Iyini i-ASR (Attack Surface Reduction) futhi iwavikela kanjani amadivayisi akho?

Uma uqala ukuhlolisisa ukuphepha kweWindows nakho konke okunikezwa yiMicrosoft Defender, leli gama I-ASR (Attack Surface Reduction) Kuvela isikhathi nesikhathi. Futhi lokho akukhona ukuqondana nje: sikhuluma ngesethi yemithetho namasu ahlose ukumisa ukuhlasela ngaphambi kokuba bathole nethuba lokuqala.

Kumongo we izinsongo eziya ngokuya ziba yinkimbinkimbiNge-ransomware, imibhalo efiphaziwe, ukwebiwa kwemininingwane, nokuhlaselwa okungenafayela, imithetho ye-ASR ibe yingxenye ebalulekile yokuvikela ukuvikela. Inkinga ukuthi zivame ukubonwa njengento "emilingo" futhi eyinkimbinkimbi, kuyilapho empeleni inengqondo ecacile uma ichazwa ngomoya ophansi.

Iyini i-ASR (Attack Surface Reduction) futhi iyiphi inkinga eyixazululayo?

I-Attack Surface Reduction, noma ukunciphisa indawo yokuhlaselaI-ASR yindlela ebandakanya ukunciphisa wonke amaphuzu umhlaseli angangena ngawo, anyakaze, noma akhiphe ikhodi endaweni. Esimeni esithile se-Microsoft, i-ASR isetshenziswa ngemithetho elawula ukuziphatha kwezindawo ezinobungozi obuphezulu: ukwenziwa kombhalo, ama-macros e-Office, izinqubo eziqaliswe kumadrayivu e-USB, ukuhlukunyezwa kwe-WMI, njll.

Ngokwezinto ezibonakalayo, i- Imithetho ye-Microsoft Defender ASR yendawo yokugcina Lezi yizinqubomgomo ezithi: “izinto ezithile ezijwayelekile ze I-malware Ngeke bavunyelwe, nakuba izicelo ezisemthethweni ngezinye izikhathi ziyazenza futhi. Ngokwesibonelo, iZwi ibhuthini I-PowerShell, okuthi a iskripthi okulandwe ku-inthanethi kwethula okusebenzisekayo noma inqubo eyodwa izama ukufaka ikhodi kwenye.

Umqondo oyisisekelo uwukunciphisa inani lezindlela ukuhlaselwa okungase kuzithathe ukuze kungene ohlelweni. Izindlela ezimbalwa ezitholakalayo, indawo encaneLokhu kufanelana ngokuphelele nemodeli ye-Zero Trust: sicabanga ukuthi ngesikhathi esithile kuzoba nokuphulwa, ngakho-ke sinciphisa "indawo yokuqhuma" yesigameko ngangokunokwenzeka.

Kubalulekile ukuhlukanisa lapha phakathi kwemiqondo emibili evame ukuxutshwa: ngakolunye uhlangothi, i ukunciphisa indawo yokuhlasela njengesu elijwayelekile (ukususa izinsizakalo ezingadingekile, ukuvala izikebhe, ukususa isoftware engasasebenzi, izimvume ezikhawulelwe, njll.), futhi ngakolunye uhlangothi, Imithetho ye-Microsoft Defender ASRokuyingxenye ecaciswe kakhulu yalelosu, egxile ekugcineni nasekuziphatheni kwesoftware.

Indawo yokuhlasela: ezomzimba, ezedijithali, nezomuntu

Uma sikhuluma ngendawo yokuhlasela yenhlangano, sibhekise kuyo wonke amaphuzu lapho umhlaseli angahileleka khonaAmadivayisi, izinhlelo zokusebenza, izinsiza ze-inthanethi, ama-akhawunti abasebenzisi, ama-API, amanethiwekhi angaphakathi, amafu angaphandle, njll. Akuyona nje inkinga yobuchwepheshe; iphutha lomuntu nalo liyavela.

Esigabeni sedijithali sithola amawebhusayithi, amaseva, yolwaziama-endpoint, izinsiza zefu, nezinhlelo zokusebenza zebhizinisiYonke isevisi engalungiselelwanga kahle, yonke imbobo evuliwe ngokungadingekile, zonke izinhlelo zokusebenza zesofthiwe ezingapeyishiwe zingaba indawo yokungena yokuxhaphaza. Kungakho izinkampani eziningi zithembele kumathuluzi e-EASM (External Attack Surface Management) enza ngokuzenzakalelayo ukutholwa kwezimpahla ezidaluliwe nokuba sengozini.

Ekubukeni komzimba, okulandelayo kuyangena amaseva asendaweni, izindawo zokusebenza, amadivaysi enethiwekhi, namatheminaliLapha, ubungozi buncishiswa ngezilawuli zokufinyelela ngokomzimba, amakhamera, amakhadi, izingidi, ama-rack avaliwe, kanye hardware Kuqinisiwe. Uma noma ubani ekwazi ukufinyelela isikhungo sedatha ngedrayivu ye-USB, akunandaba ukuthi inqubomgomo yakho yokuphepha inhle kangakanani.

