Ukuchonga iifayile ezingenafayili: ukufumanisa okuphambili kunye nokukhusela

I-malware engenafayile ihlala kwimemori kwaye ixhaphaza izixhobo ezisemthethweni (PowerShell, WMI, LoLBins), isenza kube nzima ukuyibona ngokusekwe kwiifayile.
Isitshixo kukubeka iliso kwindlela yokuziphatha: inkqubo yobudlelwane, imigca yomyalelo, iRegistry, i-WMI kunye nenethiwekhi, kunye nokuphendula ngokukhawuleza ekupheleni.
Ukhuseleko olucwangcisiweyo ludibanisa uthintelo lokutolika, ulawulo olukhulu, ukupakisha, i-MFA kunye ne-EDR/XDR ene-telemetry etyebileyo kunye ne-24/7 SOC.

Uhlaselo olusebenza ngaphandle kokushiya umkhondo kwidiski lube yintloko enkulu kumaqela amaninzi okhuseleko ngenxa yokuba aphumeza ngokupheleleyo kwimemori kwaye asebenzise iinkqubo zenkqubo esemthethweni. Kungoko kubalulekile ukwazi indlela yokuchonga iifayile ezingenafayile bazikhusele kubo.

Ngaphandle kwezihloko eziphambili kunye neendlela, ukuqonda indlela ezisebenza ngayo, kutheni zinqabile, kwaye zeziphi iimpawu ezisivumelayo ukuba sizibhaqe kwenza umahluko phakathi kokuqulatha isiganeko kunye nokuzisola ngokophulwa. Kule migca ilandelayo, sihlalutya ingxaki kwaye siphakamise izisombululo.

Yintoni i-malware engenafayile kwaye kutheni ibalulekile?

I-Fileless malware ayilosapho oluthile, kodwa yindlela yokusebenza: Kuphephe ukubhala izinto eziphunyeziweyo kwidiski Isebenzisa iinkonzo kunye nokubini esele ikhona kwinkqubo ukwenza ikhowudi engalunganga. Endaweni yokushiya ifayile enokuskenwa ngokulula, umhlaseli usebenzisa kakubi izixhobo ezithembekileyo kwaye alayishe ingqiqo yakhe ngqo kwi-RAM.

Le ndlela ihlala ibandakanya ifilosofi 'yokuphila ngaphandle koMhlaba': abahlaseli benza izixhobo. izixhobo zomthonyama ezifana PowerShell, WMI, mshta, rundll32 okanye ii-injini zokubhala njengeVBScript kunye ne-JScript ukufezekisa iinjongo zabo ngengxolo encinci.

Phakathi kweempawu zayo ezimele kakhulu sifumana: ukwenziwa kwimemori eguquguqukayo, ukuzingisa okuncinci okanye ukungabikho kwidiski, ukusetyenziswa kwezinto ezisayiniweyo zesistim kunye nomthamo omkhulu wokuphepha ngokuchasene neenjini ezisekwe kwisiginitsha.

Nangona uninzi lwentlawulo lunyamalala emva kokuqalisa ngokutsha, musa ukukhohliswa: abachasi banokumisela ukuzingisa ngokusebenzisa izitshixo zoBhaliso, imirhumo yeWMI, okanye imisebenzi ecwangcisiweyo, zonke ngaphandle kokushiya iibhinari ezikrokrelayo kwidiski.

Ubunzima bokufumana i-malware engenafayile

Kutheni sikufumanisa kunzima kangaka ukuchonga iifayile ezingenafayile?

Umqobo wokuqala ucacile: Akukho zifayile zingaqhelekanga zokuhlolwaIinkqubo ze-antivirus zesiNtu ezisekelwe kwiisayini kunye nohlalutyo lwefayile zinendawo encinci yokulawula xa ukubulawa kuhlala kwiinkqubo ezisebenzayo kunye neengqiqo ezinobungozi zihlala kwimemori.

Okwesibini kunobuqili ngakumbi: abahlaseli bazifihla ngasemva iinkqubo zokusebenza ezisemthethweniUkuba i-PowerShell okanye i-WMI isetyenziswa yonke imihla kulawulo, unokwahlula njani ukusetyenziswa okuqhelekileyo kusetyenziso olubi ngaphandle komxholo kunye ne-telemetry yokuziphatha?

