Menene ASR (Rage Surface Attack) kuma ta yaya yake kare na'urorin ku?

Lokacin da kuka fara shiga cikin tsaro na Windows da duk abin da Microsoft Defender ya bayar, kalmar ASR (Rage Hare-hare) Yana bayyana lokaci da lokaci. Kuma wannan ba daidai ba ne: muna magana ne game da wasu ka'idoji da dabaru waɗanda ke da nufin dakatar da hare-hare kafin su sami damar farawa.

A cikin mahallin barazanar da ke ƙara haɓakaTare da ransomware, rufaffiyar rubutun, sata na sahihanci, da hare-hare marasa fayil, dokokin ASR sun zama maɓalli na kariya na kariya. Matsalar ita ce sau da yawa ana ganin su a matsayin wani abu na "sihiri" kuma mai rikitarwa, yayin da a zahiri suna da ma'ana bayyananne idan an yi bayaninsu cikin nutsuwa.

Menene ASR (Rage Rage Haruffa) kuma wace matsala yake magance?

Rage Haɓaka Sama, ko rage saman harinASR wata hanya ce da ta ƙunshi rage duk wuraren da maharin zai iya shiga, motsawa, ko aiwatar da lamba a cikin yanayi. A cikin takamaiman yanayin Microsoft, ana aiwatar da ASR ta hanyar ƙa'idodi waɗanda ke sarrafa halayen ƙarshen haɗari: aiwatar da rubutun, macros Office, hanyoyin da aka ƙaddamar daga kebul na USB, cin zarafin WMI, da sauransu.

A aikace, da Dokokin Microsoft Defender ASR don ƙarshen ƙarshen Waɗannan manufofi ne da ke cewa: “wasu abubuwan da suka saba da malware Ba za a ƙyale su ba, kodayake aikace-aikacen halal a wasu lokuta ma suna yin su. Misali, Word taya PowerShell, wanda a script zazzagewa daga Intanet yana ƙaddamar da aiwatarwa ko tsari ɗaya yana ƙoƙarin shigar da lamba cikin wani.

Manufar da ke tattare da ita ita ce rage yawan hanyoyin da harin zai iya bi don yin sulhu da tsarin. Ƙananan samuwa hanyoyin, ƙasa da ƙasaWannan ya yi daidai da ƙirar Zero Trust: muna ɗauka cewa a wani lokaci za a sami ɓarna, don haka za mu rage "radius" na abin da ya faru gwargwadon iko.

Yana da mahimmanci a bambanta a nan tsakanin ra'ayoyi guda biyu waɗanda sau da yawa sukan haɗu: a daya hannun, da rage kai hari a matsayin babban dabara (cire ayyukan da ba dole ba, rufe tashoshin jiragen ruwa, cire software mara amfani, iyakance izini, da sauransu), kuma a daya bangaren, Dokokin Microsoft Defender ASRwaxanda suke ƙayyadaddun ƙayyadaddun tsarin wannan dabarun, wanda aka mayar da hankali kan ƙarshen ƙarshen da halayen software.

Fagen harin: na zahiri, dijital, da ɗan adam

Lokacin da muke magana game da harin kungiya, muna nufin duk wuraren da maharin zai iya shiga cikiNa'urori, aikace-aikace, sabis na kan layi, asusun mai amfani, APIs, cibiyoyin sadarwa na ciki, gajimare na waje, da sauransu. Ba batun fasaha ba ne kawai; Kuskuren ɗan adam ma yana shiga cikin wasa.

A cikin sashin dijital mun sami gidajen yanar gizo, sabobin, bayanan bayanaiwuraren ƙarewa, sabis na girgije, da aikace-aikacen kasuwanciKowane sabis ɗin da ba a tsara shi ba, kowane tashar tashar da ba dole ba, kowane aikace-aikacen software da ba a buɗe ba na iya zama wurin shiga don cin gajiyar. Shi ya sa kamfanoni da yawa suka dogara da kayan aikin EASM (Mai sarrafa Surface Management na waje) waɗanda ke sarrafa gano kadarorin da aka fallasa da kuma lahani.

A saman zahiri, waɗannan suna shiga cikin wasa sabobin kan-gida, wuraren aiki, na'urorin cibiyar sadarwa, da tashaAnan, ana rage haɗarin tare da ikon samun damar shiga jiki, kyamarori, katunan, makullai, rukunoni, da hardware An ƙarfafa Idan kowa zai iya shiga cibiyar bayanai tare da kebul na USB, ba komai yadda manufofin tsaro ke da kyau ba.