Umlenze wesithathu uwubuso obuhlobene ne ubunjiniyela bezenhlalo kanye nesici somuntuAma-imeyili obugebengu bokweba imininingwane ebucayi, izingcingo zokuzenzisa, amawebhusayithi emigodi yamanzi, noma amaphutha alula ezisebenzi aholela ekulandeni okuqukethwe okunonya. Yingakho ukunciphisa indawo yokuhlasela kuphinde kufake ukuqeqeshwa nokuqwashisa, hhayi ubuchwepheshe kuphela.

I-ASR njengensika yokuphepha kokuvimbela kanye ne-Zero Trust

Kumodeli ye-Zero Trust sicabanga ukuthi inethiwekhi isivele isengozini noma izoba sengoziniFuthi esihlose ngakho ukuvimbela umhlaseli ukuthi angakhuli kalula noma athole amalungelo. Imithetho ye-ASR ingena kahle lapha ngoba ibeka imigoqo ngokumelene nama-vectors okuhlasela axhashazwa kakhulu, ikakhulukazi ekugcineni.

Imithetho ye-ASR isebenzisa umgomo wokuthi ubuncane belungelo obusetshenziswa ekuziphatheniAkukhona nje kuphela mayelana nokuthi i-akhawunti inaziphi izimvume, kodwa yiziphi izenzo ezingenziwa uhlelo oluthile. Isibonelo, i-Office isengahlela amadokhumenti ngaphandle kwenkinga, kodwa ngeke isakwazi ukuqalisa izinqubo zangemuva noma ukudala okusebenzisekayo kudiski ngokukhululekile.

Lolu hlobo lokulawula ukuziphatha lunamandla ikakhulukazi ngokumelene izinsongo ze-polymorphic nokuhlaselwa okungenafayelaNakuba uhlelo olungayilungele ikhompuyutha luhlala lushintsha isiginesha noma i-hashi, iningi lisadinga ukwenza izinto ezifanayo: ukusebenzisa izikripthi, ukufaka ikhodi kuzinqubo, ukukhohlisa i-LSASS, ukuhlukumeza i-WMI, ukubhala abashayeli abasengozini, njll. I-ASR igxile ngokuqondile kulawa maphethini.

Ngaphezu kwalokho, imithetho ingenziwa ngezindlela ezahlukene: ukuvimba, ukuhlola, noma isexwayisoLokhu kuvumela ukutholwa kwezigaba, kuqale ngokubheka umthelela wako (imodi yocwaningo), bese ukwazisa umsebenzisi (isixwayiso), futhi ekugcineni kuvinjwe ngokungenamusa uma okungafakwanga sekulungisiwe.

Okudingekayo kanye nezinhlelo zokusebenza ezihambisanayo

Ukuze uthole okuningi emithethweni ye-ASR ku-Microsoft Defender, kubalulekile ukuba nesisekelo esiqinile. Ngokwenza, udinga I-Microsoft Defender Antivirus kufanele kube i-antivirus yakho eyinhloko.isebenza kumodi esebenzayo, hhayi ethule, futhi enokuvikela kwesikhathi sangempela kuvuliwe.

Imithetho eminingi, ikakhulukazi ethuthuke kakhulu, idinga ukuba nayo Ukuvikelwa Okulethwa Amafu Iyasebenza futhi ixhumeka ngezinsizakalo zefu ze-Microsoft. Lona ukhiye ezicini ezithembele kusithunzi, ukusabalala, noma ama-heuristics emafini, njengokuthi "okwenziwayo okungahlangabezani nokusabalala, ubudala, noma isimiso sohlu oluthenjiwe" noma isimiso "sokuvikelwa kwe-ransomware okuthuthukisiwe".

Nakuba imithetho ye-ASR ingadingi ilayisense ngokuqinile I-Microsoft 365 E5, yebo kunjalo Ukuba ne-E5 noma amalayisense alinganayo kunconywa kakhulu. Uma ufuna ukuba nokuphatha okuthuthukile, ukuqapha, ukuhlaziya, ukubika, namandla okuhamba komsebenzi ahlanganiswe ku-Microsoft Defender ye-Endpoint kanye nengosi ye-Microsoft Defender XDR.

Uma usebenza ngamalayisense afana ne-Windows Professional noma i-Microsoft 365 E3 ngaphandle kwalezo zici ezithuthukisiwe, usengasebenzisa i-ASR, kodwa kuzodingeka uthembele kakhulu Isibukeli somcimbi, amalogi we-Microsoft Defender Antivirus, nezixazululo zokuphathelene ukuqapha nokubika (ukudluliswa komcimbi, i-SIEM, njll.). Kuzo zonke izimo, kubalulekile ukubukeza uhlu lwe izinhlelo ezisebenzayo isekelwengoba imithetho ehlukene inezidingo ezincane ze Windows 10/11 nezinguqulo zeseva.

Izindlela zokubusa ze-ASR kanye nokuhlola kwangaphambili

Umthetho ngamunye we-ASR ungacushwa ezifundeni ezine: akulungiselelwe/kukhutshaziwe, vimba, ukucwaninga, noma isexwayisoLezi zifunda zimelwe futhi ngamakhodi ezinombolo (0, 1, 2 kanye no-6 ngokulandelanayo) asetshenziswa ku-GPO, MDM, Intune naku-PowerShell.

