- I-malware engenamafayela isebenza kwimemori futhi isebenzisa kabi amathuluzi asemthethweni njenge-PowerShell noma i-WMI.
- Ingantshontsha idatha, ibhale amafayela, noma ihlole amakhompyutha ngaphandle kokushiya umkhondo osobala kudiski.
- Ukutholwa okuphumelelayo kudinga ukuqapha ukuziphatha nezinqubo, hhayi amafayela kuphela.
- Ukuvikela kudinga i-EDR, ukuhlukaniswa, ukuhlelwa kabusha, kanye nokunciphisa ukusetshenziswa kwezikripthi nama-macro.
Eminyakeni yamuva i i-malware engenafayela I-malware engenamafayela isibe yinye yezinkinga ezinkulu kakhulu kumaqembu e-IT kanye nezokuphepha. Asikhulumi ngegciwane elivamile olilanda kusinamathiseli futhi ongalisusa nge-antivirus scan, kodwa ngento ecashile kakhulu ecasha ngaphakathi kwezinqubo zesistimu.
Lolu hlobo losongo lusizakala amathuluzi esistimu yokusebenza asemthethweniIkakhulukazi ku-Windows, ingasebenzisa ikhodi enobungozi ngqo ku-RAM. Ngenxa yokuthi ayishiyi mkhondo kudiski, ingagwema izinhlelo eziningi ze-antivirus zendabuko futhi ihlale isebenza isikhathi eside ngokwanele ukweba ulwazi, ukubhala amafayela, noma ukugcina iminyango yangemuva ngaphandle kokutholwa.
Iyini ngempela i-malware engenamafayela?
Uma sikhuluma nge-malware engenamafayela, sibhekisela ku- ikhodi enonya engaxhomekile ku-executable yakudala kudiski ukuze isebenze. Esikhundleni sokufakwa njenganoma yiluphi olunye uhlelo, ithembela ezingxenyeni ezikhona kakade ohlelweni (izikripthi, izinsizakalo, abahumushi bemiyalo, njll.) ukuze ilayishe futhi isebenzise imiyalelo yayo ngqo kwimemori.
Ngokombono wezobuchwepheshe, le malware ivame ukuba ukufakwa ezinqubweni esezisebenza kakade noma zingaqaliswa kusetshenziswa imiyalo efaka yonke into ku-RAM. Lokhu kusho ukuthi, uma ikhompyutha icishiwe noma iqalwa kabusha, izinhlobo eziningi ziyanyamalala, kodwa okwamanje zinesikhathi esanele sokubangela umonakalo omkhulu.
Uma kuqhathaniswa ne-malware esekelwe kumafayela, lezi zinsongo ziyi- kulula, kuyaqondakala, futhi kunzima kakhulu ukukulandelelaNgeke uthole ifayela le-.exe elisolisayo kudiski, noma umfaki onobungozi: inkinga ikwilokho okwenzeka ngaphakathi kwezinqubo ezibonakala zithembekile.
Ukwanda kwale ndlela kwanda kakhulu cishe ngo-2017, lapho imikhankaso iqala ukuhlanganisa amasu angenamafayela kanye ama-clicker trojans, i-advanced adware, namathuluzi okufinyelela kude (ama-RAT)Namuhla zihlanganiswe kuzo zonke izinhlobo zokusebenza: kusukela ekuhloleni kanye nama-APT kuya ku-ransomware kanye ne-cryptomining.
Indlela i-malware engenamafayela esebenza ngayo ngaphakathi
Ukuze uqonde ukuthi isebenza kanjani, kubalulekile ukukhumbula ukuthi izinhlelo zokusebenza eziningi ezijwayelekile zisatshalaliswa njenge- ifayela elibhalelwe kudiski bese lilayishwa kwimemori uma umsebenzisi eyisebenzisa. I-malware engenamafayela, ngakolunye uhlangothi, yeqa isinyathelo sokuqala bese ivelela ngqo ku-RAM isebenzisa izindlela zesistimu yokusebenza uqobo.
Imikhankaso eminingi incike emcabangweni "wokuphila ngomhlaba" (abahlala ngaphandle komhlaba): umhlaseli usebenzisa kabi amandla okuphatha asemthethweni esikhundleni sokwethula ama-binary amasha. Ku-Windows, isibonelo esiyinhloko yi-PowerShell, kodwa i-WMI, i-mshta, i-rundll32, izikripthi ze-VBScript noma ze-JScript, kanye nezinye izi-binary ezithembekile (ama-LoLBins) nazo ziyasetshenziswa.
