Ungayithola kanjani i-malware engenafayela: umhlahlandlela ophelele wamasiginali, amasu, nokuvikela

I-landscape esongelayo ithathe izinga elifanele ngohlelo olungayilungele ikhompuyutha lokho uhlala enkumbulweni kuphelaLolu hlobo lokuhlasela, olwaziwa kangcono ngokuthi uhlelo olungayilungele ikhompuyutha olungenafayela, alubhali okusebenzisekayo kudiski futhi luhlukumeza amathuluzi esistimu asemthethweni, okwenza kube nzima kakhulu ukutholwa kusetshenziswa isofthiwe yokuvikela amagciwane esekelwe kusiginesha; ngakho-ke, kubalulekile ukwazi Ungawathola kanjani futhi uwasuse kanjani amafayela asolisayo noma uhlelo olungayilungele ikhompuyutha.

Okubalulekile akukhona nje ukucasuka kwayo, kodwa indlela ethembele ngayo izinqubo zokuthembela (I-PowerShell, i-WMI, i-mshta, i-rundll32, phakathi kwabanye) kanye namasu afana "nokuphila ngaphandle komhlaba" ukuze bazifihle. Ngakho-ke, ukutholwa kuhilela ukubheka ukuziphatha, ukuhlobanisa imicimbi, nokuqapha inkumbulo, hhayi ukusesha amafayela asolisayo isitoreji.

Iyini i-malware engenafayela futhi kungani ibalulekile?

Noma yikuphi ukuhlasela okubhekwa njengokungenafayela kuthathwa njengokuyikho Isebenzisa ikhodi enonya ngaphandle kokushiya ama-artifact aqhubekayo kudiski. (noma ukuwanciphisa kakhulu ngangokunokwenzeka), kuncike kumabhanari asevele akhona ohlelweni. Ivamise ukujova noma yethule umthwalo wayo okhokhelwayo ngqo ku-RAM, isebenzise ngaphakathi kwezinqubo ezijwayelekile zesistimu yokusebenza, yingakho iwukhiye. qapha RAM ngesikhathi sangempela.

Le ndlela ikuvumela ukuthi ugweme izilawuli ezincike kuzo ukuhlolwa kwefayela, kusukela ekugunyazweni okusebenzisekayo nokuhlaziywa kwesithunzi. Nakuba okunye ukuhlaselwa kuphatha ukungabi namafayela angu-100%, kuvame kakhulu ukuthi bahlanganise izigaba ezisekelwe efayilini nezingenafayela ngesikhathi somjikelezo wokungena.

Isici esivamile ukuthi isitha siyasisebenzisa imigqa yomyalo kanye nombhalo wokuhlela isigaba ngasinye. Njengoba lingekho “ifayela elixakile” elisobala, izinjini ezisekelwe kwisiginesha zinesikhathi esinzima sokukhulisa izexwayiso, ikakhulukazi uma umsebenzi ungena ngaphakathi kwemingcele “evamile” yamathuluzi okuphatha.

Kubalulekile ukukhumbula ukuthi, ngokuklama, eziningi zalezi zimila zine ukuphikelela okulinganiselweLapho nje isistimu iqala kabusha, umthwalo ku-RAM uyanyamalala. Kodwa-ke, abahlaseli bavame ukwethula izindlela zokungena kabusha noma zokuphikelela ezincane ukuze ukufinyelela kubuyiselwe ngaphandle kokungenelela.

Kungani kunzima kangaka ukukubona?

Isizathu sokuqala sisobala: Alikho ifayela elingaskenwaUma ikhodi iphila futhi ifela enkumbulweni, izinjini ze-disk-centric zinokuncane ezingakunikeza, ngaphandle uma kunenqubo, inkumbulo, ne-telemetry yenethiwekhi ezihambisana nakho.

Isizathu sesibili ukuhlukunyezwa izinqubo zomdabu nezisayiniwe yohlelo (PowerShell, WMI, mshta, rundll32, VBScript, JScript, batch interpreters, .NET, njll.). Lokhu kuphilisana “nokusemthethweni” kunciphisa umsindo futhi kwenza kube nzima ukuhlukanisa okuhle nokubi ngaphandle kokuhlaziya ukuziphatha noma amathuluzi afana Inqubo Hacker.

Isizathu sesithathu ukuthi amafemu amile Azisebenzi kahle ngemithwalo ekhokhelwayo ehlanganiswa ngesikhathi sokusebenza, efiphaziwe, noma elayishwe kumemori. Eqinisweni, izinhlelo eziningi zokuvikela amagciwane azihloli ngokugcwele ukwenziwa kwenkumbulo yesikhathi sangempela.