Imodi Vimba Yenza kusebenze umthetho futhi imise ngokuqondile ukuziphatha okusolisayo. Imodi I-Audit Ibhala imicimbi ebingavinjwa, kodwa ivumela isenzo ukuthi siqhubeke, okukuvumela ukuthi uhlole umthelela kuzicelo zebhizinisi ngaphambi kokuqinisa ezokuphepha.

Imodi Isixwayiso (Xwayisa) uhlobo lwesisekelo esimaphakathi: umthetho uziphatha njengomthetho ovimbelayo, kodwa umsebenzisi ubona ibhokisi lengxoxo elibonisa ukuthi okuqukethwe kuvinjiwe futhi unikezwa inketho vula okwesikhashana amahora angu-24Ngemva kwaleso sikhathi, iphethini efanayo izovinjwa futhi ngaphandle kwalapho umsebenzisi eyivumela futhi.

Imodi yesixwayiso isekelwa kuphela kusuka Windows 10 inguqulo 1809 (RS5) nakamuvaEzinguqulweni ezedlule, uma ulungise umthetho kumodi yesixwayiso, empeleni uzoziphatha njengomthetho wokuvimba. Ukwengeza, eminye imithetho ethile ayisekeli imodi yesixwayiso uma ilungiswa nge-Intune (yize yenza nge-Group Policy).

Ngaphambi kokufinyelela iphuzu lokukhiya, kunconywa kakhulu ukusebenzisa imodi yokuhlola futhi uthembele ku IMicrosoft Defender Vulnerability ManagementLapha ungabona umthelela olindelekile wesimiso ngasinye (iphesenti lamadivayisi athintekile, umthelela ongaba khona kubasebenzisi, njll.). Ngokusekelwe kudatha yocwaningo, unganquma ukuthi yimiphi imithetho ozoyisebenzisa kumodi yokuvimbela, yiziphi amaqembu okuhlola, nokuthi yikuphi ukukhishwa okudingayo.

Imithetho ye-ASR ngohlobo: imithetho ejwayelekile yokuvikela neminye imithetho

I-Microsoft ihlukanisa imithetho ye-ASR ibe ngamaqembu amabili: ngakolunye uhlangothi, i imithetho ejwayelekile yokuvikelaLawa yilawo cishe anconywa ukuthi asebenze ngoba anomthelela omncane kakhulu ekusebenziseni, futhi ngakolunye uhlangothi, yonke imithetho evamise ukudinga isigaba sokuhlola ngokucophelela.

Phakathi kwemithetho ejwayelekile yokuvikela, okulandelayo kuyagqama, isibonelo: "Vimba ukuhlukunyezwa kwabalawuli abasayiniwe abasengozini yokuxhashazwa", "Vimba ukuntshontshwa kwemininingwane ohlelweni olungaphansi lwesiphathimandla sezokuphepha sasendaweni (lsass.exe)" o “Vimba ukuphikelela ngokubhaliselwe komcimbi we-WMI”Lezi zikhomba ngokuqondile kumasu avamile okukhula kwamalungelo, ukugwema ukuzivikela, nokuphikelela.

Imithetho esele, nakuba inamandla kakhulu, ingase ingqubuzane nezinhlelo zokusebenza zebhizinisi ezisebenzisa kakhulu imibhalo, amamakhro, izinqubo zezingane, noma amathuluzi okuphatha akude. Lokhu kuhlanganisa zonke ezithintayo IHhovisi, i-Adobe Reader, i-PSExec, i-WMI ekude, imibhalo efiphaziwe, ukusebenzisa kusuka ku-USB, ama-WebShells, Njll

Ngomthetho ngamunye, imibhalo ye-Microsoft a Igama le-Intune, igama elingenzeka Kusiphathi Sokucupha, i-GUID ehlukile, okuncikile (AMSI, Cloud Protection, RPC…) kanye nezinhlobo zezehlakalo ezikhiqizwa usesho oluthuthukisiwe (isibonelo, AsrObfuscatedScriptBlocked, AsrOfficeChildProcessAuditednjll.). Lawa ma-GUID yiwo ozodinga ukuwasebenzisa ku-GPO, MDM, naku-PowerShell ukuze unike amandla, ukhubaze, noma uguqule imodi.

Incazelo enemininingwane yemithetho ye-ASR eyinhloko

Imithetho ye-ASR ihlanganisa uhla olubanzi kakhulu hlasela ama-vectorsNgezansi isifinyezo salezo ezifanele kakhulu nokuthi yini ngempela ngayinye evimbayo, ngokusekelwe kuzithenjwa ezisemthethweni nolwazi olusebenzayo.

Vimbela ukuhlukunyezwa kwabashayeli abasayiniwe abasengozini, abaxhashazwayo

Lo mthetho uvimbela uhlelo lokusebenza olunamalungelo anele ukusuka bhala izishayeli ezisayiniwe kodwa ezisengozini kudiski abahlaseli bangabese belayisha ukuze bathole ukufinyelela ku-kernel futhi bakhubaze noma badlule izixazululo zokuphepha. Ayikuvimbi ukulayishwa kwabashayeli abasengozini abevele bekhona, kodwa inqamula enye yezindlela ezijwayelekile zokubethula.

