Yintoni i-ASR (UkuNcitshiswa koMphezulu wokuhlaselwa) kwaye izikhusela njani izixhobo zakho?

Xa uqala ukuphengulula kukhuseleko lweWindows kunye nayo yonke into iMicrosoft Defender inokunikela ngayo, ixesha I-ASR (Ukunciphisa uMphezulu woHlaselo) Kubonakala ixesha kunye nexesha kwakhona. Kwaye akukho nto ngamahloni: sithetha ngeseti yemithetho kunye nobuchule obujolise ekumiseni uhlaselo ngaphambi kokuba babe nethuba lokuqalisa.

Kumxholo we izoyikiso ezintsonkothileyoNge-ransomware, izikripthi ezifihliweyo, ubusela obuqinisekisiweyo, kunye nokuhlaselwa kweefayile, imithetho ye-ASR ibe yinto ephambili yokukhusela ukukhusela. Ingxaki kukuba bahlala bebonwa njengento "yomlingo" kwaye intsonkothile, xa eneneni banengqiqo ecacileyo ukuba ichazwe ngokuzolileyo.

Yintoni i-ASR (UkuNcitshiswa koMphezulu wokuhlaselwa) kwaye yiyiphi ingxaki eyisombululayo?

UkuNcitshiswa koMphezulu wokuhlaselwa, okanye ukunciphisa indawo yokuhlaselwaI-ASR yindlela ebandakanya ukunciphisa onke amanqaku apho umhlaseli angangena, ahambe, okanye enze ikhowudi ngaphakathi kwendawo. Kwimeko ethile ye-Microsoft, i-ASR iphunyezwa ngemigaqo elawula ukuziphatha komngcipheko ophezulu wokuziphatha: ukuphunyezwa kweskripthi, i-Ofisi macros, iinkqubo eziqaliswe kwii-USB drives, ukusetyenziswa kakubi kwe-WMI, njl.

Ngokwezinto eziphathekayo, i Microsoft Defender ASR imithetho yesiphelo Le yimigaqo-nkqubo ethi: “Izinto ezithile eziqhelekileyo ze isoftwe Abayi kuvunyelwa, nangona izicelo ezisemthethweni ngamanye amaxesha ziyazenza nazo. Ngokomzekelo, iLizwi iboot PowerShell, leyo a elishicilelwe ikhutshelwe kwi Internet indulula inkqubo ephunyeziweyo okanye enye inkqubo izama ukufaka ikhowudi kwenye.

Ingcinga esisiseko kukunciphisa inani leendlela ezinokuthi zithathwe uhlaselo ukuthomalalisa inkqubo. Iindlela ezimbalwa ezikhoyo, indawo engaphantsi komhlabaOku kuhambelana ngokugqibeleleyo nomzekelo weZero Trust: sicinga ukuba ngexesha elithile kuya kubakho ukuphulwa, ngoko sinciphisa "i-radius blast" yesiganeko kangangoko kunokwenzeka.

Kubalulekile ukuhlukanisa apha phakathi kweengcamango ezimbini ezihlala zixutywa: kwelinye icala, i ukunciphisa indawo yokuhlaselwa njengeqhinga eliqhelekileyo (ukususa iinkonzo ezingeyomfuneko, ukuvala amazibuko, ukususa isoftware engafunekiyo, ukunciphisa iimvume, njl.njl.), kwaye kwelinye icala, Microsoft Defender ASR Ruleseziyinxalenye ecacileyo kakhulu yeso sicwangciso, sigxile kwisiphelo kunye nokuziphatha kwesoftware.

Umphezulu wohlaselo: ngokomzimba, idijithali kunye nabantu

Xa sithetha ngomphezulu wohlaselo lombutho, sibhekisa kuwo onke amanqaku apho umhlaseli angabandakanyeka khonaIzixhobo, izicelo, iinkonzo ze-intanethi, ii-akhawunti zabasebenzisi, ii-API, uthungelwano lwangaphakathi, amafu angaphandle, njl. Impazamo yomntu nayo iyavela.

Kwicandelo ledijithali sifumana iiwebhusayithi, iiseva, yolwaziisiphelo, iinkonzo zelifu, kunye nezicelo zeshishiniYonke inkonzo engakhange iqwalaselwe kakuhle, yonke izibuko evulekileyo ngokungeyomfuneko, yonke inkqubo yesoftware engapakishwanga inokuba yindawo yokungena kwi-exploit. Yiyo loo nto iinkampani ezininzi zixhomekeke kwi-EASM (Ulawulo loHlaselo lwaNgaphandle) ezenza ngokuzenzekelayo ukufunyanwa kwe-asethi eveziweyo kunye nokuba sesichengeni.

Kumphezulu womzimba, oku kulandelayo kuyangena iiseva ezikwindawo, iindawo zokusebenza, izixhobo zenethiwekhi, kunye neetheminaliApha, umngcipheko uyancitshiswa ngolawulo lokufikelela ngokwasemzimbeni, iikhamera, amakhadi, izitshixo, iiracks ezivaliweyo, kunye hardware Iqinisiwe. Ukuba nabani na unokufikelela kwiziko ledatha nge-USB drive, akukhathaliseki nokuba ulunge kangakanani na umgaqo-nkqubo wakho wokhuseleko.