Kafa na uku shine saman da ke hade da zamantakewa injiniya da kuma mutum factorSaƙonnin imel na phishing, kira na ƙirƙira, gidajen yanar gizo masu ban sha'awa, ko kurakuran ma'aikata masu sauƙi waɗanda ke haifar da zazzage abun ciki mara kyau. Don haka ne ma rage kaifin harin ya shafi horo da wayar da kan jama’a, ba kawai fasahar ba.

ASR a matsayin ginshiƙi na tsaro na rigakafi da Zero Trust

A cikin tsarin Zero Trust muna ɗauka cewa An riga an lalata hanyar sadarwa ko kuma za ta kasanceKuma abin da muke nufi shi ne don hana maharin daga haɓakawa cikin sauƙi ko samun gata. Dokokin ASR sun dace daidai a nan saboda suna sanya shinge a kan mafi yawan amfani da abubuwan da aka yi amfani da su na harin, musamman a ƙarshen ƙarshen.

Dokokin ASR suna amfani da ka'idar mafi ƙarancin gata da aka yi amfani da shi ga ɗabi'aBa wai kawai game da waɗanne izini asusu ke da su ba, amma waɗanne ayyuka takamaiman aikace-aikacen za su iya yi. Misali, Office har yanzu yana iya shirya takardu ba tare da fitowa ba, amma ba zai iya sake ƙaddamar da tsarin baya ba ko ƙirƙirar masu aiwatarwa akan faifai kyauta.

Irin wannan kulawar ɗabi'a yana da ƙarfi musamman a gaba barazanar polymorphic da hare-hare marasa fayilKo da yake malware kullum yana canza sa hannu ko zanta, yawancin suna buƙatar yin abubuwa iri ɗaya: gudanar da rubutun, allurar code cikin matakai, sarrafa LSASS, cin zarafin WMI, rubuta direbobi masu rauni, da sauransu. ASR yana mai da hankali kan waɗannan alamu.

Har ila yau, ana iya aiwatar da dokoki ta hanyoyi daban-daban: toshe, dubawa, ko gargadiWannan yana ba da damar ɗaukar lokaci, farawa ta hanyar lura da tasirinsa (yanayin duba), sannan sanar da mai amfani (gargaɗi), kuma a ƙarshe yana toshe shi ba tare da jin ƙai ba da zarar an daidaita abubuwan.

Abubuwan da ake buƙata da tsarin aiki masu jituwa

Don samun mafi kyawun dokokin ASR a cikin Microsoft Defender, yana da mahimmanci a sami tushe mai ƙarfi. A aikace, kuna buƙatar Microsoft Defender Antivirus yakamata ya zama riga-kafi na farko.yana gudana a cikin aiki, ba m, yanayin ba, kuma tare da kariyar ainihin lokacin da aka kunna.

Yawancin dokoki, musamman ma waɗanda suka ci gaba, suna buƙatar samun Kariyar Bayar da Girgije Mai aiki da haɗin kai tare da ayyukan girgije na Microsoft. Wannan maɓalli ne don fasalulluka waɗanda suka dogara ga suna, yaɗuwa, ko ilimin lissafi a cikin gajimare, kamar "masu aiwatarwa waɗanda ba su dace da yaɗuwa ba, shekaru, ko amintattun ka'idojin jeri" ko tsarin "ƙaddarar kariya ta fansa".

Kodayake dokokin ASR ba su buƙatar lasisi sosai Microsoft 365 E5, iya Samun E5 ko makamancin lasisi ana ba da shawarar sosai. Idan kana son samun ci-gaba na gudanarwa, saka idanu, bincike, bayar da rahoto, da kuma damar tafiyar da aiki da aka haɗa cikin Microsoft Defender for Endpoint da Microsoft Defender XDR portal.

Idan kuna aiki tare da lasisi kamar Windows Professional ko Microsoft 365 E3 ba tare da waɗannan abubuwan ci gaba ba, har yanzu kuna iya amfani da ASR, amma dole ne ku dogara da ƙari. Mai kallon taron, Microsoft Defender Antivirus rajistan ayyukan, da mafita na mallaka saka idanu da bayar da rahoto (gabatar da taron, SIEM, da sauransu). A kowane hali, yana da mahimmanci don duba lissafin tsarin aiki goyon bayasaboda dokoki daban-daban suna da mafi ƙarancin buƙatu don Windows 10/11 da sigogin uwar garken.

Hanyoyin mulki na ASR da pre-kima

Ana iya saita kowace dokar ASR a cikin jihohi huɗu: ba a saita/an kashe, toshe, duba, ko gargadiWaɗannan jihohin kuma ana wakilta su da lambobin lamba (0, 1, 2 da 6 bi da bi) waɗanda ake amfani da su a GPO, MDM, Intune da PowerShell.