Ikhonjwa yi-GUID 56a863a9-875e-4185-98a7-b882c64b5ce5 futhi ikhiqize imicimbi yohlobo AsrVulnerableSignedDriverAudited y AsrVulnerableSignedDriverBlocked kusesho oluthuthukile lwe-Microsoft Defender.

Vimbela i-Adobe Reader ukuthi ingakhi izinqubo zengane

Inhloso yalo mthetho ukuvimbela I-Adobe Reader isebenza njenge-springboard ukulanda futhi uqalise imithwalo ekhokhelwayo. Ivimbela ukudalwa kwezinqubo zesibili ezivela ku-Reader, ivikela ezenzweni ze-PDF nezindlela zobunjiniyela bomphakathi ezincike kulesi sibukeli.

I-GUID yakho 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2cfuthi ingadala imicimbi AsrAdobeReaderChildProcessAudited y AsrAdobeReaderChildProcessBlockedKuya ngokuthi iMicrosoft Defender Antivirus iyasebenza.

Vimbela zonke izinhlelo zokusebenza ze-Office kusukela ekudaleni izinqubo zezingane

Lo mthetho uvimbela i-Word, i-Excel, i-PowerPoint, i-OneNote, ne-Access khiqiza izinqubo zesibiliKuyindlela eqondile yokumisa ukuhlaselwa okuningi okususelwa ku-macro okwethulwe yi-PowerShell. I-CMD noma amanye amathuluzi esistimu ukuze akhiphe ikhodi enonya.

I-GUID ehambisanayo ithi d4f940ab-401b-4efc-aadc-ad5f3c50688aEzimeni zomhlaba wangempela, ezinye izinhlelo zokusebenza zebhizinisi ezisemthethweni nazo zisebenzisa le phethini (isibonelo, ukuvula i- ngokushesha komyalo noma faka izinguquko kuRejista), ngakho-ke kubalulekile ukuyihlola kuqala ngemodi yokuhlola.

Vimba ukwebiwa kwemininingwane ye-LSASS

Lo mthetho uvikela inqubo lsass.exe ngokumelene nokufinyelela okungagunyaziwe kusuka kwezinye izinqubo, ukunciphisa indawo yokuhlasela kumathuluzi afana ne-Mimikatz, ezama ukukhipha ama-hashe, amagama ayimfihlo ayimfihlo, noma amathikithi e-Kerberos.

Uhlanganyela ifilosofi I-Microsoft Defender Credential GuardUma usuvele une-Credential Guard enikwe amandla, umthetho wengeza okuncane, kodwa uwusizo kakhulu ezindaweni lapho ungeke ukwazi ukukunika amandla ngenxa yokungahambisani ne abashayeli noma isofthiwe yomuntu wesithathu. I-GUID yakho 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2.

Vimba okuqukethwe okusebenzisekayo okuvela kumaklayenti e-imeyili kanye ne-webmail

Lapha sifaka umthetho ohambisana kakhulu nokuhlaselwa kobugebengu bokweba imininingwane ebucayi. Ekwenzayo ukuvimbela... okusebenzisekayo, imibhalo, namafayela acindezelwe alandiwe noma anamathiselwe kumakhasimende e-imeyili nama-webmail gijima ngqo. Isebenza ikakhulukazi ku-Outlook, Outlook.com, kanye nabahlinzeki be-webmail abadumile, futhi iwusizo ikakhulukazi ekuhlanganisweni nokunye ukuvikela kwe-imeyili kanye izilungiselelo zesiphequluli ezivikelekile.

I-GUID yakho be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 futhi yakha izenzakalo ezifana AsrExecutableEmailContentAudited y AsrExecutableEmailContentBlockedIwusizo ikakhulukazi ekuhlanganisweni nokunye ukuvikela kwe-imeyili.

Vimbela okusebenzisekayo ekusebenzeni uma kungafinyeleli ukuvama, ubudala, noma imibandela yohlu lokwethenjwa.

Lo mthetho uvimbela ukusetshenziswa kokumbambambili (.exe, .dll, .scr, njll.) lokho azivamile ngokwanele, azikhulile ngokwanele, noma azithembekile Ngokusho kwedatha yesithunzi sefu ye-Microsoft, inamandla kakhulu ngokumelene ne-malware entsha, kodwa ingaba sengozini ezindaweni ezine-software eningi yasendlini noma engajwayelekile.

I-GUID i 01443614-cd74-433a-b99e-2ecdc07bfc25 Futhi kuncike ngokusobala ekuvikelweni kwamafu. Futhi, kuyisimo esicacile somthetho wokuthi kungcono kakhulu ukuqala kumodi yokucwaninga bese usebenzisa ukuvimbela kancane kancane.

Vimba ukusetshenziswa kwezikripthi okungenzeka zibe-ofuscated

Ikhodi ene-obfuscated ivamile kubo bobabili abahlaseli futhi, ngezinye izikhathi, nonjiniyela abasemthethweni. Lo mthetho uyahlaziya izici ezisolisayo ku-Obfuscated PowerShell, VBScript, JavaScript, noma kuma-macro scripts futhi ivimba labo abanethuba eliphezulu lokuba nonya.