Ngaphaya koko, ukuvala ngokumfamekileyo izixhobo ezibalulekileyo akunakwenzeka. Ukukhubaza i-PowerShell okanye iimacros zeOfisi kwibhodi yonke kunokophula imisebenzi kunye Ayikuthinteli ngokupheleleyo ukuxhatshazwakuba kukho iindlela ezininzi ezizezinye ezizezinye kunye neendlela zokuthintela iibhloko ezilula.

Ukuyigqiba yonke into, i-cloud-based okanye i-server-side-side yabonwa emva kwexesha ukukhusela iingxaki. Ngaphandle kokubonakala kwexesha lokwenyani lendawo kulo mba... imigca yomyalelo, inkqubo yobudlelwane, kunye neziganeko zelogI-arhente ayikwazi ukuthomalalisa kwimpukane ukuqukuqela okukhohlakeleyo okungashiyi mkhondo kwidiski.

Umxholo okhethekileyo- Cofa Apha Yeyiphi imida yeBitdefender Antivirus Plus?

Uhlaselo olungenafayile lusebenza njani ukusuka ekuqaleni ukuya ekugqibeleni

Ufikelelo lokuqala ludla ngokubakho ngeevekhtha ezifanayo njengamaxesha onke: phishing ngamaxwebhu eofisi ecela ukunika amandla umxholo osebenzayo, uqhakamshelwano kwiindawo ezisengozini, ukusetyenziswa kobuthathaka kwizicelo eziveziweyo, okanye ukusetyenziswa kakubi kwenkcaza evuzayo ukufikelela ngeRDP okanye ezinye iinkonzo.

Xa sele engaphakathi, umchasi ufuna ukwenza ngaphandle kokuchukumisa idiski. Ukwenza oku, badibanisa imisebenzi yenkqubo: macros okanye DDE kumaxwebhu esungula imiyalelo, ixhaphaza ukuphuphuma kwe-RCE, okanye ibize iibhinari ezithembekileyo ezivumela ukulayisha kunye nokwenza ikhowudi kwinkumbulo.

Ukuba umsebenzi ufuna ukuqhubeka, ukuzingisa kunokuphunyezwa ngaphandle kokuthunyelwa kwezinto ezintsha eziphunyeziweyo: amangeno okuqalisa kwiRejistriImirhumo ye-WMI esabela kwiziganeko zenkqubo okanye imisebenzi ecwangcisiweyo eyenza izikripthi phantsi kweemeko ezithile.

Ngokuphunyezwa okusekiweyo, injongo iyalela la manyathelo alandelayo: hamba ecaleni, khupha idathaOku kuquka ubucukubhede obubambekayo, ukuthumela iRAT, i-cryptocurrencies yezemigodi, okanye ukuvula uguqulelo oluntsonkothileyo lwefayile kwimeko yeransomware. Konke oku kwenziwa, xa kunokwenzeka, ngokusetyenziswa kwemisebenzi ekhoyo.

Ukususa ubungqina yinxalenye yesicwangciso: ngokungabhali iibhinari ezikrokrelayo, umhlaseli unciphisa kakhulu izinto ezicaluliweyo eziza kuhlalutywa. ukuxuba umsebenzi wabo phakathi kweziganeko eziqhelekileyo yenkqubo kunye nokucima imikhondo yethutyana xa kunokwenzeka.

Chonga iifayile ezingenafayile

Ubuchule kunye nezixhobo abaqhele ukuzisebenzisa

Ikhathalogu ibanzi, kodwa iphantse yahlala ijikeleza kwizinto eziluncedo zemveli kunye neendlela ezithembekileyo. Ezi zezinye zezona ziqhelekileyo, zihlala zinenjongo ukwandisa ukwenziwa kwenkumbulo kwaye wenze mnyama umkhondo:

PowerShellUkubhalwa okunamandla, ukufikelela kwii-APIs zeWindows, kunye ne-automation. Ukuguquguquka kwayo kwenza ukuba ibe yintandokazi kulawulo kunye nokuxhatshazwa okukhubekisayo.
I-WMI (i-Windows Management Instrumentation)Ikuvumela ukuba ubuze kwaye usabele kwimicimbi yenkqubo, kunye nokwenza iintshukumo ezikude kunye nezasekhaya; luncedo kwi ukuzingisa kunye ne-orchestration.
VBScript kunye neJScript: iinjini ezikhoyo kwiindawo ezininzi eziququzelela ukuphunyezwa kwengqiqo ngokusebenzisa amacandelo enkqubo.
mshta, rundll32 kunye nezinye iibhinari ezithembekileyo: i-LoLBins eyaziwayo, xa idibene ngokufanelekileyo, inakho yenza ikhowudi ngaphandle kokulahla izinto zakudala kubonakala kwidiski.
Amaxwebhu anomxholo osebenzayoIiMacros okanye iDDE kwiOfisi, kunye nabafundi bePDF abaneempawu eziphambili, banokusebenza njengebhodi yokuqalisa imiyalelo kwinkumbulo.
Ubhaliso lweWindows: izitshixo zokuziqalela okanye ukugcinwa okufihliweyo/okufihliweyo komthwalo ohlawulwayo owenziwe ngamacandelo enkqubo.
Ukuxhuzula kunye nokutofa kwiinkqubo: ukulungiswa kwesithuba senkumbulo yeenkqubo ezisebenzayo inginginya ingqiqo ekhohlakeleyo ngaphakathi kophunyezo olusemthethweni.
Izixhobo zokusebenza: ukufumanisa ubuthathaka kwinkqubo yexhoba kunye nokuthunyelwa kweendlela ezilungiselelwe ukufezekisa ukubulawa ngaphandle kokuchukumisa idiski.

Umceli mngeni kwiinkampani (kwaye kutheni ukuvala yonke into akwanelanga)

Indlela yokungabi nangqondo icebisa umlinganiselo ongqongqo: ukuvala i-PowerShell, ukuthintela iimacros, ukuthintela iibhinari ezifana ne-rundll32. Inyani ibaluleke ngakumbi: Uninzi lwezo zixhobo zibalulekile. kwimisebenzi ye-IT yemihla ngemihla kunye ne-automation yolawulo.

Umxholo okhethekileyo- Cofa Apha Indlela yokulandelela idilesi ye-Facebook ye-IP

Ukongeza, abahlaseli bajonga izithuba: ukuqhuba injini yokubhala ngezinye iindlela, sebenzisa ezinye iikopiUngapakisha ingqiqo kwimifanekiso okanye ubhenele kwiiLoLBins ezingajongwanga. Ukuvalwa kweBrute ekugqibeleni kudala ukungqubana ngaphandle kokubonelela ngokhuseleko olupheleleyo.

Ngokuchanekileyo kwicala leseva okanye uhlalutyo olusekwe kwilifu aluyisombululi ingxaki. Ngaphandle kobutyebi be-endpoint telemetry kwaye ngaphandle ukuphendula kwi-arhente ngokwayoIsigqibo siza emva kwexesha kwaye uthintelo alunakwenzeka kuba kufuneka silinde isigwebo sangaphandle.

Ngeli xesha, iingxelo zentengiso kudala zalatha ukukhula okubaluleke kakhulu kule ndawo, kunye neencopho apho Iinzame zokusebenzisa kakubi iPowerShell ziphantse zaphinda kabini ngamaxesha amafutshane, nto leyo eqinisekisa ukuba liqhinga eliphindaphindayo nelinenzuzo kubachasi.

Ukufunyanwa kwangoku: ukusuka kwifayile ukuya kwindlela yokuziphatha

Isitshixo asinguye ophumezayo, kodwa njani kwaye ngoba. Ukubeka iliso kwi inkqubo yokuziphatha kunye nobudlelwane bayo Isigqibo: umgca womyalelo, inkqubo yelifa, iifowuni ze-API ezinovakalelo, uqhagamshelo oluphumayo, ukuguqulwa kweRegistry, kunye neziganeko zeWMI.

Le ndlela inciphisa kakhulu indawo yokuphepha: nokuba iibhinari ezibandakanyekayo ziyatshintsha, i iipateni zokuhlasela ziyaphindwa (izikripthi ezikhuphela kwaye zenze kwimemori, ukusetyenziswa kakubi kwe-LoLBins, ukubizwa kweetoliki, njl.). Ukuhlalutya eso script, hayi 'isazisi' sefayile, siphucula ukubonwa.

Amaqonga asebenzayo e-EDR/XDR anxibelelanisa imiqondiso ukuze akhe kwakhona imbali yesiganeko esipheleleyo, echonga i unobangela weengcambu Endaweni yokugxeka inkqubo 'ethe yavela', eli bali linxibelelanisa izincamathelisi, iimacros, iitoliki, umthwalo ohlawulwayo, kunye nokuzingisa ukuthomalalisa ukuhamba konke, hayi nje iqhekeza elilodwa.