Umlenze wesithathu ngumphezulu onxulumene ne ubunjineli bezentlalo kunye nemeko yomntuPhishing emails, pretexting call, ukunkcenkceshela websites umngxuma, okanye iimpazamo zabasebenzi ezilula ezikhokelela ukukhuphela umxholo olunya. Yiyo loo nto ukunciphisa indawo yokuhlaselwa kubandakanya uqeqesho kunye nokwazisa, hayi itekhnoloji kuphela.

I-ASR njengentsika yokhuseleko lothintelo kunye neZero Trust

Kwimodeli yeZero Trust sicinga ukuba uthungelwano sele luchaphazelekile okanye luya kubaKwaye into esijolise kuyo kukuthintela umhlaseli ekunyukeni lula okanye ekufumaneni amalungelo. Imithetho ye-ASR ingena ngokugqibeleleyo apha kuba ibeka izithintelo ngokuchasene nezona zihlaselo zixhatshaziweyo, ngakumbi kwisiphelo.

Imithetho ye-ASR isebenzisa umgaqo we Ilungelo eliphantsi elisetyenzisiweyo ekuziphatheniAkukhona nje malunga neemvume zeakhawunti enazo, kodwa zeziphi iintshukumo ezinokwenziwa sisicelo esithile. Umzekelo, iOfisi isenako ukuhlela amaxwebhu ngaphandle kokukhutshwa, kodwa ayisakwazi ukuqalisa iinkqubo zangasemva okanye yenze izinto eziphunyezwayo kwidiski ngokukhululekileyo.

Olu hlobo lolawulo lokuziphatha lunamandla ngakumbi ngokuchasene izoyikiso ze-polymorphic kunye nokuhlaselwa okungenafayileNangona i-malware isoloko itshintsha isiginitsha okanye i-hash, ininzi isafuna ukwenza izinto ezifanayo: ukuqhuba izikripthi, ukufaka ikhowudi kwiinkqubo, ukukhohlisa i-LSASS, ukuxhatshazwa kwe-WMI, ukubhala abaqhubi abasengozini, njl.

Ngapha koko, imithetho inokuphunyezwa ngeendlela ezahlukeneyo: ukuvala, uphicotho, okanye isilumkisoOku kuvumela ukwamkelwa ngezigaba, kuqalwa ngokujonga impembelelo yayo (imowudi yophicotho), emva koko ukwazisa umsebenzisi (isilumkiso), kwaye ekugqibeleni kuthintelwe ngokungenalusini xa ukukhutshelwa kulungisiwe.

Izinto ezifunekayo kunye neenkqubo zokusebenza ezihambelanayo

Ukufumana uninzi lwemithetho ye-ASR kwiMicrosoft Defender, kubalulekile ukuba nesiseko esiluqilima. Ngokwenza, kufuneka I-Microsoft Defender Antivirus kufuneka ibe yi-antivirus yakho yokuqala.esebenzayo, hayi i-passive, indlela, kunye nokhuseleko lwexesha lokwenyani oluvuliweyo.

Imithetho emininzi, ngakumbi eyona iphambili, ifuna ukuba nayo Ukhuseleko olunikezelwa ngamafu Iyasebenza kwaye iqhagamsheleka ngeenkonzo zelifu likaMicrosoft. Oku kungundoqo kwiifitsha ezixhomekeke kudumo, ukuxhaphaka, okanye i-heuristics kwilifu, ezifana "nokuphunyezwa okungafikeleliyo ukuxhaphaka, ubudala, okanye imigaqo yoluhlu oluthembekileyo" umthetho okanye "ukhuseleko oluphezulu lweransomware".

Nangona imithetho ye-ASR ayifuni ngokungqongqo ilayisenisi Microsoft 365 E5, kunjalo Ukuba ne-E5 okanye iilayisensi ezilinganayo kucetyiswa kakhulu. Ukuba ufuna ukuba nolawulo oluphezulu, ukubeka iliso, uhlalutyo, ukunika ingxelo, kunye nesakhono sokuhamba komsebenzi ezidityaniswe kwi-Microsoft Defender ye-Endpoint kunye ne-Microsoft Defender XDR portal.

Ukuba usebenza ngeelayisensi ezifana neWindows Professional okanye iMicrosoft 365 E3 ngaphandle kwezo mpawu ziphambili, usengasebenzisa i-ASR, kodwa kuya kufuneka uthembele ngakumbi kwi. Umbukeli wesiganeko, iilog zeMicrosoft Antivirus, kunye nezisombululo zobunini ukubeka iliso kunye nokunika ingxelo (ukuhanjiswa kwesiganeko, i-SIEM, njl.). Kuzo zonke iimeko, kubalulekile ukuphonononga uluhlu lwe iinkqubo zokusebenza inkxasokuba imithetho eyahlukeneyo ineemfuno ezisezantsi ze Windows 10/11 kunye neenguqulelo zeseva.

Iindlela zemithetho ye-ASR kunye novavanyo lwangaphambili

Umgaqo ngamnye we-ASR unokumiselwa kwiindawo ezine: ayiqwalaselwanga/ivaliwe, ibhlokhi, uphicotho, okanye isilumkisoEzi ndawo zikwamelwe ngeekhowudi zamanani (0, 1, 2 kunye no-6 ngokulandelelana) ezisetyenziswa kwi-GPO, MDM, Intune kunye ne-PowerShell.