I-GUID yakho 5beb7efe-fd9a-4556-801d-275e5ffc04cc Isebenzisa i-AMSI (I-Antimalware Scan Interface) nokuvikelwa kwamafu ukuze yenze isinqumo sayo. Lona omunye wemithetho esebenza ngempumelelo ngokumelene nemikhankaso yesimanje esekelwe kumbhalo.

Vimbela i-JavaScript noma i-VBScript ukuthi ingaqalisi okusebenzisekayo okulandiwe

Lo mthetho ugxile kuphethini yokulanda ejwayelekile: a Umbhalo oku-JS noma we-VBS ulanda ifayela kanambambili ku-inthanethi bese ulenza.Okwenziwa yi-ASR lapha ukuvimbela leso sinyathelo esiqondile sokwethula okulandekayo okulandiwe.

I-GUID yakho d3e037e1-3eb8-44c8-a917-57927947596dIphinde ithembele ku-AMSI futhi ibaluleke kakhulu ezimeni lapho ubuchwepheshe obudala noma imibhalo isasetshenziswa esipheqululini noma kudeskithophu.

Vimbela izinhlelo zokusebenza ze-Office ekudaleni okuqukethwe okusebenzisekayo

Enye indlela evamile ukusebenzisa i-Office ukuze bhala izingxenye ezinonya kudiski eqhubekayo ngemva kokuqalisa kabusha (isibonelo, i-executable eqhubekayo noma i-DLL). Lo mthetho uvimbela i-Office ekulondolozeni noma ekufinyeleleni lolo hlobo lokuqukethwe okusebenzisekayo ukuze likuqalise.

I-GUID i 3b576869-a4ec-4529-8536-b80a7769e899 Ithembele ku-Microsoft Defender Antivirus naku-RPC. Isebenza kahle kakhulu ekwephuleni amaketanga okutheleleka asuselwa ku-macro alanda imithwalo ekhokhelwayo eqhubekayo.

Vimbela izinhlelo zokusebenza ze-Office ekufakeni ikhodi kwezinye izinqubo

Lokhu kuvimbela i-Office ekusebenziseni amasu we umjovo wenquboLokhu kuhlanganisa ukujova ikhodi kwezinye izinqubo ukuze kufihlwe umsebenzi omubi. I-Microsoft ayiqapheli noma yikuphi ukusetshenziswa kwebhizinisi okusemthethweni kwale phethini, ngakho-ke kuwumthetho ophephile ukuvumela ezindaweni eziningi.

I-GUID yakho 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84Kodwa-ke, izinhlelo zokusebenza ezithile ezingqubuzana nalo mthetho zibhaliwe, ngakho-ke uma umsindo uvela endaweni, kuhle ukuhlola ukuhambisana.

Vimbela izinhlelo zokusebenza zokuxhumana ze-Office ekudaleni izinqubo zezingane

Ngokuyinhloko okuhloswe ngayo ku-Outlook kanye neminye imikhiqizo yezokuxhumana ye-Office, lo mthetho uvimbela ukudala izinqubo zesibili kusuka kuklayenti le-imeyiliukunciphisa ukuhlaselwa okusebenzisa ubungozi emithethweni ye-Outlook, amafomu, noma ama-imeyili anonya ukuze kusetshenziswe ikhodi.

I-GUID yakho 26190899-1602-49e8-8b27-eb1d0a1ce869 futhi isiza ukuvala i-vector ekhangayo kakhulu yemikhankaso yobugebengu bokweba imininingwane ebucayi.

Vimba ukuphikelela ngokubhaliselwe komcimbi we-WMI

Izinsongo eziningi "ezingenafayela" zithembele kuzo WMI ukuze kuzuzwe ukuphikelela ngaphandle kokushiya imikhondo ecacile kudiski. Lo mthetho uvimbela ukudalwa kokubhaliselwe komcimbi we-WMI okunonya okungaqalisa kabusha ikhodi noma nini lapho umbandela ufinyelelwa.

I-GUID yakho e6db77e5-3df2-4cf1-b95a-636979351e5b futhi ayikuvumeli ukukhishwa kwamafayela noma amafolda, ukuze kuvinjwe ukuthi ahlukunyezwe.

Vimba izinqubo ezidalwe kusuka ku-PSExec nemiyalo ye-WMI

I-PsExec ne-WMI zingamathuluzi okuphatha okukude asemthethweni, kodwa futhi asetshenziswa njalo ukunyakaza kwe-lateral kanye nokusakazwa kwe-malwareLo mthetho uvimbela izinqubo ezivela kuyo imiyalo I-PSExec noma i-WMI isetshenziswa, kunciphisa leyo ivekhtha.

I-GUID i d1e49aac-8f56-4280-b9ba-993a6d77406cUngomunye waleyo mithetho lapho ukusebenzelana nabalawuli kanye namathimba okusebenza kubalulekile ukuze kugwenywe ukuphazamisa izinqubo zokuphatha ezikude ezisemthethweni.