Yanayi An toshe Yana kunna doka kuma kai tsaye yana dakatar da halayen da ake tuhuma. Yanayin Bugawa Yana yin rikodin abubuwan da za a toshe, amma ya bar aikin ya ci gaba, yana ba ku damar tantance tasirin aikace-aikacen kasuwanci kafin tsaurara tsaro.

Yanayi Gargadi (Warn) wani nau'i ne na tsaka-tsaki: ƙa'idar tana aiki kamar dokar toshewa, amma mai amfani yana ganin akwatin maganganu da ke nuna cewa an toshe abun ciki kuma an ba shi zaɓi don buše na ɗan lokaci na awanni 24Bayan wannan lokacin, za a sake toshe wannan tsari sai dai idan mai amfani ya sake ba shi damar.

Yanayin gargaɗi kawai yana goyan bayan daga Windows 10 version 1809 (RS5) da kuma daga bayaA cikin sigar da ta gabata, idan kun saita ƙa'ida a yanayin faɗakarwa, a zahiri za ta kasance azaman tsarin toshewa. Bugu da ƙari, wasu ƙayyadaddun ƙa'idodi ba sa goyan bayan yanayin gargaɗi lokacin da aka saita su ta hanyar Intune (ko da yake suna yin ta hanyar Manufofin Ƙungiya).

Kafin isa wurin kullewa, ana ba da shawarar sosai don amfani da yanayin dubawa kuma a dogara da Gudanar da Rashin Lafiyar Defender MicrosoftAnan zaka iya ganin tasirin da ake tsammanin kowace doka (kashi na na'urorin da abin ya shafa, tasirin tasiri akan masu amfani, da sauransu). Dangane da bayanan duba, zaku iya yanke shawarar waɗanne dokoki don kunnawa a yanayin toshewa, a waɗanne ƙungiyoyin matukin jirgi, da waɗanne keɓancewa kuke buƙata.

Dokokin ASR ta nau'in: daidaitattun ka'idojin kariya da sauran dokoki

Microsoft ya rarraba dokokin ASR zuwa ƙungiyoyi biyu: a gefe ɗaya, da daidaitattun ka'idojin kariyaWaɗannan su ne waɗanda kusan koyaushe ake ba da shawarar a kunna su saboda suna da ɗan tasiri kan amfani, kuma a gefe guda, sauran ƙa'idodin waɗanda galibi suna buƙatar lokacin gwaji na hankali.

Daga cikin daidaitattun ƙa'idodin kariyar, waɗannan sun bambanta, misali: "Katange cin zarafin masu sa hannun masu rauni da aka yi amfani da su", "Katange satar takaddun shaida daga tsarin hukumomin tsaro na gida (lsass.exe)" o "Toshe dagewa ta hanyar biyan kuɗin taron WMI"Waɗannan suna nuni kai tsaye zuwa dabarun gama gari na haɓaka gata, gujewa tsaro, da dagewa.

Sauran ƙa'idodin, yayin da suke da ƙarfi sosai, suna da yuwuwar yin karo da aikace-aikacen kasuwanci waɗanda ke yin amfani da rubutu sosai, macro, tsarin yara, ko kayan aikin gudanarwa na nesa. Wannan ya haɗa da duk waɗanda suka shafi Office, Adobe Reader, PSExec, WMI mai nisa, rufaffiyar rubutun, kisa daga USB, WebShells, Da dai sauransu

Ga kowane ƙa'ida, Microsoft ya rubuta a Sunan intune, sunan mai yiwuwa a cikin Manajan Kanfigareshan, GUID na musamman, abubuwan dogaro (AMSI, Kariyar Cloud, RPC…) da nau'ikan abubuwan da suka faru a cikin bincike na ci gaba (misali, AsrObfuscatedScriptBlocked, AsrOfficeChildProcessAuditedda sauransu). Waɗannan GUIDs sune waɗanda za ku buƙaci amfani da su a cikin GPO, MDM, da PowerShell don kunna, musaki, ko canza yanayin.

Cikakken bayanin manyan dokokin ASR

Dokokin ASR sun ƙunshi nau'i-nau'i masu yawa kai farmaki vectorsDa ke ƙasa akwai taƙaitaccen abubuwan da suka fi dacewa da abin da ainihin kowannensu ya toshe, dangane da nassoshi na hukuma da ƙwarewar aiki.