Indlela Vimba Yenza umthetho usebenze kwaye uyeke ngokuthe ngqo ukuziphatha okukrokrisayo. Imowudi Uphicotho Ibhala imisitho ebinokuthi ivalwe, kodwa ivumela isenzo siqhubeke, ikuvumela ukuba uvavanye impembelelo kwizicelo zeshishini ngaphambi kokuqinisa ukhuseleko.

Indlela Isilumkiso (Lumkisa) luhlobo lomhlaba ophakathi: umthetho uziphatha njengomthetho othintelayo, kodwa umsebenzisi ubona ibhokisi yencoko yababini ebonisa ukuba umxholo uvaliwe kwaye unikwe ukhetho ukuvula okwethutyana iiyure ezingama-24Emva kwelo xesha, ipateni efanayo iya kuvalwa kwakhona ngaphandle kokuba umsebenzisi uyayivumela kwakhona.

Imo yesilumkiso ixhaswa kuphela ukusuka Windows 10 inguqulelo 1809 (RS5) nasemva kokoKwiinguqulelo zangaphambili, ukuba uthe waqwalasela umthetho kwimowudi yesilumkiso, uya kuziphatha njengomgaqo webhloko. Ukongeza, eminye imigaqo ethile ayixhasi imo yesilumkiso xa iqwalaselwe nge-Intune (nangona isenziwa ngePolisi yeQela).

Ngaphambi kokufikelela kwindawo yokutshixa, kucetyiswa ngamandla ukuba usebenzise imowudi yophicotho kwaye uthembele kwi Ulawulo loMkhuseli weMicrosoftApha ungabona impembelelo elindelekileyo yomgaqo ngamnye (ipesenti yezixhobo ezichaphazelekayo, impembelelo enokubakho kubasebenzisi, njl.). Ngokusekelwe kwidatha yophicotho-zincwadi, unokugqiba ukuba yeyiphi imigaqo oza kuyenza isebenze kwimodi yokubhloka, ngawaphi amaqela okulinga, kwaye yeyiphi into engabandakanyiyo oyifunayo.

Imithetho ye-ASR ngohlobo: imithetho yokukhusela esemgangathweni kunye neminye imithetho

UMicrosoft uhlela imithetho ye-ASR ibe ngamaqela amabini: kwelinye icala, i imithetho yokhuseleko esemgangathweniEzi zezona zisoloko zicetyiswa ukuba zisebenze ngenxa yokuba zinempembelelo encinci ekusebenziseni, kwaye kwelinye icala, yonke imithetho edla ngokufuna isigaba sokuvavanya ngononophelo.

Phakathi kwemithetho esemgangathweni yokhuseleko, oku kulandelayo kuyabonakala, umzekelo: "Kuthintele ukusetyenziswa kakubi kwabalawuli abasayiniweyo abaxhatshaziweyo", "Vimba ukubiwa kweziqinisekiso kwi-subsystem yolawulo lokhuseleko lwasekhaya (lsass.exe)" o "Vimba ukuzingisa ngobhaliso lomnyhadala weWMI"Ezi zikhomba ngokuthe ngqo kwiindlela eziqhelekileyo zokunyuka kwamalungelo, ukuphepha ukukhusela, kunye nokuzingisa.

Imithetho eseleyo, ngelixa inamandla kakhulu, inokungqubana nezicelo zeshishini ezisebenzisa kakhulu izikripthi, iimacros, iinkqubo zabantwana, okanye izixhobo zolawulo ezikude. Oku kuquka zonke ezo zichaphazelayo I-Ofisi, i-Adobe Reader, i-PSExec, i-WMI ekude, izikripthi ezifihliweyo, ukuphunyezwa kwe-USB, i-WebShells, Njl

Kumgaqo ngamnye, amaxwebhu eMicrosoft a Igama le-Intune, igama elinokwenzeka kuMphathi woLungiselelo, i-GUID ekhethekileyo, abaxhomekeke (AMSI, uKhuseleko lwamafu, i-RPC…) kunye neentlobo zeziganeko ezenziwe kukhangelo oluphambili (umzekelo, AsrObfuscatedScriptBlocked, AsrOfficeChildProcessAuditednjl.). Ezi GUID zezo kuya kufuneka uzisebenzise kwi-GPO, MDM, kunye ne-PowerShell ukwenza, ukukhubaza, okanye ukutshintsha indlela.

Inkcazo eneenkcukacha yemithetho ephambili ye-ASR

Imigaqo ye-ASR ibandakanya uluhlu olubanzi kakhulu lwe uhlaselo lwezixhoboApha ngezantsi kukho isishwankathelo sezona zifanelekileyo kwaye yintoni kanye kanye ibhloko nganye nganye, ngokusekelwe kwiimbekiselo ezisemthethweni kunye namava asebenzayo.

Thintela ukuxhatshazwa kwabaqhubi abasayiniweyo abaxhatshaziweyo

Lo mgaqo uthintela isicelo esinamalungelo awoneleyo ukusuka bhala abaqhubi abasayiniweyo kodwa abasesichengeni kwidiski ukuba abahlaseli banokuthi emva koko balayishe ukufikelela kwi-kernel kwaye bakhubaze okanye badlule izisombululo zokhuseleko. Ayikuthinteli ukulayishwa kwabaqhubi abasesichengeni ababesele bekhona, kodwa iyayinqumla enye yeendlela eziqhelekileyo zokubazisa.