Ukusetyenziswa kwezikhokelo ezifana MITER AT&CK Inceda imephu eqwalaselwe amaqhinga kunye nobuchule (TTPs) kunye nesikhokelo sokuzingela kwimikhwa enomdla: ukubulawa, ukuzingisa, ukuphepha ukukhusela, ukufikelela kwiinkcukacha, ukufunyanwa, intshukumo esecaleni kunye nokukhutshelwa ngaphandle.

Ekugqibeleni, i-orchestration ye-endpoint response kufuneka ibe ngoko nangoko: yahlula isixhobo, ukuphelisa iinkqubo ebandakanyekayo, buyisela utshintsho kwiRejistri okanye umcwangcisi wemisebenzi kwaye uvale imidibaniso ephumayo ekrokrisayo ngaphandle kokulinda iziqinisekiso zangaphandle.

I-telemetry eluncedo: yintoni omawuyijonge kunye nendlela yokubeka phambili

Ukwandisa amathuba okufumana ngaphandle kokuhlutha inkqubo, kuyacetyiswa ukuba ubeke phambili iimpawu zexabiso eliphezulu. Eminye imithombo kunye nolawulo olunika umxholo. ibaluleke kakhulu kwi-fileless Zizo:

Ilog yePowerShell eneenkcukacha kunye nabanye abatoliki: ibhloko yebhloko yeskripthi, imbali yomyalelo, iimodyuli ezilayishiwe, kunye neziganeko ze-AMSI, xa zikhona.
Uvimba weWMIUluhlu kunye nesilumkiso malunga nokudalwa okanye ukuguqulwa kwezihluzo zesiganeko, abathengi, kunye namakhonkco, ngakumbi kwiindawo zamagama ezinovakalelo.
Iziganeko zokhuseleko kunye neSysmon: ulungelelwaniso lwenkqubo, ingqibelelo yomfanekiso, ukulayishwa kwememori, inaliti, kunye nokudalwa kwemisebenzi ecwangcisiweyo.
Bomvu: imidibaniso ephuma ngaphandle engaqhelekanga, ukukhanya, iipatheni zokukhuphela umthwalo, kunye nokusetyenziswa kweetshaneli ezifihlakeleyo zokukhutshelwa ngaphandle.

I-automation inceda ukwahlula ingqolowa kumququ: imithetho yokukhangela esekelwe ekuziphatheni, ii- permits for ulawulo olusemthethweni kunye nokutyebisa ngezoyikiso zobuntlola kunciphisa iimpawu zobuxoki kwaye kukhawulezise impendulo.

Ukuthintela kunye nokunciphisa umphezulu

Akukho mlinganiso omnye owaneleyo, kodwa ukukhusela okucwangcisiweyo kunciphisa kakhulu umngcipheko. Kwicala lokuthintela, imigca emininzi yezenzo ivelele iivektha zezityalo kwaye wenze ubomi bube nzima ngakumbi kumchasi:

Ulawulo olukhulu: khubaza ngokungagqibekanga kwaye uvumele kuphela xa kuyimfuneko kwaye usayinwe; ulawulo lwegranular ngemigaqo-nkqubo yeqela.
Ukuthintelwa kweetoliki kunye neLoLBins: Faka isicelo se-AppLocker/WDAC okanye efanayo, ulawulo lwezikripthi kunye neetemplates zokwenza ngokugawulwa kwemithi ngokubanzi.
Ukuchwetheza kunye nokunciphisa: vala ubuthathaka obusebenzisekayo kwaye uvule ukhuseleko lwememori olunciphisa i-RCE kunye neenaliti.
Ungqinisiso olomeleleyoI-MFA kunye nemigaqo ye-zero trust ukunqanda ukuphathwa gadalala kwesiqinisekiso kunye ukunciphisa intshukumo ecaleni.
Ukuqonda kunye nokulinganisaUqeqesho olusebenzayo kubuqhetseba, amaxwebhu anomxholo osebenzayo, kunye neempawu zokubulawa ngendlela engaqhelekanga.

Umxholo okhethekileyo- Cofa Apha Uyisusa njani iNtsholongwane kwiMobile?

La manyathelo axhaswa zizisombululo ezihlalutya i-traffic kunye nememori ukuchonga ukuziphatha okungalunganga ngexesha lokwenyani, kunye imigaqo-nkqubo yokwahlulahlula kunye namalungelo amancinci okuqulatha impembelelo xa kukho into etyibilikayo.