Toshe cin zarafi na masu rauni, masu amfani da direbobin sa hannu

Wannan doka ta hana aikace-aikace tare da isassun gata daga rubuta sa hannu amma direbobi masu rauni zuwa faifai wanda maharan zasu iya lodawa don samun damar shiga kwaya kuma su kashe ko ketare hanyoyin tsaro. Ba ya toshe lodin direbobi masu rauni waɗanda tuni sun kasance, amma yana yanke ɗayan hanyoyin da aka saba gabatar dasu.

GUID ce ta gano shi 56a863a9-875e-4185-98a7-b882c64b5ce5 kuma yana haifar da abubuwan da suka faru na nau'in AsrVulnerableSignedDriverAudited y AsrVulnerableSignedDriverBlocked a cikin ci gaban binciken Microsoft Defender.

Hana Adobe Reader ƙirƙirar matakan yara

Manufar wannan doka ita ce hanawa Adobe Reader yana aiki azaman allo don saukewa da kaddamar da kaya. Yana toshe ƙirƙirar matakai na biyu daga Mai karatu, yana ba da kariya daga amfani da PDF da dabarun injiniyan zamantakewa waɗanda suka dogara ga wannan mai kallo.

GUID ɗin ku shine 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2ckuma zai iya haifar da abubuwan da suka faru AsrAdobeReaderChildProcessAudited y AsrAdobeReaderChildProcessBlockedYa dogara da Microsoft Defender Antivirus yana aiki.

Hana duk aikace-aikacen Office ƙirƙira matakan yara

Wannan doka ta haramta Kalma, Excel, PowerPoint, OneNote, da Samun shiga haifar da matakai na biyuHanya ce kai tsaye don dakatar da yawancin hare-haren tushen macro da PowerShell ya ƙaddamar. CMD ko wasu kayan aikin tsarin don aiwatar da lamba mara kyau.

GUID mai alaƙa shine d4f940ab-401b-4efc-aadc-ad5f3c50688aA cikin al'amuran duniya na gaske, wasu halaltattun aikace-aikacen kasuwanci suma suna amfani da wannan tsarin (misali, don buɗewa) umurnin gaggawa ko a yi amfani da canje-canje ga Registry), don haka yana da mahimmanci a gwada shi da farko a yanayin dubawa.

Toshe satar shaidar LSASS

Wannan doka tana kare tsari lsassar.exe a kan hanyar da ba ta da izini daga wasu matakai, rage wuraren kai hari don kayan aiki kamar Mimikatz, waɗanda ke ƙoƙarin cire hashes, kalmomin sirri na fili, ko tikiti na Kerberos.

Yana raba falsafa da Microsoft Defender Credential GuardIdan kun riga kun kunna Guard Guard, ƙa'idar ta ƙara kaɗan, amma yana da amfani sosai a cikin mahallin da ba za ku iya kunna shi ba saboda rashin dacewa da shi. direbobi ko software na ɓangare na uku. GUID ɗin ku shine 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2.

Toshe abun ciki mai aiwatarwa daga abokan cinikin imel da saƙon gidan yanar gizo

Anan mun shigar da doka sosai daidai da hare-haren phishing. Abin da yake hana ... executables, rubutun, da matsatattun fayilolin da aka sauke ko haɗe su daga imel da abokan cinikin gidan yanar gizo gudu kai tsaye. Yana aiki da farko ga Outlook, Outlook.com, da mashahuran masu samar da saƙon gidan yanar gizo, kuma yana da amfani musamman a haɗe tare da wasu kariyar imel da kuma amintattun saitunan burauza.

GUID ɗin ku shine be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 kuma yana haifar da abubuwan da suka faru kamar AsrExecutableEmailContentAudited y AsrExecutableEmailContentBlockedYana da amfani musamman a hade tare da wasu kariyar imel.

Hana masu aiwatarwa yin aiki idan ba su cika ka'idoji, shekaru, ko ma'auni na amintattu ba.

Wannan doka ta toshe aiwatar da binaries (.exe, .dll, .scr, da sauransu) ba su da yawa isa, tsufa, ko abin dogaro Dangane da bayanan martabar gajimare na Microsoft, yana da ƙarfi sosai a kan sabbin malware, amma yana iya zama mai rauni a cikin mahalli da yawa a cikin gida ko software na zamani.

GUID shine 01443614-cd74-433a-b99e-2ecdc07bfc25 Kuma a sarari ya dogara da Kariyar Cloud. Bugu da ƙari, yana da bayyananniyar yanayin ƙa'idar cewa yana da kyau a fara a yanayin duba sannan a hankali aiwatar da toshewa.

Toshe aiwatar da yuwuwar ruɗewar rubutun

Lambar da aka ɓoye ta zama ruwan dare gama gari ga duka maharan da, wani lokacin, halaltattun masu haɓakawa. Wannan doka tana nazari abubuwan da ake tuhuma a cikin rufaffen PowerShell, VBScript, JavaScript, ko rubutun macro kuma yana toshe waɗanda ke da babban yiwuwar zama qeta.

