayile ye-Prefetch, siya kubona oko kwaqaliswa:
Mhlawumbi ndiya kugqiba apho ndiqale khona - ukucima iifayile (T1107). Njengoko sele ndiphawulile, abaninzi abahlaseli basebenzisa i-SDelete ukucima ngokusisigxina iifayile kumanqanaba ahlukeneyo ohlaselo lobomi. Ukuba sijonga idatha evela kwifayile yokulanda kwangaphambili sdelete.exe, emva koko siza kubona ukuba yintoni kanye kanye yacinywayo:
Ewe, olu ayiloluhlu olupheleleyo lweendlela ezinokuthi zifunyanwe ngexesha lokuhlalutywa kweefayile ze-Prefetch, kodwa oku kufanele kwanele ukuqonda ukuba ezo fayile azinakunceda nje ukufumana umkhondo wokuqaliswa, kodwa ziphinde ziphinde zakhe amaqhinga kunye nobuchule bomhlaseli. .
umthombo: www.habr.com