Vimba ukuqalisa kabusha kwemodi ephephile okuqalwe ngemiyalo

En Imodi ephephileIzixazululo eziningi zokuphepha zikhutshaziwe noma zikhawulelwe kakhulu. Enye i-ransomware ihlukumeza imiyalo efana bcdedit noma i-bootcfg ukuze iqalise kabusha ngemodi ephephile futhi ubethele ngaphandle kokumelana okuningi. Lo mthetho uqeda lokho okungenzeka, uvumela ukufinyelela okuqhubekayo kumodi ephephile kuphela ngemvelo yokutakula okwenziwa ngesandla.

I-GUID yakho 33ddedf1-c6e0-47cb-833e-de6133960387 futhi yakha izenzakalo ezifana AsrSafeModeRebootBlocked o AsrSafeModeRebootWarnBypassed.

Vimba izinqubo ezingasayiniwe noma ezingathenjwa ezivela ku-USB

Lapha, umzila wokungena wakudala uyalawulwa: i Amadrayivu e-USB namakhadi e-SDNgalo mthetho, okusebenzisekayo okungasayiniwe noma okungathenjwa okwenziwa kule midiya kuvinjiwe. Lokhu kusebenza kokuhamba ngakubili okufana ne-.exe, .dll, .scr, njll.

I-GUID i b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 futhi iwusizo ikakhulukazi ezindaweni lapho kunobungozi bokusetshenziswa kwe-USB okungalawulwa.

Vimba ukusetshenziswa kwamathuluzi esistimu akopishiwe noma angcolile

Ukuhlasela okuningi kuzama ukukopisha noma ukulingisa Amathuluzi esistimu yeWindows (okufana ne-cmd.exe, powershell.exe, regsvr32.exe, njll.) ukuzenza njengezinqubo ezisemthethweni. Lo mthetho uvimbela ukusetshenziswa kwezinto ezisebenzisekayo ezihlonzwe njengamakhophi noma abakhohlisi balawa mathuluzi.

I-GUID yakho c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb futhi ikhiqiza izehlakalo ezifana AsrAbusedSystemToolBlockedIhambisana kahle namanye amasu okulawula uhlelo lokusebenza.

Vimba ukudalwa kwe-WebShell kumaseva

Ama-WebShell ayimibhalo eklanyelwe ngokuqondile ukunikeza umhlaseli isilawuli kude phezu kwesevaukuyivumela ukuthi isebenzise imiyalo, ilayishe amafayela, ikhiphe idatha, njll. Lo mthetho, oqondiswe kumaseva nezindima ezifana ne-Exchange, uvimba ukudalwa kwale mibhalo eyingozi.

I-GUID i a8f5898e-1dc8-49a9-9878-85004b8a61e6 futhi yakhelwe ukuqinisa ngokukhethekile amaseva adaluliwe.

Vimba izingcingo ze-Win32 API ezivela kumamakhro we-Office

Mhlawumbe omunye wemithetho esebenza ngempumelelo ngokumelene i-macro malwareIvimbela ikhodi ye-Office VBA ekungeniseni nasekubizeni ama-Win32 APIs, avame ukusetshenziselwa ukulayisha i-shellcode kumemori, ukuphatha izinqubo, inkumbulo yokufinyelela, njll.

I-GUID yakho 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b futhi incike ku-AMSI. Empeleni, ihlanganisa izifanekiso eziningi zohlelo olungayilungele ikhompuyutha ku-Word ne-Excel ezithembele kulezi zingcingo ukuze zenze ikhodi engafanele.

Ukusetshenziswa kokuvikelwa kwe-ransomware okuthuthukisiwe

Lo mthetho wengeza isendlalelo esengeziwe sokuvikela esisekelwe ikhasimende kanye ne-cloud heuristics ukuthola ukuziphatha okuhambisana ne-ransomware. Kucatshangelwa izici ezifana nesithunzi, isiginesha yedijithali, noma ukusabalala ukuze kunqunywe ukuthi ifayela kungenzeka yini libe yi-ransomware kunohlelo olusemthethweni.

I-GUID yakho c1db55ab-c21a-4637-bb3f-a12568109d35Futhi nakuba izama ukunciphisa amaphuzu angamanga, ivame ukwenza iphutha ohlangothini lokuqapha ukuze ingaphuthelwa i-cipher yangempela.

Izindlela zokumisa: Intune, MDM, Configuration Manager, GPO, kanye nePowerShell

Imithetho yokunciphisa indawo yokuhlaselwa ingalungiselelwa ngezindlela ezimbalwa kuye ngokuthi uphatha kanjani izimoto zedivayisi yakho. Isincomo esijwayelekile seMicrosoft ukusebenzisa izinkundla zokuphatha ezingeni lebhizinisi (Intune noma Isiphathi Sokulungiselela), njengoba izinqubomgomo zabo zihamba phambili kune-GPO noma ukulungiselelwa kwe-PowerShell kwendawo lapho isistimu iqala.

cunt I-Microsoft Intune Unezindlela ezintathu: inqubomgomo yokuphepha yephoyinti lokuphela elithile le-ASR, amaphrofayela okulungiselelwa kwedivayisi (I-Endpoint Protection), namaphrofayela angokwezifiso asebenzisa i-OMA-URI ukuchaza imithetho nge-GUID kanye nesifunda. Kuzo zonke izimo, ungakwazi ukwengeza okukhishiwe kwefayela nefolda ngokuqondile noma ukungenise kusuka kufayela le-CSV.

