- Fileless malware lives in memory and abuses legitimate tools (PowerShell, WMI, LoLBins), which makes it hard to detect by scanning files.
- The key is behavioural monitoring: process relationships, command lines, the Registry, WMI and network activity, with fast response at the endpoint.
- Layered defence combines interpreter restrictions, least privilege, patching, MFA and EDR/XDR with rich telemetry and a 24/7 SOC.

Attacks that operate without leaving a trace on disk have become a major headache for many security teams, because they run in memory and rely on legitimate mechanisms. Hence the importance of knowing how to detect fileless malware and how to defend against it.
Beyond the headlines and trends, understanding how it works, why it evades detection and which signals let us spot it makes the difference between handling an incident and regretting a breach. In the following sections we analyse the problem and propose solutions.
What is fileless malware and why does it matter?
Fileless malware is not a specific family but a way of operating: it avoids writing executables to disk and uses services and binaries already present on the system to run malicious code. Instead of dropping an easily scanned file, the attacker abuses trusted tools and keeps the malicious logic in RAM.
This approach is usually framed within the 'Living Off the Land' philosophy: attackers abuse native tools such as PowerShell, WMI, mshta, rundll32 or scripting engines such as VBScript and JScript to achieve their goals with minimal noise.
Among its most representative traits: execution in volatile memory, little or no persistence on disk, use of system-signed tools and a high capacity for evasion against signature-based engines.
Although many payloads disappear on reboot, don't be fooled: adversaries can establish persistence through Registry keys, WMI subscriptions or scheduled tasks, all without leaving suspicious files on disk.

Why is fileless malware hard to detect?
The first barrier is obvious: there are no suspicious files to scan. Signature-based antivirus and file scanning have little to work with when execution takes place through legitimate processes and the malicious logic lives in memory.
The second is subtler: attackers hide behind legitimate operational processes. If PowerShell or WMI are used every day for administration, how do you distinguish routine use from malicious use without context and behavioural telemetry?
Furthermore, blindly blocking essential tools is not viable. Banning PowerShell or Office macros across the board can break operations and still does not prevent abuse entirely, because there are several execution paths and ways around simple blocks.
Beyond that, detection that happens only in the cloud or on a server arrives too late to prevent damage. Without real local visibility into the context (command lines, process relationships and log events), an agent cannot cut off, on the fly, a malicious execution that leaves no trace on disk.
How a fileless attack works from start to finish
Initial access happens through the same vectors as always: phishing with Office documents that ask the user to enable content, links to compromised sites, exploitation of vulnerabilities in exposed applications, or misuse of leaked credentials to get in via RDP or other services.
Once inside, the adversary tries to act without touching the disk. To do so, they chain system features: macros or DDE in documents that launch commands, exploitation of an RCE, or invocation of trusted binaries that allow code to be downloaded and executed in memory.
If the operation needs to continue, persistence can be achieved without dropping new executables: autostart entries in the Registry, WMI subscriptions tied to system events, or scheduled tasks that trigger scripts under certain conditions.
With execution established, the objective dictates the next steps: lateral movement, data exfiltration, credential theft, deploying a RAT, cryptocurrency mining, or launching file encryption in the case of ransomware. All of this is done, wherever possible, with tools that are already present.
Removing evidence is part of the plan: by not writing suspicious binaries, the attacker drastically reduces the artefacts available for investigation, blends their actions into normal system activity and clears temporary traces where possible.

Most commonly used techniques and tools
The catalogue is broad, but it always relies on native utilities and trusted mechanisms. These are some of the most common, always with the aim of maximising in-memory execution and minimising traces:
- PowerShell: powerful scripting, access to Windows APIs and system automation. Its flexibility makes it a favourite for administrators and for offensive abuse alike.
- WMI (Windows Management Instrumentation): allows querying and acting on system events, as well as performing local and remote actions; useful for persistence and invocation.
- VBScript and JScript: engines present in many environments that enable execution of logic through system components.
- mshta, rundll32 and other trusted binaries: well-known LoLBins that, properly chained, can execute code without dropping obvious artefacts on disk.
- Active documents: macros or DDE in Office, as well as PDF readers with advanced features, can act as the trigger for launching commands in memory.
- Windows Registry: autostart keys or encrypted/hidden storage for payloads that are run by system components.
- Process hollowing and injection: modifying memory regions of running processes to execute malicious logic inside legitimate ones.
- Exploit kits: identifying weaknesses in the victim's system and delivering matching exploits to achieve execution without touching the disk.
The enterprise problem (and why blocking everything is not enough)
The naive approach suggests a radical path: block PowerShell, disable macros, restrict binaries such as rundll32. Reality is very different: many of these tools are essential for day-to-day IT operations and for automation itself.
Moreover, attackers look for alternatives: running the scripting engine in other ways, using alternative copies, embedding logic in images or abusing less-monitored LoLBins. Brute-force blocking ends up creating friction without providing adequate protection.
Purely server- or cloud-based analysis does not solve the problem either. Without rich endpoint telemetry and without autonomous response by the agent itself, the verdict arrives late and prevention is not possible, because we have to wait for an external decision.
Meanwhile, market reports have been showing significant growth in this area, with peaks in which attempts to abuse PowerShell nearly doubled in a short period, confirming that it is a recurring and profitable technique for adversaries.
Modern detection: from files to behaviour
The key is not who executes, but how and why. Monitoring the process's activity and its context is decisive: command line, parent lineage, sensitive API calls, outbound connections, Registry changes and WMI events.
This approach drastically reduces evasion: even if the binaries involved change, the attack patterns repeat (scripts that download and execute in memory, LoLBin abuse, calls to interpreters, and so on). Analysing the script, not the file's 'identity', is what makes detection possible.
Effective EDR/XDR platforms correlate signals to rebuild the full story of the incident and identify the trigger. Instead of flagging a process that 'looked odd', the story links the attachment, the macro, the interpreter, the payload and the persistence so the whole flow can be cut off, not just a fragment.
Using frameworks such as MITRE ATT&CK helps map tactics and techniques (TTPs) and steer threat hunting toward the behaviours of interest: execution, persistence, defence evasion, credential access, discovery, lateral movement and exfiltration.
Finally, the endpoint's response must be immediate: isolate the device, terminate the affected processes, roll back changes to the Registry or scheduled tasks and block suspicious outbound connections without waiting for external confirmation.
Useful telemetry: what to look at and how to prioritise
To maximise the chances of detection without saturating the system, it is advisable to prioritise high-value signals. Some sources and controls that provide essential context for fileless activity are:
- Detailed logging of PowerShell and other interpreters: script block logging, command history, loaded modules and AMSI events, where available.
- WMI repository: logging and alerting on the creation or modification of event filters, consumers and bindings, especially in well-known namespaces.
- Security events and Sysmon: process relationships, image integrity, memory access, injection and creation of scheduled tasks.
- Network: unusual outbound connections, beaconing, payload downloads and use of covert channels for exfiltration.
Automation helps separate the wheat from the chaff: behavioural detection rules, allowlists for legitimate administration and enrichment with threat intelligence reduce false positives and speed up response.
Prevention and reducing the attack surface
No single measure is enough, but layered defence drastically reduces the risk. On the preventive side, several actions stand out for shrinking the vector and making the adversary's life much harder:
- Macro management: disable by default and allow only where necessary and signed; granular control through group policies.
- Interpreter and LoLBin restriction: apply AppLocker/WDAC or equivalents, control scripts with execution templates and log everything.
- Patching and mitigations: close exploitable weaknesses and enable memory protections that reduce RCE and injection.
- Strong authentication: MFA and zero trust principles to curb credential abuse and reduce lateral movement.
- Awareness and simulation: practical training on phishing, active documents and signs of unusual execution.
This is complemented by solutions that analyse traffic and memory at scale to identify malicious behaviour in real time, as well as segmentation policies and least privilege to limit the impact when something gets through.
Services and approaches that work
In environments with many endpoints and high complexity, managed detection and response services with 24/7 monitoring have proven to accelerate incident containment. Combining SOC, EMDR/MDR and EDR/XDR provides expert eyes, rich telemetry and coordinated response capability.
The most effective agents have introduced a change of approach: lightweight agents that correlate activity at kernel level, build the incident story and apply automatic mitigations when they detect malicious chains, which can change the course of an attack.
Likewise, endpoint protection suites and XDR platforms integrate centralised visibility and threat management across workstations, servers, identities, email and cloud; the goal is to remove the attack chain regardless of whether files are involved or not.
Useful signals for threat hunting
If you need to prioritise hunting hypotheses, look for combinations of signals: an Office process launching an interpreter with unusual parameters, creation of WMI subscriptions after a document is opened, changes to autostart keys followed by connections to domains with a poor reputation.
Another useful approach is to rely on baselines for your environment: what is normal on your servers and workstations? Any deviation (newly signed binaries appearing as parents of interpreters, sudden spikes in script activity, command lines with obfuscation) should be investigated.
Finally, don't forget memory: if you have tools that scan running memory regions or take snapshots, findings in RAM can be conclusive evidence of fileless activity, especially when there are no file artefacts.
The combination of tactics, techniques and controls does not eliminate the threat, but it puts you in a position to detect it in time, cut the chain and minimise its impact.
When all of this is applied sensibly (rich telemetry, behavioural correlation, automated response and selective hardening), the fileless approach loses much of its advantage. And although it will keep evolving, focusing on behaviour rather than files provides a solid foundation for your defences to evolve with it.
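As an added example (not code from the original article), the following Python script applies the two signal combinations just described (an Office process spawning an interpreter with unusual parameters, and WMI subscription activity shortly after a document is opened) to constructed Sysmon-style records. The event IDs, field names, indicator strings and scoring threshold are assumptions chosen for illustration, not telemetry or rules from the article.

```python
# Hunting heuristics over Sysmon-style events; every sample record below is constructed.
from datetime import datetime, timedelta
OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Command-line fragments typical of hidden, encoded or download-and-run execution (assumed list).
SUSPICIOUS_ARGS = ("-enc", "-nop", "hidden", "iex", "downloadstring", "frombase64string")
WMI_SUBSCRIPTION_EVENTS = {19, 20, 21}  # Sysmon: WmiEventFilter, WmiEventConsumer, binding

def base(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows image path

def score_process(ev):
    """Score a Sysmon EventID 1 record: 2 for Office -> interpreter, 1 per suspicious arg."""
    parent, image, cmd = base(ev["ParentImage"]), base(ev["Image"]), ev["CommandLine"].lower()
    reasons, score = [], 0
    if parent in OFFICE and image in INTERPRETERS:
        reasons.append(f"office parent {parent} spawned interpreter {image}")
        score += 2
    hits = [a for a in SUSPICIOUS_ARGS if a in cmd]
    if hits:
        reasons.append("suspicious args: " + ", ".join(hits))
    return score + len(hits), reasons

def hunt(events, threshold=2, window=timedelta(minutes=10)):
    """Return (time, score, reason) for risky process creations and for WMI subscription events within `window` of an Office child process."""
    findings, office_spawns = [], []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        t = datetime.fromisoformat(ev["UtcTime"])
        if ev["EventID"] == 1:
            if base(ev["ParentImage"]) in OFFICE:
                office_spawns.append(t)  # remember when Office spawned anything
            score, reasons = score_process(ev)
            if score >= threshold:
                findings.append((ev["UtcTime"], score, "; ".join(reasons)))
        elif ev["EventID"] in WMI_SUBSCRIPTION_EVENTS:
            if any(timedelta(0) <= t - ot <= window for ot in office_spawns):
                findings.append((ev["UtcTime"], 3, f"WMI subscription event {ev['EventID']} shortly after an Office child process"))
    return findings

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {"EventID": 1, "UtcTime": "2024-05-01T09:00:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": PS, "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 1, "UtcTime": "2024-05-01T09:05:12", "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -enc <BASE64_PLACEHOLDER>"},
    {"EventID": 20, "UtcTime": "2024-05-01T09:06:40"},  # consumer created 88 s after the Word child
    {"EventID": 19, "UtcTime": "2024-05-01T14:00:00"},  # filter created hours later: not correlated
]
```

Running `hunt(SAMPLE_EVENTS)` flags only the Word-spawned PowerShell and the WMI consumer that follows it; the routine inventory script and the unrelated afternoon filter stay below the threshold.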
Editor specialising in technology and internet topics with more than ten years of experience across various digital media. I have worked as an editor and content creator for companies in e-commerce, communication, online marketing and advertising. I have also written for websites in the economics, finance and other sectors. My work is also my passion. Now, through my articles at Tecnobits, I try to explore all the news and new opportunities that the world of technology offers us every day to improve our lives.