Ngaphezu kwalokho, ukukhuphuka kwemikhankaso eqondisiwe (ama-APT) kanye nokusetshenziswa kwamaqhinga athuthukile kukhuphule izinga. Sibonile ukuhlaselwa okusebenza ku-kernel noma ngama-webshellngokulandelela okuncane kocwaningo, okuqhubeka kuphazamisa impendulo uma engekho amarekhodi anele kanye nokulandeleka.

Ukuhlasela okungenafayela kungena futhi kusebenze kanjani

Ukufinyelela kokuqala kuvame ukutholwa kusetshenziswa amasu akudala: Ubugebengu bokweba imininingwane ebucayi ngezixhumanisi noma okunamathiselwe kwi-imeyili, Amadokhumenti ehhovisi anama-macros noma i-DDE, imibhalo PDF nge-JavaScript enonya, ukuxhashazwa kobungozi (okuhlanganisa nezinsiza zokuxhaphaza), noma imininingwane eyebiwe.

Ngemva kokungenela, uchungechunge lokubulala luyaqaliswa olucela amathuluzi afana nala I-PowerShell noma i-WMI ukulanda, ukususa ukubhala, noma ukujova umthwalo okhokhelwayo ngqo kumemori yenqubo. Konke lokhu kuhlelwe nge imiyalo kanye nemibhalo, ngokwazo, engase ibonakale njengemisebenzi yokuphatha evamile.

Emikhankasweni eminingi, umhlaseli ubheka qhubeka isikhathi eside njengoba kudingeka Ukugcina i-backdoor ngaphandle kokubhala okusebenzisekayo okubonakalayo, imisebenzi ehleliwe, okhiye bokubhalisa, noma, ikakhulukazi, okubhaliselwe komcimbi we-WMI kusetshenziselwa ukuvuselela ukwenza kusebenze kusibangeli esithile (isb., ukuqalisa kwesistimu noma ukungena ngemvume komsebenzisi).

Uma okuqondiwe kungavamile ukuqala kabusha—ngokwesibonelo, iseva ebalulekile—ukuba khona kwenkumbulo kungase kube inkinga. kunenzuzo ikakhulukazi ngoba kwandisa ithuba lesitha ngaphandle kwesidingo sokuphikelela okunomsindo.

Amasu, ukuhluka kanye nezimo zangempela

Ifilosofi "abahlala ngaphandle komhlaba"(ukuphila ngaphandle komhlaba)" ifingqa le ndlela: umhlaseli usebenzisa okubili kanye nokusebenza okukhona kakade Windows ukuhambisa, ukuqoqa, nokwenza. Lokhu kunciphisa isidingo "sokushiya" amathuluzi kudiski futhi kunciphisa ukuchayeka kwawo.

Amasu adumile ahlanganisa umjovo ezinqubweni izici ezikhona, ukusetshenziswa kwe-mshta noma i-rundll32 ukulayisha ikhodi, imibhalo ye-VBScript/JScript nokusebenza kwenqwaba, kanye nokuba khona Ama-DLL asolisayoOkuphinde kubonakale imithwalo ekhokhelwayo eshumekwe kumadokhumenti asizakala ngobungozi ukuze bathole ukusetshenziswa ngaphandle kokubhala okusebenzisekayo okuphikelelayo.

Zikhona izindlela ezinjengalezi ifayela le-ransomware, elungiselela ukwenziwa kwayo enkumbulweni futhi ibhale ngemfihlo idatha ngaphambi kokuthi izivikelo ziyithole; okunye okuhlukile kuhlukumeza i Ukubhaliswa kweWindows ukusingatha ukulungiselelwa okubethelwe noma ukulayishwa okukhokhelwayo, ukuqalisa ukusebenza ngokhiye abazisusayo.

Izibonelo eziphawulekayo zibhaliwe: ama-webshell afana Godzilla eyamukela amamojula nge-HTTP futhi iwajove kumemori; i-backdoor SMB/Exploit.DoublePulsarekwazi ukulayisha ikhodi ngokuqondile kunethiwekhi ngokusebenzisa ubungozi be-SMB 1.0; noma imikhankaso ye I-APT29 (The Dukes) njenge-Operation Ghost, enezicabha ezingemuva ezingenafayili njenge-RegDuke ne-POSHSPY.

Ukuphikelela: I-WMI, Ukugawula, kanye Nemisebenzi

Ukuze ugweme ukulahlekelwa ukufinyelela, abahlaseli abaningi bayalungiselela Okubhaliselwe kwe-WMI ukuhlanganisa izihlungi zomcimbi nabathengi (CommandLineEventConsumer) abethula i-PowerShell noma ezinye izenzo lapho umbandela ufinyelelwa (isb., isikhathi sokuphumula sesistimu).