Ichongwa yi-GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 kwaye ivelisa iziganeko zodidi AsrVulnerableSignedDriverAudited y AsrVulnerableSignedDriverBlocked kukhangelo oluphambili lweMicrosoft Defender.

Thintela i-Adobe Reader ekwenzeni iinkqubo zomntwana

Injongo yalo mgaqo kukuthintela I-Adobe Reader isebenza njenge-springboard ukukhuphela kunye nokuqalisa imithwalo ehlawulwayo. Ithintela ukudalwa kweenkqubo zesibini ukusuka kwi-Reader, ukukhusela ngokuchasene nokuxhaphaza kwe-PDF kunye nobuchule bobunjineli bezentlalo ezixhomekeke kulo mkhangeli.

I-GUID yakho 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2ckwaye inokuvelisa iziganeko AsrAdobeReaderChildProcessAudited y AsrAdobeReaderChildProcessBlockedKuxhomekeke ekubeni iMicrosoft Defender Antivirus isebenza.

Thintela zonke izicelo zeOfisi ekwenzeni iinkqubo zomntwana

Lo mgaqo uthintela i-Word, Excel, PowerPoint, OneNote, kunye noFikelelo velisa iinkqubo zesibiniYindlela ethe ngqo yokuyeka uhlaselo oluninzi olusekwe kwi-macro oluqaliswe nguPowerShell. CMD okanye ezinye izixhobo zenkqubo ukwenza ikhowudi engalunganga.

I-GUID enxulumeneyo yi d4f940ab-401b-4efc-aadc-ad5f3c50688aKwiimeko zehlabathi lokwenyani, ezinye izicelo zeshishini ezisemthethweni zikwasebenzisa le pateni (umzekelo, ukuvula isikhawulezisi somyalelo okanye ufake utshintsho kwiRejistri), ngoko ke kubalulekile ukuyivavanya kuqala kwimo yophicotho.

Vala ubusela benkcazi ye-LSASS

Lo mgaqo ukhusela inkqubo sass.exe ngokuchasene nokufikelela okungagunyaziswanga ukusuka kwezinye iinkqubo, ukunciphisa indawo yokuhlaselwa kwezixhobo ezifana neMimikatz, ezama ukukhupha i-hashes, amagama ayimfihlo ayimfihlo, okanye amatikiti eKerberos.

Wabelana ngefilosofi kunye Microsoft Defender Credential GuardUkuba sele uneCredential Guard enikwe amandla, umthetho wongeza kancinci, kodwa uluncedo kakhulu kwiindawo apho ungeke ukwazi ukuwenza ngenxa yokungahambelani abaqhubi okanye isoftware yomntu wesithathu. I-GUID yakho 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2.

Vimba umxholo ophunyeziweyo osuka kubathengi be-imeyile kunye ne-webmail

Apha sifaka umgaqo kakhulu ngokuhambelana nokuhlaselwa kwe-phishing. Into eyenzayo kukuthintela... eziphunyeziweyo, izikripti, kunye neefayile ezicinezelweyo ezikhutshelweyo okanye ezincanyathiselwe kwi-imeyile kunye nabaxhasi bewebhu baleka ngqo. Isebenza ikakhulu kwi-Outlook, i-Outlook.com, kunye nababoneleli be-webmail abaziwayo, kwaye iluncedo ngakumbi ngokudityaniswa nolunye ukhuseleko lwe-imeyile kunye useto lwebrawuza ekhuselekileyo.

I-GUID yakho be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 kwaye ivelisa iziganeko ezifana AsrExecutableEmailContentAudited y AsrExecutableEmailContentBlockedIluncedo ngakumbi ngokudibanisa nolunye ukhuseleko lwe-imeyile.

Thintela izinto eziphunyeziweyo ekusebenzeni ukuba azihlangabezani nokuxhaphaka, ubudala, okanye iinqobo zoluhlu lwentembeko.

Lo mgaqo uvala ukuphunyezwa kokubini (.exe, .dll, .scr, njl.) azixhaphakanga ngokwaneleyo, zindala ngokwaneleyo, okanye azithembekanga Ngokutsho kwedatha yelifu likaMicrosoft, inamandla kakhulu ngokuchasene ne-malware entsha, kodwa inokuba sesichengeni kwiindawo ezinobuninzi besoftware yangaphakathi okanye engaqhelekanga.

I-GUID i 01443614-cd74-433a-b99e-2ecdc07bfc25 Kwaye kuxhomekeke ngokucacileyo kuKhuseleko lwamafu. Kwakhona, yimeko ecacileyo yomgaqo ukuba kungcono ukuqala kwimowudi yophicotho kwaye ngokuthe ngcembe uphumeze ukuthintela.

Vala ukuphunyezwa kwemibhalo enokuba yi-obfusified

Ikhowudi ye-Obfuscated ixhaphakile kubo bobabini abahlaseli kwaye, ngamanye amaxesha, abaphuhlisi abasemthethweni. Lo mgaqo uhlalutya iimpawu ezikrokrelekayo kwi-Obfuscated PowerShell, VBScript, JavaScript, okanye i-macro scripts kwaye ivalela abo banethuba eliphezulu lokuba nolunya.