Iinkonzo kunye neendlela ezisebenzayo

Kwiindawo ezinesiphelo ezininzi kunye nokubaluleke kakhulu, ukubonwa okulawulwayo kunye neenkonzo zokuphendula nge 24/7 esweni Babonakalise ukukhawulezisa isithintelo sesehlo. Ukudityaniswa kwe-SOC, i-EMDR/MDR, kunye ne-EDR/XDR inika amehlo eengcali, i-telemetry etyebileyo, kunye nezakhono zokuphendula ezilungelelanisiweyo.

Abona baboneleli abasebenzayo baye bafakela ngaphakathi utshintsho ekuziphatheni: ii-arhente ezilula ukuba umsebenzi wokulungelelanisa kwinqanaba le-kernelBaphinda bakhe iimbali ezipheleleyo zohlaselo kwaye basebenzise ukuthomalalisa okuzenzekelayo xa bebona amatyathanga akhohlakeleyo, kunye nokukwazi ukuhlehlisa utshintsho.

Ngokunxuseneyo, iisuti zokhuseleko ze-endpoint kunye namaqonga e-XDR adibanisa ukubonakala okuphakathi kunye nolawulo lwezoyikiso kuzo zonke iindawo zokusebenza, iiseva, izazisi, i-imeyile kunye nelifu; injongo kukuqhaqha ikhonkco lokuhlasela nokuba ngaba iifayile ziyabandakanyeka na.

Iimpawu ezisebenzayo zokuzingela isoyikiso

Ukuba kufuneka ubeke phambili iingqikelelo zokukhangela, gxila ekudibaniseni imiqondiso: inkqubo yeofisi esungula itoliki eneparameters ezingaqhelekanga, Ukwenziwa kobhaliso lwe-WMI Emva kokuvula uxwebhu, uhlengahlengiso kwizitshixo zokuqalisa ezilandelwa ludibaniso lwemimandla enegama elibi.

Enye indlela esebenzayo kukuthembela kwiziseko ezisuka kwindawo okuyo: yintoni eqhelekileyo kwiiseva zakho nakwiindawo zokusebenza? Nakuphi na ukutenxa (amabini okubini asandula kusayiniwa avela njengabazali beetoliki, spikes ngesiquphe ekusebenzeni (yemibhalo, imitya yomyalelo ene-obfuscation) ifanele uphando.

Okokugqibela, ungalibali inkumbulo: ukuba unezixhobo ezihlola imimandla esebenzayo okanye zibambe izifinyezo, iziphumo kwi-RAM Zinokuba bubungqina obuqinisekileyo bomsebenzi ongenafayile, ngakumbi xa kungekho zixhobo zokusebenza kwisixokelelwano sefayile.

Indibaniselwano yala maqhinga, ubuchule kunye nolawulo akusiphelisi isoyikiso, kodwa kukubeka kwindawo engcono yokusibona kwangethuba. sika ikhonkco kunye nokunciphisa impembelelo.

Xa konke oku kusetyenziswe ngobuchule-i-endpoint-rich telemetry, ukulungelelaniswa kokuziphatha, impendulo ezenzekelayo, kunye nokuqina okukhethiweyo-iqhinga elingenafayile lilahlekelwa yinto eninzi yalo. Kwaye, nangona iya kuqhubeka nokuvela, ugqaliselo kwiindlela zokuziphatha Kunokuba kwiifayile, inika isiseko esiluqilima sokhuseleko lwakho ukuze uvele nayo.

UDaniel Terrasa

Umhleli okhethekileyo kwitekhnoloji nakwimiba ye-intanethi eneminyaka engaphezu kweshumi yamava kumajelo osasazo edijithali. Ndisebenze njengomhleli kunye nomdali womxholo we-e-commerce, unxibelelwano, ukuthengisa kwi-intanethi kunye neenkampani zentengiso. Ndibhale kwakhona kwiiwebhusayithi zezoqoqosho, ezemali kunye namanye amacandelo. Umsebenzi wam ukwangumnqweno wam. Ngoku, ngamanqaku am kwi Tecnobits, Ndizama ukuhlola zonke iindaba kunye namathuba amatsha ukuba ihlabathi lobuchwepheshe lisinika yonke imihla ukuphucula ubomi bethu.