Abanye bakhetha ukusungula imisebenzi ehleliwe ehlukahlukene noma shintsha Isibhalisi ezindaweni zokuqalisa. Nakuba okuhle okungenafayela kugwema ukubhala kudiski, lezi "imvuthu" ezincane zivame ukuvela uma ukuqina noma ukuphinda kufakwe.

Ngokuphambene, lezi zindlela ziyahamba ama-artifact abonakalayo Uma ihlolisiswe kahle: Amakhosombe e-WMI, izincazelo zomsebenzi, okhiye beRegistry abalungisiwe. Ngakho-ke ukubaluleka kokuba nezinqubomgomo zokucwaningwa kwamabhuku neze-telemetry kusukela ekuqaleni.

Kubalulekile ukukhumbula ukuthi i-RAM iguquguquka. Ngakho-ke, ngaphandle kokuphikelela, a ukuqaliswa kabusha kwesistimu Ingakhipha okokufakelwa, kodwa ungazethembi ngokweqile: umhlaseli onokufinyelela angakwazi ukwenza kabusha kusetshenziswa indlela efanayo ngokushesha nje lapho ethola ithuba elilungile.

Ingozi yebhizinisi nokuthi kungani ukuvimba "konke ngesikhathi esisodwa" akuyona impendulo

Ukuvimbela ngobumpumputhe amathuluzi abalulekile njenge I-PowerShell Ingalimaza ukusebenza kwe-IT, futhi noma kunjalo, akwanele: kunezindlela zokweqa inqubomgomo yokusebenzisa, ukulayisha i-PowerShell nge-DLL, ukubuyisela kabusha imibhalo, noma ukupakisha kokunye okwenziwayo ukuze ugweme izilawuli eziyisisekelo.

Okufanayo kuya ku- Amamakhro ehhovisiNakuba kuhle ukuzikhubaza njengenqubomgomo uma ibhizinisi likuvumela, ukutholwa kwazo ngamasiginesha noma i-static heuristics kuyinkimbinkimbi futhi kuvame ukuba nemibono engamanga uma kukhona ikhodi engabonakali noma efiphaziwe.

Ukutholwa ngokuphelele iseva-side noma cloud-sideNgaphandle kokuvimbela ekugcineni, kuholela ekuthembekeni nasekuxhumekeni kokuxhumana; ukukuqukatha ngesikhathi, umenzeli wephoyinti lokugcina kufanele akwazi ukwenza izinqumo zasendaweni ngomongo ogcwele wesistimu.

Ekugcineni, inkinga ingeyokubona kanye nomongo: sidinga ukuqonda ukuthi iyiphi inqubo ebizwa ngokuthi iyiphi, ngaziphi izimpikiswano, yiziphi izihluthulelo noma imisebenzi eyakhayo, ikuphi ukuxhumana okuvuliwe, nokuthi kanjani. uchungechunge lwezenzakalo luyaguquguquka en el tiempo.

Ukuziphendukela kwemvelo kanye nezibalo: ukuthambekela okukhuphukayo

Imikhankaso ye-Fileless ibilokhu ikhula iminyaka. Eminye imibiko yemboni ikhombe ngesikhathi ukwanda ngo-94% ekuhlaselweni okungenafayela kusemester, ukusetshenziswa kwe-PowerShell kuphakama ngokuphindwe kabili esikhathini esingamasonto (kusuka ku-2,5 kuya ku-5,2 ukuhlaselwa ngamaphoyinti angu-1.000), isikhumbuzo esicacile sokuthi lawa maqhinga ayintandokazi yabahlaseli.

Lokhu kunyuka kuchazwa yinhlanganisela ye ukuvuthwa okuhlaselayo, ukwehluleka kokufakwa kwesiginesha, ukuduma kokuhlasela okuqondiwe, kanye nokulula ukuzifihla ngaphakathi kwezinqubo ezithenjwayo ngaphandle kokuphakamisa izinsolo ngokushesha.

Ungayithola kanjani ngempela i-malware engenafayela

Okubalulekile wukusuka ekukhombeni ukuthi “ungubani” (ifayela) uye ekubhekeni “wenzani“(ukuziphatha). Ukuqapha kwendawo yokugcina yesikhathi sangempela—inkumbulo, isihlahla senqubo, umugqa womyalo, Isibhalisi, umsebenzi wenethiwekhi— kuvumela ukuqashelwa kwamaphethini anonya avamile emindenini ehlukahlukene.