I-GUID yakho 5beb7efe-fd9a-4556-801d-275e5ffc04cc Isebenzisa i-AMSI (i-Antimalware Scan Interface) kunye nokukhusela ilifu ukwenza isigqibo sayo. Lo ngomnye weyona mithetho isebenzayo ngokuchasene nemikhankaso yeskripthi yanamhlanje.

Thintela iJavaScript okanye iVBScript ekubeni ikhuphele izinto eziphunyeziweyo

Lo mgaqo ugxininisa kwipatheni yomkhupheli eqhelekileyo: a Isikripthi esikwi-JS okanye i-VBS sikhuphela ifayile yokubini kwi-intanethi kwaye siyenze.Yintoni eyenziwa yi-ASR apha kukuthintela elo nyathelo lichanekileyo lokuphehlelela okukhutshelweyo okuphunyeziweyo.

I-GUID yakho d3e037e1-3eb8-44c8-a917-57927947596dIkwaxhomekeke kwi-AMSI kwaye ibaluleke kakhulu kwiimeko apho itekhnoloji endala okanye izikripthi zisasetyenziswa kwisikhangeli okanye kwidesktop.

Thintela usetyenziso lweOfisi ekwenzeni umxholo ophunyezwayo

Obunye ubuchule obuqhelekileyo kukusebenzisa iOfisi uku bhala izinto ezinobungozi kwidiski eziqhubekayo emva kokuqalisa kwakhona (umzekelo, ukuphunyezwa okuzingileyo okanye iDLL). Lo mgaqo uthintela i-Ofisi ekugcineni okanye ekufikeleleni olo hlobo lwesiqulatho esiphunyezwayo ukusisungula.

I-GUID i 3b576869-a4ec-4529-8536-b80a7769e899 Ixhomekeke kwiMicrosoft Defender Antivirus kunye neRPC. Isebenza kakhulu ekwaphuleni imixokelelwane yosulelo olusekwe kwi-macro ekhuphela ukulayisha okuzingisileyo.

Thintela izicelo zeOfisi ekufakeni ikhowudi kwezinye iinkqubo

Oku kuthintela iOfisi ekusebenziseni ubuchule be Isitofu senkquboOku kubandakanya ukufaka ikhowudi kwezinye iinkqubo ukufihla isenzo esingalunganga. UMicrosoft akazi ngalo naluphi na uhlobo lweshishini olusetyenziswayo kule pateni, ngoko ngumgaqo okhuselekileyo ofanelekileyo wokuvumela kwiindawo ezininzi.

I-GUID yakho 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84Nangona kunjalo, izicelo ezithile eziphikisana nalo mgaqo zibhaliwe, ngoko ke ukuba ingxolo ibonakala kwindawo engqongileyo, kuyacetyiswa ukuba ukhangele ukuhambelana.

Thintela izicelo zonxibelelwano zeOfisi ekudaleni iinkqubo zabantwana

Ijolise ikakhulu kwi-Outlook kunye nezinye iimveliso zonxibelelwano ze-Ofisi, lo mgaqo uthintela ukwenza iinkqubo yesibini kumxhasi we-imeyileukunciphisa uhlaselo olusebenzisa ubuthathaka kwimithetho ye-Outlook, iifom, okanye ii-imeyile ezinobungozi ukwenza ikhowudi.

I-GUID yakho 26190899-1602-49e8-8b27-eb1d0a1ce869 kwaye inceda ukuvala i-vector enomtsalane kakhulu kumaphulo ekujoliswe kuwo.

Vimba ukuzingisa ngokusebenzisa imirhumo isiganeko WMI

Uninzi lwezoyikiso "ezingenafayile" zithembele WMI ukufikelela ukuzingisa ngaphandle kokushiya umkhondo ocacileyo kwidiski. Lo mgaqo uvala ukuyilwa kwesiganeko esiyingozi se-WMI sobhaliso olunokuthi luqalise kwakhona ikhowudi nanini na imeko ifunyenwe.

I-GUID yakho e6db77e5-3df2-4cf1-b95a-636979351e5b kwaye ayikuvumeli ukukhutshelwa ngaphandle kweefayile okanye iifolda, ngokuchanekileyo ukuthintela ukusetyenziswa kakubi.

Iinkqubo zokuvala ezenziwe kwi-PSExec kunye nemiyalelo ye-WMI

I-PsExec kunye ne-WMI zizixhobo ezisemthethweni zolawulo ezikude, kodwa zikwasetyenziswa rhoqo ukunyakaza kwecala kunye nokusasazwa kwe-malwareLo mgaqo uthintela iinkqubo ezisuka kwi imiyalelo I-PSExec okanye i-WMI iyabulawa, inciphisa loo vector.

I-GUID i d1e49aac-8f56-4280-b9ba-993a6d77406cNgomnye wale mithetho apho ulungelelwaniso nabalawuli kunye namaqela okusebenza ngundoqo ukuphepha ukuphazamisa iinkqubo ezisemthethweni zolawulo olukude.