GUID ɗin ku shine 5beb7efe-fd9a-4556-801d-275e5ffc04cc Yana amfani da AMSI (Antimalware Scan Interface) da kariyar gajimare don yanke shawara. Wannan shine ɗayan ƙa'idodi mafi inganci akan kamfen na tushen rubutun zamani.

Hana JavaScript ko VBScript daga ƙaddamar da abubuwan aiwatar da zazzagewa

Wannan doka tana mai da hankali kan ƙirar mai saukewa: a Rubutun a JS ko VBS yana zazzage fayil ɗin binary daga intanet kuma yana aiwatar da shi.Abin da ASR ke yi anan shine hana ainihin matakin ƙaddamar da zazzagewar da za a iya aiwatarwa.

GUID ɗin ku shine d3e037e1-3eb8-44c8-a917-57927947596dHakanan ya dogara da AMSI kuma yana da mahimmanci musamman a yanayin yanayin inda har yanzu ana amfani da tsofaffin fasahohi ko rubutun a cikin mai bincike ko akan tebur.

Hana aikace-aikacen Office ƙirƙira abun ciki mai aiwatarwa

Wani fasaha na yau da kullun shine amfani da Office zuwa rubuta ɓarna abubuwa zuwa faifai wanda ke ci gaba bayan sake farawa (misali, mai dagewa mai aiwatarwa ko DLL). Wannan doka ta hana Office adanawa ko samun damar irin wannan nau'in abun ciki mai aiwatarwa don ƙaddamar da shi.

GUID shine 3b576869-a4ec-4529-8536-b80a7769e899 Ya dogara da Microsoft Defender Antivirus da RPC. Yana da matukar tasiri wajen karya sarƙoƙin kamuwa da cuta na tushen macro waɗanda ke zazzage abubuwan biyan kuɗi na dindindin.

Hana aikace-aikacen Office daga saka lamba cikin wasu matakai

Wannan yana hana Office yin amfani da dabaru na tsari alluraWannan ya haɗa da shigar da lamba cikin wasu matakai don ɓarna ayyukan mugunta. Microsoft bai san duk wani halaltaccen kasuwanci da ake amfani da shi don wannan ƙirar ba, don haka ƙa'ida ce mai aminci don kunnawa a yawancin mahalli.

GUID ɗin ku shine 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84Koyaya, takamaiman aikace-aikacen da ke cin karo da wannan doka an rubuta su, don haka idan hayaniya ta bayyana a cikin yanayi, yana da kyau a duba dacewa.

Hana aikace-aikacen sadarwa na ofis daga ƙirƙirar matakan yara

Da farko an yi niyya ga Outlook da sauran samfuran sadarwa na Office, wannan doka ta toshe hanyoyin ƙirƙirar matakai na biyu daga abokin ciniki na imelrage hare-haren da ke amfani da lahani a cikin dokokin Outlook, fom, ko saƙon imel na ƙeta don aiwatar da lamba.

GUID ɗin ku shine 26190899-1602-49e8-8b27-eb1d0a1ce869 kuma yana taimakawa wajen rufe fage mai ban sha'awa don yaƙin neman zaɓen da aka yi niyya.

Toshe dagewa ta hanyar biyan kuɗin taron WMI

Yawancin barazanar "marasa fayil" sun dogara WMI don cimma juriya ba tare da barin bayyanannun alamomi akan faifai ba. Wannan doka tana toshe ƙirƙirar biyan kuɗin taron WMI na mugunta wanda zai iya sake buɗe lamba a duk lokacin da aka cika sharadi.

GUID ɗin ku shine e6db77e5-3df2-4cf1-b95a-636979351e5b kuma baya bada izinin cire fayiloli ko manyan fayiloli, daidai don hana cin zarafi.

Toshe hanyoyin da aka ƙirƙira daga umarnin PSExec da WMI

PsExec da WMI halal ne kayan aikin gudanarwa na nesa, amma kuma ana amfani dasu akai-akai don motsi na gefe da yaduwar malwareWannan doka ta hana hanyoyin farawa daga umarni PSExec ko WMI ana aiwatar da su, yana rage waɗancan vector.

GUID shine d1e49aac-8f56-4280-b9ba-993a6d77406cYana ɗaya daga cikin waɗannan ƙa'idodin inda haɗin kai tare da masu gudanarwa da ƙungiyoyin ayyuka ke da mahimmanci don guje wa rushe halaltattun hanyoyin gudanarwa na nesa.