Izixazululo zesimanje ze EDR/XDR kanye nezinjini ze IA Izinkomba zokuziphatha zithola ukulandelana okusolisayo okufana nalokhu: Idokhumenti yasehhovisi yethula i-PowerShell efihliwe ngaphandle kokwenziwa kwephrofayela, ukulanda inkumbulo kanye nokujova okulandelayo kwenye inqubo elandelwa ukubethela noma ukuhluzwa.

Ukwengeza, kubalulekile ukunika amandla nokubeka endaweni eyodwa izingodo kusuka ku-PowerShell (i-v5+ ithuthukisa ukulandeleka), vumela i-Sysmon ukuthi inothise imicimbi futhi igade inqolobane ye-WMI ngokubhaliselwe okungavamile, abathengi, nokubophezela.

Ukuhlaziywa kwenethiwekhi kwengeza esinye isendlalelo: ukuhlolwa kwe ukuziphatha kwethrafikhi (C2, amaphethini okuhlunga), ukuvimbela ukuhlaselwa kwenethiwekhi, nokuhlotshaniswa nemicimbi yephoyinti lokugcina. Uma uhlelo olungayilungele ikhompuyutha luthinta i-kernel noma luzulazula kumemori evikelekile, inethiwekhi inganikeza imikhondo umsingathi angayiboni.

Isiqondiso esiwusizo sokuvimbela nokuzingela

Ikhawulela ukusetshenziswa kwe I-PowerShell ne-WMI Lokhu okwabalawuli kanye namacala acacile ebhizinisi, nge-AppLocker/WDAC noma izinqubomgomo zokwenza ezichazwe kahle nezibhalwe ohlwini. Akukhona nje ukwenqabela, kodwa mayelana nokulawula, ukugawula, kanye nokuxwayisa ngokuchezuka.

Khubaza futhi ulawule macros Sebenzisa Inqubomgomo Yeqembu Ehhovisi noma nini lapho kungenzeka, futhi usebenzise Ukubuka Okuvikelwe kanye namasignesha edijithali ezifanekiso. Fundisa abasebenzisi ukuthi babone ama-imeyili obugebengu bokweba imininingwane ebucayi nezixhumanisi ezinonya, njengoba ubunjiniyela bezenhlalo buseyiphoyinti lokungena elikhethwayo.

Faka isicelo iziqeshana Ukuphepha kwesistimu nohlelo lokusebenza, ukubeka phambili izingxenye eziveziwe (iziphequluli, ama-plugin, iHhovisi, .NET, amasevisi e-SMB). Iqapha ubungozi futhi yehlise indawo yokuhlasela (ikhubaza i-SMBv1, isibonelo, uma kungabalulekile).

Thuthukisa i-telemetry: Inika amandla ukugawulwa kwe-PowerShell okuthuthukisiwe, i-Sysmon enomthetho ocushwe kahle, kanye nokuhlolwa kwe- Ukubhalisa kanye nemisebenzi, kanye nemibuzo ye-WMI yezikhathi ezithile (isb., ukuhlola __EventFilter, EventConsumer kanye ne-FilterToConsumerBinding ngokumelene nesisekelo esaziwayo).

Faka izixazululo nge ukuskena inkumbulo kanye nokuhlaziywa kokuziphatha okukwazi ukubona imithwalo efakwe ezinqubweni ezibukhoma, futhi kuhlola i-EDR/XDR ngokuzingela okuqhubekayo okusongelayo, ukunqanda inqubo, ukuguqulwa kokuguqulwa kanye nokuhlukaniswa kwemishini lapho kudingekile.

Imephu ye-Tactical kanye nempendulo

Ukusebenza ngohlaka I-MITER ATT&CK Isiza ukuhlonza amaqhinga/amasu afanelekile: ukwenza (T1059), ukusetshenziswa kwe-PowerShell (T1059.001), i-WMI (T1047), umjovo wenqubo (T1055), ukuphikelela ngeRegistry (T1112) noma imisebenzi (T1053), ukuhlunga (T1041), phakathi kokunye.

Esigamekweni esijwayelekile, kubalulekile ukwakha kabusha "indaba" ephelele: yikuphi okunamathiselwe okuvuliwe umsebenzisi, iyiphi inqubo eyethule ukuthi iyiphi, ngaziphi izimpikiswano, yiziphi izinto zobuciko ezidalwe, nokuthi iketango lasakazeka kanjani. Qondanisa wonke umongo Kuyisihluthulelo sokuhlukanisa izimpande nokugwema ukusika lapho kungafanele zisikwe khona.