Vimba imowudi ekhuselekileyo iqale ngokutsha ngemiyalelo

En Indlela ekhuselekileyoIzisombululo ezininzi zokhuseleko zikhubazekile okanye zilinganiselwe kakhulu. Ezinye ransomware kakubi imiyalelo ezifana bcdedit okanye i-bootcfg ukuqala kwakhona kwimo ekhuselekileyo kunye nokufihla ngaphandle kokuchasana okukhulu. Lo mgaqo ususa oko kunokwenzeka, ukuvumela ukufikelela okuqhubekayo kwimodi ekhuselekileyo kuphela ngokusingqongileyo kokubuyisela ngesandla.

I-GUID yakho 33ddedf1-c6e0-47cb-833e-de6133960387 kwaye ivelisa iziganeko ezifana AsrSafeModeRebootBlocked o AsrSafeModeRebootWarnBypassed.

Vimba iinkqubo ezingasayinwanga okanye ezingathenjwanga kwi-USB

Apha, indlela yokungena yakudala ilawulwa: i USB drives kunye namakhadi SDNgalo mgaqo, izinto ezingasayinwanga okanye ezingathembekanga eziqhutywa kula majelo eendaba zivaliwe. Oku kusebenza kumabini afana ne.exe, .dll, .scr, njl.

I-GUID i b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 kwaye iluncedo ngakumbi kwiindawo apho kukho umngcipheko wosetyenziso olungalawulwayo lwe-USB.

Vimba ukusetyenziswa kwezixhobo zenkqubo ezikhutshelweyo okanye ezonakeleyo

Uhlaselo oluninzi luzama ukukopa okanye ukuxelisa Izixhobo zenkqubo yeWindows (ezifana ne-cmd.exe, powershell.exe, regsvr32.exe, njl.njl.) ukwenza masquerade njengeenkqubo ezisemthethweni. Lo mgaqo uthintela ukuphunyezwa kwezinto eziphunyeziweyo ezichongwe njengeekopi okanye abakhohlisi bezi zixhobo.

I-GUID yakho c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb kwaye ivelisa iziganeko ezifana AsrAbusedSystemToolBlockedIngumphelelisi olungileyo kwezinye iindlela zolawulo lwesicelo.

Vala ukuyilwa kweWebShell kwiiseva

IiWebShell zizikripthi ezenzelwe ngokukodwa ukunika umhlaseli ulawulo olukude phezu komncedisiukuyivumela ukuba yenze imiyalelo, ilayishe iifayile, ikhuphe idatha, njl. njl

I-GUID i a8f5898e-1dc8-49a9-9878-85004b8a61e6 kwaye yenzelwe ukuba lukhuni ngokukodwa abancedisi abavezwayo.

Block Win32 API iminxeba ukusuka Office macros

Mhlawumbi omnye weyona mithetho isebenzayo ngokuchaseneyo i-malware enkuluIvimba ikhowudi ye-Ofisi ye-VBA ekungeniseni nasekubizeni ii-Win32 APIs, eziqhele ukusetyenziswa ukulayisha i-shellcode kwimemori, ukwenza iinkqubo, ukufikelela kwimemori, njl.

I-GUID yakho 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b kwaye ixhomekeke kwi-AMSI. Ngokwesiqhelo, ifaka kwi-bud iitemplate ezininzi ze-malware kwi-Word kunye ne-Excel ezixhomekeke kwezi fowuni ukwenza ikhowudi engafanelekanga.

Ukusetyenziswa kokhuseleko oluphambili lwe-ransomware

Lo mgaqo wongeza umaleko owongezelelweyo wokukhusela ngokusekelwe umthengi kunye nelifu heuristics ukubona ukuziphatha okuhambelana ne-ransomware. Ithatha ingqalelo kwizinto ezifana nodumo, utyikityo lwedijithali, okanye ukuxhaphaka ukugqiba ukuba ifayile inokuba yi-ransomware kunenkqubo esemthethweni.

I-GUID yakho c1db55ab-c21a-4637-bb3f-a12568109d35Kwaye nangona izama ukunciphisa ii-positives ezingeyonyani, ithanda ukwenza impazamo kwicala lokulumkisa ukuze ungaphoswa yi-cipher yokwenyani.

Iindlela zokucwangcisa: Intune, MDM, uMphathi woLungiso, iGPO, kunye nePowerShell

Imithetho yokunciphisa umphezulu wohlaselo inokumiselwa ngeendlela ezininzi ngokuxhomekeke kwindlela oyilawula ngayo inqwelo yesixhobo sakho. Isindululo sikaMicrosoft jikelele kukusebenzisa amaqonga olawulo lwenqanaba loshishino (Intune okanye uMphathi woLungiselelo), kuba imigaqo-nkqubo yabo ithatha indawo yokuqala kwi-GPO okanye kuqwalaselo lwePowerShell yasekhaya xa inkqubo iqala.

Con Intetho yeMicrosoft Uneendlela ezintathu: i-ASR-specific endpoint policy yokhuseleko, iiprofayili zokucwangciswa kwesixhobo (i-Endpoint Protection), kunye neeprofayili eziqhelekileyo usebenzisa i-OMA-URI ukuchaza imithetho nge-GUID kunye nelizwe. Kuzo zonke iimeko, unokongeza ukukhutshwa kwefayile kunye nefolda ngokuthe ngqo okanye uzingenise kwifayile ye-CSV.