Ezimweni ama-MDM ajwayelekile I-CSP isetshenziswa ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules Ukuze uchaze uhlu lwama-GUID anezimo, ahlukaniswe amabha aqondile. Isibonelo, ungahlanganisa imithetho embalwa ngokunikeza u-0, 1, 2, noma 6 kuye ngokuthi uyafuna ukukhubaza, ukuvimba, ukuhlola, noma ukuxwayisa. Okungafakiwe kulawulwa ne-CSP. ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions.

cunt I-Microsoft Configuration Manager Ungadalela izinqubomgomo Windows Defender I-Exploit Guard igxile “Ekuncishisweni kwendawo yokuhlasela”, khetha ukuthi yimiphi imithetho ofuna ukuyivimba noma ukuyihlola bese uyithumela kumaqoqo athile wamadivayisi.

La Inqubomgomo yeqembu Ikuvumela ukuthi ulungiselele i-ASR ngezifanekiso zokuphatha ngokuzulazulela ku-Microsoft Defender Antivirus kanye namanodi "Attack Surface Reduction". Lapho, unika amandla inqubomgomo "Yenza imithetho yokunciphisa indawo yokuhlasela" bese ufaka ama-GUID nezimo zawo ezihambisanayo. I-GPO eyengeziwe ikuvumela ukuthi uchaze okungafakwanga kwefayela nendlela.

Ekugcineni, I-PowerShell Kuyindlela eqondile nelusizo kakhulu yokuhlolwa okukodwa noma izikripthi ezizenzakalelayo. Cmdlets like Set-MpPreference y Add-MpPreference Zikuvumela ukuthi unike amandla, uhlole, uxwayise, noma ukhubaze imithetho ngayinye, futhi uphathe uhlu lokukhishwa nge -AttackSurfaceReductionOnlyExclusionsNokho, uma kukhona i-GPO noma i-Intune ehilelekile, izilungiselelo zabo ziza kuqala.

Okungafakwanga, ukungqubuzana kwenqubomgomo, nezaziso

Cishe yonke imithetho ye-ASR iyakuvumela ungafaki amafayela namafolda Lokhu kuvimbela ukuvinjwa kwezinhlelo zokusebenza ezisemthethweni okuthi, ngokuklama, zibonise ukuziphatha okufana ne-malware. Ithuluzi elinamandla, kodwa kufanele lisetshenziswe ngokunemba kokuhlinzwa: ukukhishwa okubanzi ngokweqile kungashiya ubungozi obukhulu.

Uma kusetshenziswa izinqubomgomo ezingqubuzanayo ezivela ku-MDM ne-Intune, ukulungiselelwa kwe Ukuqondisa kweqembu kuthatha kuqala Uma ikhona. Ngaphezu kwalokho, imithetho ye-ASR isekela ukuziphatha kokuhlanganisa inqubomgomo: isethi enkulu yakhiwa ngokulungiselelwa okungangqubuzani, futhi okufakiwe okungqubuzanayo kuye kwashiywa kuleyo divayisi.

Ngaso sonke isikhathi lapho umthetho uqalwa kumodi yokuvimba, umsebenzisi ubona a isaziso sohlelo echaza ukuthi umsebenzi uvinjiwe ngenxa yezizathu zokuphepha. Lezi zaziso zingenziwa ngezifiso ngemininingwane yenkampani kanye nolwazi lokuxhumana. Kweminye imithetho nezimo, izexwayiso ze-EDR nezaziso zangaphakathi nazo ziyakhiqizwa futhi zibonakale kuphothali ye-Microsoft Defender.

Akuyona yonke imithetho ehloniphayo Ukukhishwa kwe-antivirus ye-Microsoft Defender Futhi abacabangi izinkomba ze-compromise (IOCs) ezilungiselelwe ku-Defender ye-Endpoint. Isibonelo, umthetho we-LSASS wokuvimbela ukwebiwa kwemininingwane noma umthetho wokuvinjwa kokufakwa kwekhodi ye-Office ungacabangi ama-IOC athile, ukuze kugcinwe ukuqina kwawo.

Ukuqapha Umcimbi we-ASR: Iphothali, Usesho Oluthuthukile, kanye nesibukeli somcimbi

Ukuqapha kuyisihluthulelo sokuqinisekisa ukuthi i-ASR ayilona ibhokisi elimnyama. I-Defender for Endpoint inikeza imibiko enemininingwane yemicimbi nokuvinjwa okuhlobene nemithetho ye-ASR, okungaboniswana ngakho kokubili kuphothali ye-Microsoft Defender XDR nangosesho oluthuthukisiwe.

Ukusesha okuthuthukisiwe kukuvumela ukuthi uqalise imibuzo mayelana netafula DeviceEventsukuhlunga ngezinhlobo zesenzo eziqala ngokuthi "Asr". Isibonelo, umbuzo oyisisekelo DeviceEvents | where ActionType startswith 'Asr' Ikubonisa imicimbi ehlobene ne-ASR eqoqwe ngenqubo nangehora, njengoba ijwayela esimweni esisodwa ngehora ukuze kwehliswe ivolumu.