Abanye abakhiqizi bethule imiqondo efana nokuthi “Indaba"Ukuhlanganisa izinqubo ezihlobene kanye nokufaka kahle umthombo wosongo. Le ndlela ivumela ukuncishiswa kwalo lonke iqembu elinonya, ukuguqulwa kwezenzo (okhiye, amafayela, izixhumanisi), kanye nesiphetho esihlanzekile ngaphandle kokuphazamisa izinqubo ezisemthethweni njengeklayenti le-imeyili."

Impendulo kufanele ibe yendawo futhi isheshe: uma i-ejenti isivele inakho umongo womsebenzisi, izinqubo, Isibhalisi, inethiwekhi namafayelaIngavimba, ihlehle, futhi ihlukanise ngaphandle kokulinda izinqumo emafini, okubalulekile ngokumelene nemithwalo yemisebenzi ehlala kuphela enkumbulweni imizuzwana.

Izibonelo zokutholwa namasignali okufanele aqashwe

Sesha izicelo ze I-PowerShell ene-ExecutionPolicy Bypass, iwindi elifihliwe, ngaphandle kwephrofayili, futhi i-ascargas ukuhlaselwa kwenkumbulo okulandelwa i-Start-Process noma umjovo. Lawa amaphethini avamile ekuhlaselweni okuvela kumadokhumenti anama-macros noma i-DDE.

Ku-WMI, hlola izikhala zamagama ze impande\ukubhalisa ukuthola izihlungi zomcimbi, abathengi bomugqa womyalo, kanye nezibopho ezingekho kusisekelo. Ize idale okubhaliselwe "okuvikelayo" okukuxwayisa ngezinto ezintsha ezisolisayo.

KuRegistry, bheka izinto. okhiye bokungena nezindawo ezivamile zokuphikelela, kanye nezinkomba eziphambanayo lokhu ngenqubo ye-telemetry. Isebenzisa i-Sysmon, ibheka ukudalwa kwenqubo enenzalo engavamile (Ihhovisi → PowerShell → cmd → rundll32, njll.).

Kunethiwekhi, ikhomba ukuxhumana okuphumayo ezizindeni noma emizileni akujwayelekile, imithwalo ekhokhelwayo ebethelwe noma ukukhishwa okukhulayo, futhi ihlobanisa imisebenzi ye-PowerShell/WMI nezigigaba zokuxhumana eziphumayo.

Izinsizakalo zemakethe namakhono

Kukhona izinsiza eziphethwe ezifana I-EMDR (Ukutholwa Nezimpendulo Eziphethwe Ibhizinisi) okuhlanganisa ukutholwa okusebenzayo okusekelwe ku-MITER ATT&CK ngempendulo yesikhathi sangempela, kanye SOC 24/7 ukuqapha, ukuhlaziya ukuziphatha kanye nokwenza i-forensics lapho kudingeka.

Ezingeni lomkhiqizo, izixazululo nge ukutholwa kokuziphatha Emaphethelweni ngokwawo, asebenza kahle kakhulu ekuhlaselweni okungenafayela ngoba awancikile ku-vector (i-exploit, macro, PowerShell, PowerSploit, exploit kit noma ngisho nokuba sengozini kwezinsuku eziyiziro) futhi angahlehlisa ngokuzenzakalelayo izenzo.

Ngaphandle kokumaketha, okubalulekile ukuthi i-ejenti inakho konke umongo wendawo (abasebenzisi, izinqubo, izimpikiswano, Isibhalisi, amafayela nokuxhumana) ukwenza izinqumo ngaphandle kokubambezeleka, ukunciphisa, ukuhlukanisa nokuvumela umsebenzi oqhubekayo kudivayisi ehlanzekile.

Ngokomlando, imikhankaso efana WannaCry Akhombisa ukuba wusizo kwale ndlela: ukutholwa kanye nokuvimbela ngokuziphatha nangaphambi kokuba namasignesha, okunciphise kakhulu umthelela ezinhlanganweni ezivikelekile.

Ukuthola uhlelo olungayilungele ikhompuyutha olungenafayela kudinga ukubheka lapho isenzo senzeka khona ngempela: inkumbulo, umugqa womyalo, izinqubo, nobudlelwano bazo ngokuhamba kwesikhathi. Ngezinqubomgomo ezinhle zokugawulwa kwemithi, ukuqapha kwe-PowerShell ne-WMI, izilawuli zokuziphatha kwe-endpoint, ukuvikela okunezigaba, kanye nemephu ye-ATT&CK, kungafezeka ngokuphelele. asuse isinyenyela ekusabiseni okuthi, ngokwemvelo yalo, kuncamele ukunganakwa.