Kwiindawo ezingqongileyo iiMDMs eziqhelekileyo I-CSP isetyenziswa ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules Ukuchaza uluhlu lwee GUIDs ezinemigangatho, ezahlulwe ngeebar ezithe nkqo. Umzekelo, unokudibanisa imithetho emininzi ngokunikezela u-0, 1, 2, okanye 6 ngokuxhomekeke ekubeni ufuna ukucisha, ukubhloka, ukuphicothwa, okanye ukulumkisa. Okushiyiweyo kulawulwa nge-CSP. ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions.

Con Microsoft Configuration Manager Unokwenza imigaqo-nkqubo ye Windows Defender I-Exploit Guard igxile "kukunciphisa umphezulu wokuhlaselwa", khetha ukuba yeyiphi imigaqo ofuna ukuyivimba okanye ukuyiphicotha kwaye uyibeke kwingqokelela ethile yezixhobo.

La Umgaqo-nkqubo weqela Ikuvumela ukuba uqwalasele i-ASR ngokusebenzisa iitemplates zolawulo ngokuzulazula kwi-Microsoft Defender Antivirus kunye ne "Attack Surface Reduction" nodes. Apho, wenza ukuba "Qwalasela imithetho yohlaselo lomhlaba" kwaye ungenise ii-GUID kunye nobume bazo obuhambelanayo. I-GPO eyongezelelweyo ikuvumela ukuba uchaze ukukhutshwa kwefayile kunye nendlela.

Ekugqibeleni, PowerShell Yeyona ndlela ithe ngqo kwaye iluncedo yovavanyo olunye-off okanye izikripthi ezizenzekelayo. Cmdlets like Set-MpPreference y Add-MpPreference Bakuvumela ukuba wenze, uphicothe, ulumkise, okanye ukhubaze imithetho yomntu ngamnye, kunye nokulawula uluhlu lokukhutshelwa ngaphandle -AttackSurfaceReductionOnlyExclusionsNangona kunjalo, ukuba kukho i-GPO okanye i-Intune ebandakanyekayo, iisetingi zabo zithatha indawo yokuqala.

Okungabandakanywanga, ukungquzulana komgaqo-nkqubo, kunye nezaziso

Phantse yonke imithetho ye-ASR ivumela ngaphandle kweefayile kunye neefolda Oku kuthintela ukuthintelwa kwezicelo ezisemthethweni ezithi, ngoyilo, zibonise ukuziphatha okufana ne-malware. Sisixhobo esinamandla, kodwa kufuneka sisetyenziswe ngokuchanekileyo ngotyando: ukukhutshwa okubanzi kakhulu kunokushiya ubuthathaka obukhulu.

Xa imigaqo-nkqubo ephikisanayo isetyenziswa kwi-MDM kunye ne-Intune, uqwalaselo lwe Umyalelo weqela ubaluleke kakhulu Ukuba ikhona. Ngaphezu koko, imithetho ye-ASR ixhasa ukuziphatha kokudibanisa umgaqo-nkqubo: i-superset yakhiwe kunye noqwalaselo olungangqubaniyo, kunye namangeno aphikisanayo ashiywe kweso sixhobo.

Ngalo lonke ixesha umgaqo uqaliswa kwimodi yebhloko, umsebenzisi ubona a isaziso senkqubo echaza ukuba umsebenzi uvaliwe ngenxa yezizathu zokhuseleko. Ezi zaziso zinokwenziwa ngokwezifiso kunye neenkcukacha zenkampani kunye neenkcukacha zoqhagamshelwano. Kweminye imithetho kunye nemigangatho, izilumkiso zeEDR kunye nezaziso zangaphakathi nazo zenziwe kwaye ziyabonakala kwi-Microsoft Defender portal.

Ayiyiyo yonke imithetho ehloniphayo Microsoft Defender antivirus okungabandakanywayo Kananjalo abaqwalaseli izikhombisi ze-compromise (IOCs) ezilungiselelwe kwi-Defender ye-Endpoint. Umzekelo, umgaqo we-LSASS wokuthintela ubusela okanye umgaqo wokuvalela ikhowudi ye-Ofisi ayithatheli ngqalelo ii-IOC ezithile, ngokuchanekileyo ukugcina ukomelela kwazo.

Ukujongwa koMnyhadala we-ASR: I-Portal, uPhando oluPhezulu, kunye noMboni weMnyhadala

Ukubeka iliso ngundoqo ekuqinisekiseni ukuba i-ASR ayisiyobhokisi emnyama. I-Defender ye-Endpoint ibonelela iingxelo ezineenkcukacha zeziganeko kunye nezithintelo enxulumene nemithetho ye-ASR, ekunokuboniswana kuyo zombini kwi-Microsoft Defender XDR portal nangophendlo oluphambili.

Ukukhangela okuphezulu kukuvumela ukuba uqalise Imibuzo malunga netafile DeviceEventsukuhluza ngeentlobo zentshukumo eziqala ngo "Asr". Umzekelo, umbuzo osisiseko DeviceEvents | where ActionType startswith 'Asr' Ikubonisa iziganeko ezinxulumene ne-ASR ezidityaniswe ngokwenkqubo nangeyure, njengoko iqhelekile kumzekelo omnye ngeyure ukunciphisa umthamo.