Toshe sake kunna yanayin aminci wanda aka fara ta umarni

En Yanayin aminciYawancin hanyoyin tsaro an kashe su ko kuma suna da iyaka. Wasu ransomware suna cin zarafin umarni kamar bcdedit ko bootcfg don sake yin aiki a cikin yanayin aminci kuma a ɓoye ba tare da juriya da yawa ba. Wannan doka ta kawar da wannan yuwuwar, tana ba da damar ci gaba da samun dama ga yanayin aminci kawai ta wurin yanayin dawo da aikin hannu.

GUID ɗin ku shine 33ddedf1-c6e0-47cb-833e-de6133960387 kuma yana haifar da abubuwan da suka faru kamar AsrSafeModeRebootBlocked o AsrSafeModeRebootWarnBypassed.

Toshe hanyoyin da ba a sanya hannu ba ko rashin amana daga USB

Anan, ana sarrafa hanyar shigarwa ta gargajiya: da Kebul na USB da katunan SDTare da wannan doka, waɗanda ba sa hannu ko amintacce waɗanda za a iya aiwatar da su daga waɗannan kafofin watsa labarai ana toshe su. Wannan ya shafi binaries kamar .exe, .dll, .scr, da sauransu.

GUID shine b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 kuma yana da amfani musamman a wuraren da akwai haɗarin amfani da kebul mara sarrafawa.

Toshe amfani da kayan aikin da aka kwafi ko wanda aka kwafa

Hare-hare da yawa suna ƙoƙarin kwafi ko koyi Kayan aikin tsarin Windows (kamar cmd.exe, powershell.exe, regsvr32.exe, da sauransu) don mayar da su azaman halaltattun matakai. Wannan doka ta toshe aiwatar da hukuncin kisa da aka gano a matsayin kwafi ko masu ruguza waɗannan kayan aikin.

GUID ɗin ku shine c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb kuma yana samar da abubuwan da suka faru kamar AsrAbusedSystemToolBlockedYana da kyau madaidaici ga sauran dabarun sarrafa aikace-aikace.

Toshe ƙirƙirar WebShell akan sabobin

WebShells rubutun ne da aka tsara musamman don don bai wa maharin iko na nesa akan sabarƙyale shi don aiwatar da umarni, loda fayiloli, fitar da bayanai, da sauransu. Wannan doka, wanda ke nufin sabobin da ayyuka kamar Exchange, yana toshe ƙirƙirar waɗannan rubutun qeta.

GUID shine a8f5898e-1dc8-49a9-9878-85004b8a61e6 kuma an ƙera shi musamman don taurare sabar da aka fallasa.

Toshe kiran API na Win32 daga macro na Office

Wataƙila ɗaya daga cikin ƙa'idodi mafi inganci akan macro malwareYana toshe lambar Office VBA daga shigowa da kiran APIs Win32, wanda galibi ana amfani dashi don loda lambar shell cikin ƙwaƙwalwar ajiya, sarrafa matakai, samun damar ƙwaƙwalwar ajiya, da sauransu.

GUID ɗin ku shine 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b kuma ya dogara da AMSI. A aikace, yana ɓoye samfuran malware da yawa a cikin Kalma da Excel waɗanda ke dogara ga waɗannan kiran don aiwatar da lambar sabani.

Amfani da ci-gaba na kariyar ransomware

Wannan doka tana ƙara ƙarin kariya bisa ga abokin ciniki da Cloud heuristics don gano hali daidai da ransomware. Yana yin la'akari da dalilai kamar suna, sa hannun dijital, ko yaɗuwa don yanke shawarar ko fayil ɗin ya fi yuwuwar zama kayan fansa fiye da ingantaccen shirin.

GUID ɗin ku shine c1db55ab-c21a-4637-bb3f-a12568109d35Kuma ko da yake yana ƙoƙarin rage ƙimar ƙarya, yana ƙoƙarin yin kuskure a gefen taka tsantsan don kar a rasa ainihin siffa.

Hanyoyin daidaitawa: Intune, MDM, Manajan Kanfigareshan, GPO, da PowerShell

Za a iya daidaita dokokin rage kai hari ta hanyoyi da yawa dangane da yadda kuke sarrafa jiragen na'urar ku. Babban shawarar Microsoft shine a yi amfani da shi dandamalin sarrafa matakin kasuwanci (Intune ko Kanfigareshan Manager), tun da manufofinsu suna gaba da GPO ko na gida PowerShell saitin lokacin da tsarin ya fara.

con Microsoft Intune Kuna da hanyoyi guda uku: ƙayyadaddun manufofin tsaro na ƙarshen ASR, bayanan martaba na na'ura (Kariyar Ƙarshen), da bayanan martaba na al'ada ta amfani da OMA-URI don ayyana dokoki ta GUID da jiha. A kowane hali, zaku iya ƙara fayiloli da manyan fayiloli kai tsaye ko shigo da su daga fayil ɗin CSV.