Ezindaweni ezingenayo i-E5 noma ngaphandle kokufinyelela kulawa makhono, kuhlale kunenketho yokubuyekeza I-Windows ingena ku-Event ViewerI-Microsoft inikeza ukubukwa kwangokwezifiso (okufana nefayela le-cfa-events.xml) elihlunga izehlakalo ezifanele, ngezihlonzi ezifana ne-5007 (izinguquko zokumisa), 1121 (umthetho kwimodi yokuvinjwa) kanye no-1122 (umthetho kumodi yokuhlola).

Ngokusetshenziswa okuxubile, kuvamile impela ukudlulisela le micimbi ku-a I-SIEM noma inkundla yokugawula emaphakathi, zihlobanise nezinye izinkomba futhi zicuphe izexwayiso zangokwezifiso lapho imithetho ethile iqala ukukhiqiza imicimbi eminingi engxenyeni ethile yenethiwekhi.

Ukunciphisa indawo yokuhlasela ngale kwe-ASR: amasu, ubuchwepheshe nezinselele

Nakuba imithetho ye-ASR iyingxenye ebaluleke kakhulu, ukunciphisa indawo yokuhlasela njengesu lomhlaba wonke lidlulela ngalé kwendawo yokugcina. Kuhilela mephu zonke izimpahla kanye nezindawo zokungenaSusa izinsizakalo ezingadingekile, amanethiwekhi engxenye, sebenzisa izilawuli zokufinyelela eziqinile, qinisa amasistimu, gcina ukulungiselelwa okuvikelekile, futhi uvikele ifu nama-API.

Izinhlangano ngokuvamile ziqala ngohlu oluphelele lwe amadivayisi, isofthiwe, ama-akhawunti nokuxhumanaOkulandelayo, amasevisi angasetshenzisiwe nezinhlelo zokusebenza zikhonjwa futhi zikhishwe, izimbobo zenethiwekhi ziyavalwa, nezici ezingangezi inani ziyakhutshazwa. Lokhu kwenza imvelo ibe lula futhi kunciphisa inani "leminyango" edinga ukugadwa.

Ingxenye ye- ukulawula ukufinyelela Kubalulekile: ukusetshenziswa komgomo wokuba nelungelo elincane, amagama ayimfihlo aqinile, ukuqinisekiswa kwezinto eziningi, ukuhoxiswa okusheshayo kokufinyelela lapho othile eshintsha izindima noma eshiya inhlangano, nokuqapha imizamo yokungena ngemvume esolisayo.

Efwini, indawo yokuhlasela iyakhula ngesevisi entsha ngayinye, i-API, noma ukuhlanganiswa. Ukungalungiseki kahle ku isitorejiIzindima ezibanzi ngokwedlulele, ama-akhawunti ezintandane, noma amanani azenzakalelayo angavikelekile yizinkinga ezijwayelekile. Lapha yilapho kuculwa khona ukuhlola okuvamile, ukubethelwa kwedatha lapho uphumule futhi usendleleni, ukuhlukaniswa kwenethiwekhi okubonakalayo, nokubuyekezwa kwemvume okuqhubekayo kuqala khona.

Ukusekela konke lokhu, ubuchwepheshe obufana ukutholwa kwempahla namathuluzi okwenza imephu, izikena zokuba sengozini, amasistimu okulawula ukufinyelela, izinkundla zokuphatha ukuhlela, namathuluzi okuphepha enethiwekhi (izicishamlilo, i-IDS/IPS, i-NDR, njll.). Izixazululo ezifana ne-SentinelOne, isibonelo, zihlanganisa ukuvikelwa kwephoyinti lokugcina, ukuhlaziya ukuziphatha, kanye nokuphendula okuzenzakalelayo ukuze kuncishiswe ngokwengeziwe indawo yokuhlasela ephumelelayo.

Izinselelo ziningi: ukuncika okuyinkimbinkimbi phakathi kwamasistimuUkuba khona kwezinhlelo zokusebenza zefa ezingasekeli izinyathelo zesimanje, isivinini esisheshayo soshintsho lwezobuchwepheshe, imikhawulo yezinsiza, kanye nokungqubuzana okungapheli phakathi kokuvikeleka nokukhiqiza konke kunomthelela kule nselele. Ukuthola ibhalansi efanele kudinga ukuqonda okujulile kwebhizinisi nokubeka phambili izimpahla nezinqubo ezibalulekile.

Ngokunikezwa kwalo mongo, imithetho ye-ASR iba ngelinye lamathuluzi asebenza kahle kakhulu okukhawulela inkundla yokudlala yomhlaseli ekugcineni. Ukuhleleka kahle (kuqala ngokucwaninga), kulungiswe kahle ngokukhishwa okunembayo, futhi kuqashwe ngokucophelela, kuvimbela iphutha lomsebenzisi, ukuxhaphaza okukodwa, noma idrayivu ye-USB enonya ekukhuphukeni ngokuzenzakalelayo ibe yisigameko esibucayi, okusiza ekugcineni indawo encane, elawulekayo, futhi, ngaphezu kwakho konke, indawo yokuhlasela esebenza ngempumelelo. okunzima kakhulu ukukusebenzisa.