Kwiindawo ngaphandle kwe-E5 okanye ngaphandle kokufikelela kwezi zakhono, kusoloko kukho ukhetho lokuphonononga Iilogi zeWindows kwiSijongi seMsithoI-Microsoft ibonelela ngezimvo zesiko (ezifana nefayile ye-cfa-events.xml) ehluza iziganeko ezifanelekileyo, kunye nezinto zokufanisa ezifana ne-5007 (utshintsho lwenkqubo), 1121 (umgaqo okwimo yokuthintela) kunye ne-1122 (umthetho kwimowudi yophicotho).

Ukusasazwa okuxutyiweyo, kuqhelekile ukuhambisa ezi ziganeko ku I-SIEM okanye iqonga lokungena eliphakathi, zidibanise nezinye izikhombisi kwaye ziqalise izilumkiso zesiko xa imithetho ethile iqala ukuvelisa iziganeko ezininzi kakhulu kwicandelo elithile lenethiwekhi.

Ukunciphisa indawo yokuhlaselwa ngaphaya kwe-ASR: izicwangciso, iteknoloji kunye nemingeni

Nangona imithetho ye-ASR iyinxalenye ebaluleke kakhulu, ukunciphisa indawo yokuhlaselwa njengeqhinga lehlabathi liphela ngaphaya kokuphela. Ibandakanya mephu zonke ii-asethi kunye neendawo zokungenaUkuphelisa iinkonzo ezingadingekile, iinethiwekhi zecandelo, sebenzisa ulawulo olungqongqo lokufikelela, ukuqina kweenkqubo, ukugcina ukucwangciswa okukhuselekileyo, nokukhusela ifu kunye ne-APIs.

Imibutho idla ngokuqala ngoluhlu olupheleleyo lwe izixhobo, isoftwe, ii-akhawunti kunye noqhagamshelwanoOkulandelayo, iinkonzo ezingasetyenziswanga kunye nezicelo zichongiwe kwaye zikhutshiwe, izibuko zenethiwekhi zivaliwe, kwaye iimpawu ezingafaki ixabiso zivaliwe. Oku kwenza lula okusingqongileyo kwaye kunciphise inani "leengcango" ezifuna ukubekwa esweni.

Inxalenye ye- ulawulo lofikelelo Kubaluleke kakhulu: ukusetyenziswa komgaqo welona lungelo lincinci, amagama ayimfihlo anamandla, uqinisekiso lwezinto ezininzi, ukurhoxiswa ngokukhawuleza kofikelelo xa umntu etshintsha iindima okanye eshiya umbutho, kunye nokubeka iliso kwiinzame zokungena ezikrokrisayo.

Kwilifu, indawo yokuhlaselwa ikhula ngenkonzo entsha nganye, i-API, okanye ukudibanisa. Ulungelelwaniso kwi ukugcinwaIindima ezibanzi ngokugqithisileyo, iiakhawunti zeenkedama, okanye amaxabiso angakhuselekanga ziingxaki eziqhelekileyo. Apha kulapho uphicotho lolungelelwaniso oluqhelekileyo, uguqulelo oluntsonkothileyo lwedatha xa uphumle kwaye usendleleni, ulwahlulo lothungelwano olubonakalayo, kunye nophononongo lwemvume oluqhubekayo.

Ukuxhasa konke oku, iteknoloji ezifana ukufunyanwa kwe-asethi kunye nezixhobo zokwenza imephu, izikena zobuthathaka, iinkqubo zolawulo lofikelelo, amaqonga olawulo loqwalaselo, kunye nezixhobo zokhuseleko lwenethiwekhi. (i-firewalls, i-IDS/IPS, i-NDR, njl.). Izisombululo ezifana ne-SentinelOne, umzekelo, ukudibanisa ukukhuselwa kokugqibela, uhlalutyo lokuziphatha, kunye nokuphendula okuzenzekelayo ukuze kuncitshiswe ngakumbi indawo yokuhlasela esebenzayo.

Imingeni mininzi: ukuxhomekeka okunzima phakathi kweenkquboUbukho bezicelo zelifa ezingawaxhasiyo amanyathelo ale mihla, isantya esikhawulezayo sotshintsho kubuchwepheshe, unyino lwezixhobo, kunye nongquzulwano olungapheliyo phakathi kokhuseleko kunye nemveliso zonke zinegalelo kulo mngeni. Ukufumana ibhalansi elungileyo kufuna ukuqonda okunzulu kweshishini kunye nokubeka phambili izinto ezibalulekileyo kunye neenkqubo.

Ngokunikwa lo mongo, imithetho ye-ASR iba sesona sixhobo sisebenzayo sokunciphisa ibala lokudlala lomhlaseli ekupheleni. Ukucwangciswa kakuhle (ukuqala ngophicotho-zincwadi), ukulungiswa kakuhle kunye nokukhutshwa okuchanekileyo, kunye nokubekwa esweni ngononophelo, kuthintela impazamo yomsebenzisi, ukuxhaphazwa okukodwa, okanye i-USB drive enobungozi ekunyukeni ngokuzenzekelayo kwisiganeko esibalulekileyo, inceda ukugcina encinci, ukulawula ngakumbi, kwaye, ngaphezu kwayo yonke into, indawo yokuhlasela esebenzayo. kunzima kakhulu ukuxhaphaza.