A cikin muhalli MDMs na yau da kullun Ana amfani da CSP ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules Don ayyana jeri na GUIDs tare da matsayi, rabu da sanduna a tsaye. Misali, zaku iya haɗa dokoki da yawa ta sanya 0, 1, 2, ko 6 ya danganta da ko kuna son musaki, toshewa, dubawa, ko faɗakarwa. Ana sarrafa keɓancewa tare da CSP. ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions.

con Manajan Kanfigareshan Microsoft Kuna iya ƙirƙirar manufofi don Fayil na Windows Exploit Guard ya mai da hankali kan "Rage saman kai hari", zaɓi waɗanne dokokin da kuke son toshewa ko tantancewa da tura su zuwa takamaiman tarin na'urori.

La Manufofin ƙungiya Yana ba ku damar saita ASR ta hanyar samfuran gudanarwa ta hanyar kewayawa zuwa Microsoft Defender Antivirus da kuma nodes "Attack Surface Reduction". A can, kuna kunna manufar "Sanya ƙa'idodin rage girman kai hari" kuma shigar da GUIDs tare da daidai matsayinsu. Ƙarin GPO yana ba ku damar ayyana fayil da keɓance hanyoyin.

A ƙarshe, PowerShell Hanya ce mafi kai tsaye kuma mai fa'ida don gwaje-gwajen lokaci-lokaci ko rubutun atomatik. Cmdlets kamar Set-MpPreference y Add-MpPreference Suna ba ku damar kunnawa, duba, faɗakarwa, ko kashe ƙa'idodin mutum ɗaya, da sarrafa jerin keɓancewa tare da -AttackSurfaceReductionOnlyExclusionsKoyaya, idan akwai GPO ko Intune a ciki, saitin su yana ɗaukar fifiko.

Keɓancewa, rikice-rikice na siyasa, da sanarwa

Kusan duk dokokin ASR sun yarda ware fayiloli da manyan fayiloli Wannan yana hana toshe halaltattun aikace-aikace waɗanda, ta ƙira, ke nuna hali irin na malware. Kayan aiki ne mai ƙarfi, amma dole ne a yi amfani da shi tare da daidaitaccen tiyata: keɓancewa da yawa na iya barin mummunan rauni.

Lokacin da aka yi amfani da manufofin saɓani daga MDM da Intune, daidaitawar Umarnin rukuni yana ɗaukar fifiko Idan akwai. Bugu da ƙari, dokokin ASR suna goyan bayan ɗabi'ar haɗa manufofin: an gina babban saiti tare da tsarin da ba sa rikici, kuma an bar shigarwar masu karo da juna don waccan na'urar.

Duk lokacin da aka kunna ƙa'ida a yanayin toshe, mai amfani yana ganin a tsarin sanarwa yana mai bayanin cewa an tare wani aiki saboda dalilai na tsaro. Ana iya keɓance waɗannan sanarwar tare da bayanan kamfani da bayanin lamba. Don wasu ƙa'idodi da matsayi, ana kuma haifar da faɗakarwar EDR da sanarwar ciki kuma ana iya gani a cikin tashar Microsoft Defender.

Ba duk ka'idoji ba ne suke girmama su Kare riga-kafi na Microsoft Defender Haka kuma ba sa la'akari da alamun sasantawa (IOCs) da aka saita a cikin Defender don Endpoint. Misali, ka'idar toshe bayanan sata na LSASS ko ka'idar toshe lambar ofishin ba sa ɗaukar wasu IOCs cikin lissafi, daidai don kiyaye ƙarfinsu.

Kulawa da Abubuwan ASR: Portal, Babban Bincike, da Mai Kallon Biki

Sa ido shine mabuɗin don tabbatar da ASR ba akwatin baki bane. Defender for Endpoint yana bayarwa cikakkun rahotanni na abubuwan da suka faru da kuma toshewa masu alaƙa da dokokin ASR, waɗanda za a iya tuntuɓar su duka akan tashar Microsoft Defender XDR kuma ta hanyar bincike mai zurfi.

Binciken ci gaba yana ba ku damar ƙaddamarwa tambayoyi game da tebur DeviceEventstacewa ta nau'ikan aikin da suka fara da "Asr". Misali, tambaya ta asali DeviceEvents | where ActionType startswith 'Asr' Yana nuna muku abubuwan da suka shafi ASR da aka haɗa su ta hanyar tsari da ta sa'a, kamar yadda aka daidaita shi zuwa misali guda ɗaya a cikin sa'a don rage ƙarar.

