Now Sysmon can record clipboard contents

The release of Sysmon version 12 was announced on September 17 on the Sysinternals page. In fact, new versions of Process Monitor and ProcDump were released the same day. In this article I will talk about the key, and controversial, innovation of Sysmon version 12: the event type with event ID 24, which logs clipboard activity.


The information in this event type opens up new possibilities for monitoring suspicious activity (and creates new exposure). With it you can understand who, where, and what exactly was being copied. Below the cut is a description of some of the fields of the new event and a few use cases.

The new event contains the following fields:

  • Image: the process that wrote the data to the clipboard.
  • Session: the session in which the clipboard was written. It can be system (0), an interactive or remote session, and so on.
  • ClientInfo: contains the session user name and, in the case of a remote session, the originating host name and IP address, if available.
  • Hashes: determines the name of the file in which the copied text was saved (similar to how FileDelete events work).
  • Archived: status flag indicating whether the text from the clipboard was saved to the Sysmon archive directory.

The last few fields are alarming. The fact is that since version 11 Sysmon has been able (with the appropriate settings) to save various data to its archive directory. For example, event ID 23 logs file deletion events and can save every deleted file to that same archive directory. A CLIP tag is added to the names of files created as a result of clipboard operations. The files themselves contain the exact data that was copied to the clipboard.

This is what a saved file looks like:

Saving to a file is enabled at installation time. You can set a whitelist of processes whose text will not be saved.

This is what a Sysmon installation looks like with the appropriate archive directory settings:

Here, I think, it is worth remembering password managers that use the clipboard. Having Sysmon on a system with a password manager will let you (or an attacker) capture those passwords. If you think you know which process is the source of the copied text (and it is not always the password manager's own process, but perhaps some svchost), that process can be added to the whitelist as an exception so that its text is not saved.
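As an added example (not the article's own configuration), here is a Sysmon 12 install that enables clipboard capture with an archive directory and excludes a password manager from it; the schema version, the archive directory name and the KeePass.exe image name are assumptions to adjust for your environment.

```powershell
# Added example, not from the article: install Sysmon 12 with clipboard capture
# (Event ID 24) enabled, an archive directory for the captured text, and an
# exclusion so that text copied by a password manager is neither logged nor
# archived. Schema version 4.40, the directory name and KeePass.exe are assumptions.

$config = @'
<Sysmon schemaversion="4.40">
  <!-- Created under the root of the system drive, e.g. C:\SysmonArchive -->
  <ArchiveDirectory>SysmonArchive</ArchiveDirectory>
  <EventFiltering>
    <RuleGroup name="ClipboardCapture" groupRelation="or">
      <!-- onmatch="exclude": log every clipboard write except the listed images -->
      <ClipboardChange onmatch="exclude">
        <Image condition="image">KeePass.exe</Image>
      </ClipboardChange>
    </RuleGroup>
  </EventFiltering>
</Sysmon>
'@

$configPath = Join-Path $env:TEMP 'sysmon-clipboard.xml'
Set-Content -Path $configPath -Value $config -Encoding ASCII

# Fresh install (-i); on a host that already runs Sysmon use -c to update the config
& .\Sysmon64.exe -accepteula -i $configPath

# Confirm the active configuration and check the archive directory ACL
# (Sysmon protects the directory with a SYSTEM-only ACL)
& .\Sysmon64.exe -c
Get-Acl -Path (Join-Path $env:SystemDrive 'SysmonArchive') | Format-List Owner, AccessToString
```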

You may not know it, but clipboard text is captured by the remote host when you switch to it in an RDP session. If you have something on your clipboard and switch between RDP sessions, that information travels with you.

Let's summarize Sysmon's clipboard capabilities.

Recorded:

  • Text copies of text pasted via RDP and locally;
  • Capture of clipboard data by various utilities/processes;
  • Copy/paste of text from/to a local virtual machine, even if that text has not yet been pasted.

Not recorded:

  • Copying/pasting files from/to a local virtual machine;
  • Copying/pasting files via RDP;
  • Clipboard-hijacking malware that only writes to the clipboard.

Despite its ambiguity, this event type lets you reconstruct an attacker's sequence of actions and helps surface data that was previously unavailable when building a post-attack forensic picture. If writing clipboard contents is left enabled, it is important to record all access to the archive directory and identify potentially dangerous access (anything not initiated by sysmon.exe).
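As an added example (not part of the article), the following triage script reads the Event ID 24 fields described above, flags archived clipboard text from processes outside an allow-list, and lists reads of the archive directory by anything other than Sysmon. It assumes the default Sysmon log channel, an archive directory of C:\SysmonArchive, and that file-system auditing with a SACL on that directory is enabled so that Security event 4663 is generated; the paths and the allow-list are assumptions.

```powershell
# Added example, not from the article: triage Sysmon Event ID 24 records and
# review who touched the clipboard archive. Assumes the default Sysmon channel,
# C:\SysmonArchive as the archive directory, and "Audit File System" auditing
# with a SACL on that directory so that Security event 4663 records reads.

$ArchiveDir    = Join-Path $env:SystemDrive 'SysmonArchive'
$AllowedImages = @('C:\Program Files\KeePass Password Safe 2\KeePass.exe')   # assumed path

# Turn one event's EventData into a hashtable keyed by field name
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-ClipboardCaptures {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 24 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertTo-EventFields $_
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Image      = $f['Image']
                Session    = $f['Session']      # 0 = system, otherwise the interactive/RDP session id
                ClientInfo = $f['ClientInfo']   # user and, for RDP, client host name and IP
                Hashes     = $f['Hashes']       # hash that names the CLIP-* archive file
                Archived   = ($f['Archived'] -eq 'true')
            }
        }
}

# 1. Archived clipboard text written by a process outside the allow-list
Get-ClipboardCaptures |
    Where-Object { $_.Archived -and $AllowedImages -notcontains $_.Image } |
    Format-Table Time, Image, Session, ClientInfo -AutoSize

# 2. Access to the archive directory by anything other than Sysmon itself (Security 4663)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 2000 -ErrorAction SilentlyContinue |
    ForEach-Object { ConvertTo-EventFields $_ } |
    Where-Object { $_['ObjectName'] -like "$ArchiveDir\*" -and $_['ProcessName'] -notlike '*\Sysmon*.exe' } |
    ForEach-Object { [pscustomobject]@{ User = $_['SubjectUserName']; Process = $_['ProcessName']; File = $_['ObjectName'] } } |
    Format-Table -AutoSize
```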

To record, analyze and respond to the events listed above, you can use the InTrust tool, which combines all three approaches and, in addition, is an efficient centralized repository for all the raw data it collects. We can configure its integration with popular SIEM systems to reduce their licensing costs by offloading the processing and storage of raw data to InTrust.

To learn more about InTrust, read our previous articles or leave a request via the feedback form.

How to reduce the cost of owning a SIEM system, and why you need Central Log Management (CLM)

We enable collection of events about the launch of suspicious processes in Windows and identify threats using Quest InTrust

How InTrust can help reduce the rate of failed authorization attempts via RDP

We detect a ransomware attack, gain access to the domain controller and try to resist the attack

What useful things can be extracted from the logs of a Windows-based workstation? (popular article)

Who did it? We automate information security audits

Source: www.habr.com
