- ASR reduces the attack surface by curbing high-risk endpoint behaviours.
- ASR rules integrate with Microsoft Defender and support block, audit and warn modes.
- They are managed centrally through Intune, GPO, MDM or PowerShell and require planning and careful handling of exclusions.
- ASR is a key component within the broader attack surface reduction strategy and the Zero Trust model.

When you start to dig into Windows security and everything Microsoft Defender has to offer, the term ASR (Attack Surface Reduction) comes up again and again. And that is no accident: we are talking about a set of rules and techniques aimed at stopping attacks before they even gain an initial foothold.
In a context of increasingly sophisticated threats (ransomware, obfuscated scripts, credential theft and fileless attacks), ASR rules have become an essential piece of preventive defence. The problem is that they are often seen as something "magical" and complicated, when in reality their logic is quite clear once it is explained calmly.
What is ASR (Attack Surface Reduction) and what problem does it solve?
Attack Surface Reduction, or ASR, is an approach that consists of minimising all the points through which an attacker could enter, move or execute code within an environment. In Microsoft's specific case, ASR is implemented through rules that control high-risk endpoint behaviours: script execution, Office macros, processes launched from USB drives, WMI abuse, and so on.

In practical terms, the Microsoft Defender ASR rules for endpoints are settings that say: "certain behaviours that look like malware are not allowed, even if legitimate applications sometimes perform them too". For example, Word launching PowerShell, a script downloaded from the Internet launching executables, or one process attempting to inject code into another.
The underlying idea is to reduce the number of attack paths that could compromise the system. The fewer paths available, the smaller the exposed surface. This fits perfectly with the Zero Trust model: we assume that at some point there will be a breach, so we shrink the "blast radius" of an incident as much as possible.
It is important to distinguish between two concepts that are often confused: on one hand, attack surface reduction as an overall strategy (removing unnecessary services, closing ports, uninstalling unused software, restricting permissions, and so on), and on the other, the Microsoft Defender ASR rules, which are a very specific subset of that strategy, focused on endpoints and software behaviour.
Attack surface: physical, digital and human
When we talk about an organisation's attack surface, we mean every point where an attacker could gain a foothold: devices, applications, online services, user accounts, APIs, internal networks, public clouds, and so on. It is not only a technical matter; human error also comes into play.
On the digital side we find websites, servers, databases, endpoints, cloud services and business applications. Every misconfigured service, every open port, every unpatched application can become an entry point. That is why many companies rely on EASM (External Attack Surface Management) tools that automate the discovery of exposed assets and vulnerabilities.
On the physical side, on-premises servers, workstations, network devices and ports come into play. Here the risk is reduced by controlling physical access: cameras, badges, locks, locked racks and hardened hardware. If someone can reach the data centre with a USB drive, it hardly matters how good your logical security is.
The third leg is the area linked to social engineering and the human factor: phishing emails, pretexting phone calls, watering-hole websites, or employee mistakes that lead to downloading malicious content. That is why attack surface reduction also includes training and awareness, not just technology.
ASR as a pillar of preventive security and Zero Trust
In the Zero Trust model we assume that the network is already compromised, or will be. What we aim for is to prevent the attacker from escalating or gaining privileges quickly. ASR rules fit in perfectly here because they put obstacles in front of the most commonly used attack vectors, especially on endpoints.
ASR rules apply the principle of least privilege to behaviour: it is not only about what permissions an account has, but about what actions a given application may perform. For example, Office can keep editing documents without any problem, but it can no longer spawn background processes or freely create executables on disk.
This kind of behavioural control is especially robust against polymorphic threats and fileless attacks. Even though malware constantly changes its signature or hash, most of it still needs to do the same things: run scripts, inject code into processes, manipulate LSASS, abuse WMI, load vulnerable drivers, and so on. ASR targets precisely these behaviours.
Furthermore, the rules can be applied in different modes: block, audit or warn. This allows a gradual rollout, starting by observing which behaviours would be blocked (audit mode), then notifying the user (warn), and finally blocking them outright once exclusions have been tuned.
Prerequisites and supported operating systems
To get the most out of ASR rules in Microsoft Defender, it is essential to have a solid foundation. In practice, Microsoft Defender Antivirus must be your primary antivirus, running in active (not passive) mode and with real-time protection enabled.
Many rules, especially the more advanced ones, require Cloud-Delivered Protection to be active and connected to Microsoft's cloud services. This is key for rules that rely on reputation, prevalence or heuristics in the cloud, such as the "block executables that don't meet a prevalence, age or trusted list criterion" rule or "advanced ransomware protection".
Although ASR rules do not strictly require a Microsoft 365 E5 licence, having E5 or equivalent licences is strongly recommended if you want advanced management, monitoring, analysis, reporting and integrated workflows in Microsoft Defender for Endpoint and the Microsoft Defender XDR portal.
If you are working with licences such as Windows Professional or Microsoft 365 E3 without those advanced features, you can still use ASR, but you will have to rely much more on Event Viewer, Microsoft Defender Antivirus logs and your own solutions for monitoring and reporting (event forwarding, SIEM, etc.). In any case, it is important to check the list of supported operating systems, because different rules have minimum requirements on Windows 10/11 and server versions.
ASR rule modes and pre-assessment
Each ASR rule can be configured in one of four states: not configured / disabled, block, audit or warn. These states are also represented by numeric values (0, 1, 2 and 6 respectively) that are used in GPO, MDM, Intune and PowerShell.
Block mode activates the rule and directly stops the suspicious behaviour. Audit mode records the events that would have been blocked but lets the action proceed, allowing you to assess the impact on business applications before hardening security.
Warn mode is an intermediate mode: the rule behaves like a blocking rule, but the user sees a dialog box indicating that the content has been blocked and is given the option to unblock it temporarily for 24 hours. After that period, the same behaviour is blocked again unless the user allows it again.
Warn mode is only supported from Windows 10 version 1809 (RS5) onwards. On earlier versions, if you configure a rule in warn mode, it simply behaves like a block rule. In addition, some rules do not support warn mode when configured through Intune (even though they do through Group Policy).
Before jumping to block mode, it is strongly recommended to use audit mode and to rely on Microsoft Defender Vulnerability Management. There you can see the expected impact of each rule (percentage of affected devices, potential disruption to users, and so on). Based on the audit data, you can decide which rules to deploy in block mode, in which device groups, and which exclusions you need.
ASR rules by type: standard protection rules and other rules
Microsoft groups ASR rules into two sets: on one hand, the standard protection rules, which are always recommended to be enabled because they have minimal impact on usability, and on the other, all the remaining rules, which usually require a careful testing phase.
Among the standard protection rules, the following stand out, for example: "Block abuse of exploited vulnerable signed drivers", "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" or "Block persistence through WMI event subscription". These point directly at classic techniques for privilege escalation, defence evasion and persistence.
The remaining rules, although very powerful, can conflict with the workflows of businesses that make heavy use of scripts, macros, child processes or remote management tools. These include everything that affects Office, Adobe Reader, PsExec, remote WMI, obfuscated scripts, execution from USB, webshells, etc.
For each rule, Microsoft documents an Intune name, a possible name in Configuration Manager, a unique GUID, its dependencies (AMSI, Cloud Protection, RPC, ...) and the event types generated in advanced hunting (for example, AsrObfuscatedScriptBlocked, AsrOfficeChildProcessAudited, etc.). These GUIDs are the ones you will need in GPO, MDM and PowerShell to enable, disable or change the mode of the rules.
Detailed description of the main ASR rules
ASR rules cover a wide range of attack vectors. Below is a summary of the most important ones and what exactly each one blocks, based on the official references and practical experience.
Block abuse of exploited vulnerable signed drivers
This rule prevents an application with sufficient privileges from writing signed but vulnerable drivers to disk, which attackers could later load to gain kernel access and disable or evade security solutions. It does not block the loading of vulnerable drivers that are already present, but it cuts off one of the most common ways of introducing them.
It is identified by the GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 and generates events of type AsrVulnerableSignedDriverAudited and AsrVulnerableSignedDriverBlocked in Microsoft Defender advanced hunting.
Block Adobe Reader from creating child processes
The purpose of this rule is to prevent Adobe Reader from acting as a springboard for downloading and launching payloads. It blocks the creation of secondary processes from Reader, preventing PDF exploits and social engineering techniques that rely on this viewer.
Its GUID is 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c and it can generate the events AsrAdobeReaderChildProcessAudited and AsrAdobeReaderChildProcessBlocked. It depends on Microsoft Defender Antivirus being active.
Block all Office applications from creating child processes
This rule prevents Word, Excel, PowerPoint, OneNote and Access from creating secondary processes. It is a direct way of stopping many macro-based attacks that launch PowerShell, CMD or other system tools to execute malicious code.
The associated GUID is d4f940ab-401b-4efc-aadc-ad5f3c50688a. In real-world environments, some legitimate business applications also use this pattern (for example, opening a command prompt or applying changes to the Registry), so it is important to test it in audit mode first.
Block credential stealing from LSASS
This rule protects the lsass.exe process against unauthorised access from other processes, reducing the attack surface for tools such as Mimikatz that try to extract hashes, plaintext passwords or Kerberos tickets.
It shares its philosophy with Microsoft Defender Credential Guard. If you already have Credential Guard enabled, the rule adds little, but it is very useful in environments where you cannot enable it because of incompatibilities with drivers or third-party software. Its GUID is 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2.
Block executable content from email clients and webmail
Here we get to a rule closely tied to phishing attacks. What it does is prevent executables, scripts and compressed files downloaded or attached from email and webmail clients from running directly. It mainly applies to Outlook, Outlook.com and popular webmail providers, and is especially useful in combination with other email protections and secure browser settings.
Its GUID is be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 and it generates events such as AsrExecutableEmailContentAudited and AsrExecutableEmailContentBlocked.
Block executable files from running unless they meet a prevalence, age or trusted list criterion
This rule blocks the execution of binaries (.exe, .dll, .scr, etc.) that are not sufficiently prevalent, old enough or trusted according to Microsoft's cloud reputation data. It is very powerful against brand-new malware, but it can be risky in environments with a lot of in-house or uncommon software.
The GUID is 01443614-cd74-433a-b99e-2ecdc07bfc25 and it depends heavily on Cloud Protection. Again, it is a clear case of a rule that is best started in audit mode and then moved gradually to block.
Block execution of potentially obfuscated scripts
Obfuscated code is common among attackers and, sometimes, among legitimate developers. This rule analyses suspicious properties of obfuscated PowerShell, VBScript, JavaScript or macro scripts and blocks those that are highly likely to be malicious.
Its GUID is 5beb7efe-fd9a-4556-801d-275e5ffc04cc. It uses AMSI (Antimalware Scan Interface) and cloud protection to make its decision. It is one of the most effective rules against current script-based campaigns.
Block JavaScript or VBScript from launching downloaded executable content
This rule focuses on a classic downloader pattern: a JS or VBS script downloads a binary file from the Internet and runs it. What ASR does here is prevent precisely the step of launching the downloaded executable.
Its GUID is d3e037e1-3eb8-44c8-a917-57927947596d. It also relies on AMSI and is especially relevant in environments where legacy technologies or scripts are still used in the browser or on the desktop.
Block Office applications from creating executable content
Another common technique is to use Office to write malicious content to disk that persists after a restart (for example, an executable or a DLL). This rule prevents Office from saving or creating that kind of executable content that could later be launched.
The GUID is 3b576869-a4ec-4529-8536-b80a7769e899. It depends on Microsoft Defender Antivirus and RPC. It is very effective at breaking macro-based infection chains that download a persistent payload.
Block Office applications from injecting code into other processes
This prevents Office from using process injection techniques, that is, inserting code into other processes to hide malicious execution. Microsoft is not aware of any legitimate business use of this pattern, so the rule is safe to enable in most environments.
Its GUID is 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84. That said, a few specific scenarios that conflict with this rule have been documented, so if noise appears in the environment it is advisable to review compatibility.
Block Office communication applications from creating child processes
Aimed specifically at Outlook and other Office communication products, this rule blocks the creation of secondary processes from the email client, reducing attacks that exploit weaknesses in Outlook rules, forms or malicious emails to execute code.
Its GUID is 26190899-1602-49e8-8b27-eb1d0a1ce869 and it helps close an attractive vector for targeted phishing campaigns.
Block persistence through WMI event subscription
Many "fileless" threats rely on WMI to achieve persistence without leaving obvious traces on disk. This rule blocks the creation of malicious WMI event subscriptions that could launch code whenever certain conditions are met.
Its GUID is e6db77e5-3df2-4cf1-b95a-636979351e5b and it does not allow file or folder exclusions, precisely so that they cannot be abused.
Block process creations originating from PsExec and WMI commands
PsExec and WMI are legitimate administration tools, but they are also frequently used for lateral movement and malware distribution. This rule prevents processes from being created by PsExec or WMI commands, reducing that vector.
The GUID is d1e49aac-8f56-4280-b9ba-993a6d77406c. It is one of the rules where coordination with administrators and operations teams is essential to avoid breaking legitimate remote management scenarios.
Block Safe Mode reboots initiated by commands
In Safe Mode, many security solutions are disabled or severely limited. Some ransomware abuses commands such as bcdedit or bootcfg to reboot into Safe Mode and encrypt without much resistance. This rule removes that possibility, allowing Safe Mode to be reached only through the system recovery environment.
Its GUID is 33ddedf1-c6e0-47cb-833e-de6133960387 and it generates events such as AsrSafeModeRebootBlocked or AsrSafeModeRebootWarnBypassed.
Block untrusted and unsigned processes that run from USB
Here a classic entry route is controlled: USB drives and SD cards. With this rule, unsigned or untrusted executables run from these media are blocked. This applies to binaries such as .exe, .dll, .scr, etc.
The GUID is b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 and it is especially relevant in environments where there is a risk of uncontrolled use of USB devices.
Block use of copied or impersonated system tools
Many attacks try to copy or impersonate Windows system tools (such as cmd.exe, powershell.exe, regsvr32.exe, etc.) in order to masquerade as legitimate processes. This rule blocks the execution of binaries detected as copies or impersonations of these tools.
Its GUID is c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb and it emits events such as AsrAbusedSystemToolBlocked. It is a good complement to other application control policies.
Block webshell creation on servers
Webshells are scripts designed specifically to give an attacker remote control over a server, allowing them to run commands, upload files, exfiltrate data, and so on. This rule, aimed at servers with roles such as Exchange, blocks the creation of these malicious scripts.
The GUID is a8f5898e-1dc8-49a9-9878-85004b8a61e6 and it is designed specifically to harden exposed servers.
Block Win32 API calls from Office macros
Probably one of the most effective rules against macro malware. It prevents Office VBA code from importing and calling Win32 APIs, which are often used to load shellcode into memory, manipulate processes, access memory, and so on.
Its GUID is 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b and it relies on AMSI. In practice, it neutralises many malware templates in Word and Excel that rely on these calls to execute arbitrary code.
Use advanced protection against ransomware
This rule adds an extra layer of protection based on client and cloud heuristics to detect ransomware-like behaviour. It takes into account factors such as reputation, digital signature or prevalence to decide whether a file is likely to be ransomware rather than a legitimate program.
Its GUID is c1db55ab-c21a-4637-bb3f-a12568109d35. And although it tries to minimise false positives, it tends to err on the side of caution so as not to miss a real encryptor.
Configuration methods: Intune, MDM, Configuration Manager, GPO and PowerShell
Attack surface reduction rules can be configured in several ways depending on how you manage your device fleet. Microsoft's recommendation is to use enterprise-level management platforms (Intune or Configuration Manager), since their settings take precedence over GPO or local PowerShell settings when there is a conflict.
With Microsoft Intune you have three options: the endpoint security policy specifically for ASR, device configuration profiles (Endpoint Protection), and custom profiles that use OMA-URI to define rules by GUID and state. In all cases, you can add file and directory exclusions directly or import them from a CSV file.
On generic MDMs, the CSP ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules is used to define the list of GUIDs with their states, separated by pipe characters. For example, you can combine several rules by assigning 0, 1, 2 or 6 depending on whether you want to disable, block, audit or warn. Exclusions are managed with the CSP ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions.
With Microsoft Configuration Manager you can create Windows Defender Exploit Guard policies targeting "Attack surface reduction", choose the rules you want to block or audit, and deploy them to a specific device collection.
Group Policy lets you configure ASR through administrative templates by navigating to Microsoft Defender Antivirus and the "Attack Surface Reduction" node. There, you enable the "Configure Attack Surface Reduction rules" policy and enter the GUIDs with their corresponding state. A further GPO setting lets you define file and path exclusions.
Finally, PowerShell is the most direct method and is useful for one-off tests or automation scripts. Cmdlets such as Set-MpPreference and Add-MpPreference let you enable, audit, warn or disable individual rules, as well as manage the exclusion list with -AttackSurfaceReductionOnlyExclusions. However, if a GPO or Intune policy is applied, its settings take precedence.
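The following script is an added example, not code from the original article or from Microsoft: it walks through the staged rollout the article describes (prerequisite check, audit first, then warn or block) with the Set-MpPreference / Add-MpPreference cmdlets, and also builds the pipe-separated "GUID=state" value that the AttackSurfaceReductionRules CSP and an Intune OMA-URI profile expect. The rule GUIDs are the published Microsoft values quoted above; the choice of which rules go straight to block, the exclusion path, and the function names are illustrative assumptions of this example.

```powershell
# Added example: staged ASR rollout with the Defender cmdlets plus the CSP/OMA-URI value.
# Needs the Defender PowerShell module (present on Windows 10/11 and Server) and an
# elevated session. A GPO or Intune policy, if present, overrides what is set here.

# Numeric states used by GPO, MDM and Intune: 0 disabled, 1 block, 2 audit, 6 warn
$AsrState  = @{ Disabled = 0; Block = 1; Audit = 2; Warn = 6 }
# Action names accepted by -AttackSurfaceReductionRules_Actions for the same states
$AsrAction = @{ Disabled = 'Disabled'; Block = 'Enabled'; Audit = 'AuditMode'; Warn = 'Warn' }

# Three standard protection rules (low usability impact) and one rule that needs testing first
$StandardRules = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5'   # Block abuse of exploited vulnerable signed drivers
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'   # Block credential stealing from LSASS
    'e6db77e5-3df2-4cf1-b95a-636979351e5b'   # Block persistence through WMI event subscription
)
$OfficeChildProcessRule = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'   # Office child processes

function Test-AsrPrerequisites {
    # Defender AV must be the primary AV (active mode) with real-time and cloud protection on
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    [pscustomobject]@{
        ActiveMode         = ($status.AMRunningMode -eq 'Normal')          # not 'Passive Mode'
        RealTimeProtection = [bool]$status.RealTimeProtectionEnabled
        CloudProtection    = ($pref.MAPSReporting -ne 0)                  # 0 = cloud-delivered protection off
        WarnModeSupported  = ([System.Environment]::OSVersion.Version.Build -ge 17763)  # Windows 10 1809 (RS5)
    }
}

function New-AsrCspValue {
    # Build "GUID=state|GUID=state" for ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
    param([Parameter(Mandatory)][hashtable]$Plan)   # rule GUID -> numeric state
    $guidPattern = '^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$'
    $parts = foreach ($id in ($Plan.Keys | Sort-Object)) {
        if ($id -notmatch $guidPattern) { throw "Not an ASR rule GUID: $id" }
        if ($Plan[$id] -notin 0, 1, 2, 6) { throw "Invalid state $($Plan[$id]) for $id (use 0, 1, 2 or 6)" }
        "$id=$($Plan[$id])"
    }
    $parts -join '|'
}

function Set-AsrRules {
    # Apply one mode to a set of rules. Add-MpPreference merges with the existing rule list;
    # Set-MpPreference would replace the whole list.
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Block', 'Audit', 'Warn')][string]$Mode
    )
    if ($Mode -eq 'Warn' -and -not (Test-AsrPrerequisites).WarnModeSupported) {
        Write-Warning 'Warn mode needs Windows 10 1809 or later; on this build the rules behave as Block.'
    }
    $actions = @($Ids | ForEach-Object { $AsrAction[$Mode] })   # one action per rule id
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids -AttackSurfaceReductionRules_Actions $actions
}

function Get-AsrEffectiveRules {
    # Pair the GUIDs and numeric actions returned by Get-MpPreference into a readable table
    $pref  = Get-MpPreference
    $names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
    for ($i = 0; $i -lt @($pref.AttackSurfaceReductionRules_Ids).Count; $i++) {
        $code = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
        [pscustomobject]@{ RuleId = $pref.AttackSurfaceReductionRules_Ids[$i]; State = $names[$code]; Code = $code }
    }
}

# --- Usage -------------------------------------------------------------------
# 1. Check the foundation the rules depend on
Test-AsrPrerequisites | Format-List

# 2. Standard protection rules go straight to block; the Office rule starts in audit
Set-AsrRules -Ids $StandardRules -Mode Block
Set-AsrRules -Ids @($OfficeChildProcessRule) -Mode Audit

# 3. Exclusion for a line-of-business tool that legitimately spawns processes from Excel
#    (hypothetical path; note that the WMI persistence rule ignores exclusions entirely)
Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Program Files\ContosoLOB\reportgen.exe'

# 4. After the audit window, promote the Office rule (uncomment when the audit data is clean)
# Set-AsrRules -Ids @($OfficeChildProcessRule) -Mode Warn
# Set-AsrRules -Ids @($OfficeChildProcessRule) -Mode Block

# 5. The same plan expressed as the OMA-URI value for a custom Intune profile or generic MDM
$plan = @{}
$StandardRules | ForEach-Object { $plan[$_] = $AsrState.Block }
$plan[$OfficeChildProcessRule] = $AsrState.Audit
New-AsrCspValue -Plan $plan

# 6. Read back what the device is actually enforcing
Get-AsrEffectiveRules | Format-Table -AutoSize
```

Add-MpPreference is used deliberately instead of Set-MpPreference so that a rule can be promoted from audit to block without clobbering the rest of the list; Get-AsrEffectiveRules is the check to run afterwards, because a managed device will keep showing the Intune or GPO state rather than the one set locally.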
Exclusions, policy conflicts and notifications
Almost all ASR rules allow file and folder exclusions. These prevent legitimate applications that, by design, exhibit malware-like behaviour from being blocked. It is a powerful tool, but it must be used with surgical precision: too many exclusions can leave serious gaps.
If conflicting policies are applied from MDM and Intune, the Group Policy configuration takes precedence if one exists. Moreover, ASR rules support merge behaviour: a superset is built from the non-conflicting settings, and conflicting entries are not merged for that device.
Every time a rule fires in block mode, the user sees a system notification explaining that the operation was blocked for security reasons. These notifications can be customised with company information and contact details. For some rules and configurations, EDR alerts and internal notifications are also generated and are visible in the Microsoft Defender portal.
Not all rules respect Microsoft Defender Antivirus exclusions, nor do they all take into account the indicators of compromise (IOCs) defined in Defender for Endpoint. For example, the LSASS credential theft blocking rule and the Office code injection blocking rule do not honour certain IOCs, precisely to preserve their robustness.
ASR event monitoring: portal, advanced hunting and Event Viewer
Monitoring is essential to ensure that ASR is not a black box. Defender for Endpoint provides detailed reports of events and blocks associated with ASR rules, which can be queried both in the Microsoft Defender XDR portal and through advanced hunting.
Advanced hunting lets you run queries against the DeviceEvents table, filtering by action types that start with "Asr". For example, the basic query DeviceEvents | where ActionType startswith 'Asr' shows ASR-related events, aggregated by process and by hour, since they are normalised to a single sample per hour to reduce volume.
In environments without E5 or without access to these features, there is always the option of examining the Windows logs in Event Viewer. Microsoft provides custom views (such as the cfa-events.xml file) that filter the relevant events, with IDs such as 5007 (configuration change), 1121 (rule fired in block mode) and 1122 (rule fired in audit mode).
For hybrid deployments, it is common to forward these events to a SIEM or centralised logging platform, correlate them with other signals and set up custom alerts when certain rules start producing too many events in a given network segment.
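As an added example (not from the original article or from Microsoft), the script below does locally what the Event Viewer custom view and the hourly advanced hunting aggregation do for the portal: it parses Defender operational-log events 1121, 1122 and 5007 into records, counts them per rule, mode and hour, and flags rules that are still producing audit hits and therefore are not ready to move to block. The log name is the real Microsoft-Windows-Windows Defender/Operational channel; the EventData field names "ID", "Path" and "Process Name" are assumed from sample events, with a GUID search as fallback if they differ; the three sample events are constructed for the example, not captured from a real host.

```powershell
# Added example: summarise ASR block/audit events from the Defender operational log.
# Works offline on the constructed sample events below; Get-AsrEventsFromLog reads the
# real log on a Windows host (elevated session).

$RuleNames = @{   # GUIDs quoted in the article; extend as needed
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
}
$GuidPattern = '[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}'

function ConvertFrom-AsrEventXml {
    # Turn one event's XML (as returned by EventLogRecord.ToXml()) into a flat record
    param([Parameter(Mandatory)][string]$EventXml)
    [xml]$x = $EventXml
    $eidNode = $x.Event.System.EventID
    $eventId = [int]$(if ($eidNode -is [System.Xml.XmlElement]) { $eidNode.'#text' } else { $eidNode })
    $data = @{}
    foreach ($d in @($x.Event.EventData.Data)) { if ($d) { $data[$d.Name] = $d.'#text' } }
    # Rule GUID: the 'ID' field (assumed name); otherwise the first GUID found in any field
    $ruleId = $data['ID']
    if (-not $ruleId) {
        $hit = $data.Values | Where-Object { $_ -match $GuidPattern } | Select-Object -First 1
        if ($hit) { $null = $hit -match $GuidPattern; $ruleId = $Matches[0] }
    }
    $mode = switch ($eventId) { 1121 { 'Block' } 1122 { 'Audit' } 5007 { 'ConfigChange' } default { 'Other' } }
    [pscustomobject]@{
        Time     = [datetime]$x.Event.System.TimeCreated.SystemTime
        EventId  = $eventId
        Mode     = $mode
        RuleId   = $ruleId
        RuleName = if ($ruleId -and $RuleNames[$ruleId]) { $RuleNames[$ruleId] } else { $ruleId }
        Path     = $data['Path']           # blocked/audited file (assumed field name)
        Process  = $data['Process Name']   # initiating process (assumed field name)
    }
}

function Get-AsrSummary {
    # Counts per rule, mode and hour, mirroring the hourly normalisation of advanced hunting
    param([Parameter(Mandatory)][object[]]$Events)
    $Events | Where-Object { $_.Mode -in 'Block', 'Audit' } |
        Group-Object RuleName, Mode, { $_.Time.ToString('yyyy-MM-dd HH:00') } |
        ForEach-Object {
            [pscustomobject]@{
                Hour     = $_.Group[0].Time.ToString('yyyy-MM-dd HH:00')
                RuleName = $_.Group[0].RuleName
                Mode     = $_.Group[0].Mode
                Count    = $_.Count
            }
        } | Sort-Object Hour, RuleName
}

function Get-AsrRulesNotReadyForBlock {
    # Rules with more audit hits than the threshold still need exclusions or more analysis
    param([Parameter(Mandatory)][object[]]$Events, [int]$Threshold = 1)
    $Events | Where-Object Mode -eq 'Audit' | Group-Object RuleId | Where-Object Count -gt $Threshold |
        ForEach-Object {
            $topPaths = $_.Group.Path | Group-Object | Sort-Object Count -Descending |
                        Select-Object -First 3 -ExpandProperty Name
            [pscustomobject]@{ RuleId = $_.Name; AuditHits = $_.Count; TopPaths = ($topPaths -join '; ') }
        }
}

function Get-AsrEventsFromLog {
    # Live use on a Windows host: same IDs the Event Viewer custom view filters
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122, 5007 } -MaxEvents $MaxEvents |
        ForEach-Object { ConvertFrom-AsrEventXml -EventXml $_.ToXml() }
}

# --- Constructed sample events (not real captures) -----------------------------
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$SampleEvents = @(
    "<Event xmlns='$ns'><System><EventID>1122</EventID><TimeCreated SystemTime='2024-05-01T09:12:00.000Z'/></System><EventData><Data Name='ID'>d4f940ab-401b-4efc-aadc-ad5f3c50688a</Data><Data Name='Path'>C:\Windows\System32\cmd.exe</Data><Data Name='Process Name'>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>1122</EventID><TimeCreated SystemTime='2024-05-01T09:40:00.000Z'/></System><EventData><Data Name='ID'>d4f940ab-401b-4efc-aadc-ad5f3c50688a</Data><Data Name='Path'>C:\Program Files\ContosoLOB\reportgen.exe</Data><Data Name='Process Name'>C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>1121</EventID><TimeCreated SystemTime='2024-05-01T10:05:00.000Z'/></System><EventData><Data Name='ID'>9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2</Data><Data Name='Path'>C:\Windows\System32\lsass.exe</Data><Data Name='Process Name'>C:\Users\alice\Downloads\tool.exe</Data></EventData></Event>"
)

$records = $SampleEvents | ForEach-Object { ConvertFrom-AsrEventXml -EventXml $_ }
Get-AsrSummary -Events $records | Format-Table -AutoSize
Get-AsrRulesNotReadyForBlock -Events $records | Format-Table -AutoSize
```

On the sample data the Office child-process rule shows two audit hits in the 09:00 hour, one of them from a line-of-business tool, which is exactly the kind of finding that drives an exclusion decision before that rule is promoted to block; the LSASS rule shows a single block and needs no action. Replace $records with Get-AsrEventsFromLog on a real host to run the same summary over the actual log.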
Attack surface reduction beyond ASR: strategies, technologies and challenges
Although ASR rules are a very important piece, attack surface reduction as an overall programme goes well beyond the endpoint. It involves mapping all assets and entry points, removing unnecessary services, segmenting the network, applying access controls, hardening systems, maintaining secure configurations, and securing the cloud and APIs.
Organisations usually start with a complete inventory of devices, software, accounts and integrations. Then, unused services and applications are identified and decommissioned, network ports are closed, and features that add no value are disabled. This simplifies the environment and reduces the number of "doors" that need watching.
The access control part is essential: applying the principle of least privilege, strong passwords, multi-factor authentication, promptly revoking access when someone changes role or leaves the organisation, and monitoring suspicious login attempts.
In the cloud, the attack surface grows with every new service, API or integration. Security misconfigurations, overly broad roles, orphaned accounts or insecure default values are common problems. This is where periodic audits, encryption of data at rest and in transit, virtual network segmentation and continuous permission reviews come in.
Supporting all of this are technologies such as asset discovery and mapping tools, vulnerability scanners, access control systems, configuration management platforms and network security tools (firewalls, IDS/IPS, NDR, etc.). Solutions such as SentinelOne, for example, combine endpoint protection, behavioural analysis and automated response to further reduce the effective attack surface.
The challenges are many: complex dependencies between systems, legacy devices that do not support modern controls, the rapid pace of technological change, resource constraints and the constant tension between security and productivity all make this difficult. Finding the right balance requires a thorough understanding of the business and prioritising the most critical assets and processes.
With all this in mind, ASR rules become one of the most effective tools for shrinking the attacker's playing field on the endpoint. Well planned (starting with audit), carefully tuned with exclusions and properly monitored, they prevent a user mistake, a single exploit or a malicious USB drive from escalating into a serious incident, helping to keep the attack surface small, manageable and, above all, much harder to exploit.
A writer passionate about the world of bytes and technology in general. I love sharing my knowledge through writing, and that is what I will do on this blog: show you the most interesting things about gadgets, software, hardware, technology trends and more. My goal is to help you navigate the digital world in a simple and enjoyable way.