A cikin mahalli ba tare da E5 ba ko kuma ba tare da samun damar yin amfani da waɗannan damar ba, koyaushe akwai zaɓi na bita Windows rajistan ayyukan a cikin Event ViewerMicrosoft yana ba da ra'ayoyi na al'ada (kamar fayil ɗin cfa-events.xml) waɗanda ke tace abubuwan da suka dace, tare da masu ganowa kamar 5007 (canje-canjen daidaitawa), 1121 (ƙa'ida a yanayin toshewa) da 1122 (ƙa'ida a yanayin dubawa).

Don tura kayan aiki, ya zama ruwan dare don tura waɗannan abubuwan zuwa ga SIEM ko dandalin shiga tsakani, daidaita su tare da wasu alamomi kuma haifar da faɗakarwar al'ada lokacin da wasu dokoki suka fara haifar da abubuwa da yawa a cikin wani yanki na cibiyar sadarwa.

Rage saman harin sama da ASR: dabaru, fasaha da kalubale

Kodayake dokokin ASR suna da mahimmancin mahimmanci, rage girman kai hari kamar yadda dabarun duniya ya wuce ƙarshen ƙarshen. Ya ƙunshi taswirar duk kadarori da wuraren shigaKawar da ayyukan da ba dole ba, cibiyoyin sadarwa na yanki, yi amfani da tsauraran matakan samun dama, taurare tsarin, kiyaye amintattun jeri, da kare gajimare da APIs.

Ƙungiyoyi yawanci suna farawa da cikakkun bayanai na na'urori, software, asusun ajiya da haɗin kaiBayan haka, ana gano ayyuka da aikace-aikacen da ba a yi amfani da su ba kuma an cire su, an rufe tashoshin sadarwa, kuma an kashe fasalulluka waɗanda ba su ƙara ƙima ba. Wannan yana sauƙaƙa yanayi kuma yana rage adadin "ƙofofin" waɗanda ke buƙatar kulawa.

Bangaren ikon sarrafawa Yana da mahimmanci: aikace-aikacen ƙa'idar mafi ƙarancin gata, kalmomin sirri masu ƙarfi, tabbatar da abubuwa da yawa, saurin soke damar shiga lokacin da wani ya canza matsayi ko barin ƙungiyar, da sa ido kan yunƙurin shiga da ake tuhuma.

A cikin gajimare, saman harin yana girma tare da kowane sabon sabis, API, ko haɗin kai. Ba daidai ba a cikin ajiyaMatsalolin da suka wuce gona da iri, asusun marayu, ko rashin tsaro na asali matsaloli ne na gama gari. Wannan shine inda binciken daidaitawa na yau da kullun, boye-boye na bayanai a hutawa da wucewa, rarrabuwar hanyar sadarwa, da ci gaba da bitar izini ke shiga cikin wasa.

Don tallafawa duk waɗannan, fasahar kamar gano kadara da kayan aikin taswira, na'urori masu lahani, tsarin sarrafa damar shiga, dandamalin sarrafa tsari, da kayan aikin tsaro na cibiyar sadarwa (Firewalls, IDS/IPS, NDR, da dai sauransu). Magani kamar SentinelOne, alal misali, haɗa kariya ta ƙarshe, nazarin ɗabi'a, da amsa ta atomatik don ƙara rage tasirin harin.

Kalubalen suna da yawa: hadaddun dogara tsakanin tsarinKasancewar aikace-aikacen gado waɗanda ba sa goyan bayan matakan zamani, saurin canjin fasaha, ƙarancin albarkatu, da rikice-rikice na dindindin tsakanin tsaro da haɓaka duk suna ba da gudummawa ga wannan ƙalubale. Nemo ma'auni daidai yana buƙatar zurfin fahimtar kasuwanci da ba da fifiko ga dukiya da matakai masu mahimmanci.

Ganin wannan mahallin, dokokin ASR sun zama ɗayan ingantattun kayan aiki don iyakance filin wasan maharin a ƙarshen ƙarshen. Shirye-shiryen da aka tsara (farawa tare da dubawa), daidaitawa tare da ƙayyadaddun keɓancewa, kuma ana lura da su a hankali, suna hana kuskuren mai amfani, amfani guda ɗaya, ko na'urar kebul na ƙeta daga haɓaka kai tsaye zuwa wani lamari mai mahimmanci, yana taimakawa wajen kula da ƙarami, mafi sauƙin sarrafawa, kuma, sama da duka, mafi inganci saman harin. da wuya a yi amfani da su.