Isimo esijwayelekile singaba: umsebenzisi uvula idokhumenti ye-Office enokuqukethwe okunonya noma achofoze isixhumanisi sobugebengu bokweba imininingwane ebucayi; kusukela lapho iskripthi esibiza i-PowerShell noma elinye ithuluzi lokulanda, ukususa ukubhala ngekhodi, noma ukufaka ikhodi yesigaba esilandelayo kwimemori. Konke lokhu kungenzeka ngaphandle kokudala ifayela elihlala njalo ku-hard drive.
Esinye i-vector esivamile sihilela ukusizakala ubungozi bokusebenzisa ikhodi yesilawuli kude, njengokugcwala kwe-buffer kuziphequluli, ama-plugin, noma izinhlelo zokusebenza zeseva. Ngokusebenzisa ubuthakathaka, umhlaseli angakwazi ukusebenzisa i-shellcode ngqo ngaphakathi kwenqubo ebuthakathaka futhi, kusukela lapho, alayishe ezinye izingxenye kwimemori.
Ezinye izinhlobo zize zisebenzise I-Windows Registry noma imisebenzi ehleliwe ukugcina izikripthi noma imiyalo evuselela ukuhlaselwa lapho uhlelo luqala noma umsebenzisi engena ngemvume. Ngisho noma kukhona okubhalelwe iRegistry, i-logic eyinhloko enonya iyaqhubeka nokusebenza kwimemori, okwenza kube nzima ukuyithola ngamathuluzi agxile kuphela ohlelweni lwefayela.
Izindlela zokutheleleka kanye nokufinyelela kokuqala
Umnyango wangaphambili uvame ukuba ngowakudala kakhulu: ama-imeyili obugebengu bokweba imininingwane ebucayi, izixhumanisi ezinonya, kanye namadokhumenti angewona angempela Zisalokhu ziyizinkosi zokufinyelela kokuqala, noma ngabe kusetshenziswa amasu angenamafayela ngaphansi. Icebo liwukuthi kulo lonke uchungechunge, kwenziwa yonke imizamo yokunciphisa noma yikuphi ukunyatheliswa kwediski.
Ezimweni eziningi ziyasetshenziswa Amadokhumenti e-Microsoft Office anama-macros Uma zisebenza, lawa ma-macro abiza i-PowerShell noma i-WMI ukuze alande futhi aqalise isigaba esilandelayo sokuhlasela ngenkumbulo. Ngisho noma kungekho ma-macro, abahlaseli basebenzisa ubuthakathaka ku-Word, Excel, Abafundi be-PDF noma injini yokubhala ngokwayo ukuze kufezwe ukuqaliswa kwekhodi.
Enye indlela ihilela ukusebenzisa ngqo okubonakala kungenangozi okusebenzayo umsebenzisi ayithola nge-imeyili noma ngokulanda kusuka kuwebhu. Lokhu okusebenzisekayo kungakhipha imojula enonya bese kuyilayisha kwimemori kusetshenziswa amasu afana nokuzindla ku-.NET, ngaphandle kokuyigcina kudiski njengefayela elihlukile.
Kukhona nemikhankaso eqondiswe kumaseva ewebhu noma izinhlelo zokusebenza ezivezwe kwi-inthanethi, lapho ubungozi busetshenziswa khona ukusabalalisa ama-webshell anezingxenye ezingenamafayelaIsibonelo samuva ukusetshenziswa kwe-Godzilla namathuluzi afanayo, lapho ikhodi enonya ihamba ngaphakathi kwezicelo ze-HTTP futhi ifakwe ngqo kwimemori kuseva eyonakele.
Ekugcineni, abahlaseli bavame ukusebenzisa izifakazelo ezebiweUma bethola igama lomsebenzisi nephasiwedi yomlawuli noma i-akhawunti enelungelo, bangangena ngemvume nge-RDP noma ezinye iziteshi bese bevula ngesandla izikripthi ze-PowerShell, imiyalo ye-WMI, noma amathuluzi okuphatha afaka i-malware kwimemori ngaphandle kokushiya noma yiziphi izinhlelo ezintsha ezisebenzayo ohlelweni.
Amasu athile asetshenziswa yi-malware engenamafayela
Esinye sezihluthulelo zalokhu kuhlaselwa ukusetshenziswa kabusha amathuluzi omdabu wamawindi njengendlela yokuhambisa imibhalo yabo. Lokhu kubangela ukuthi imisebenzi enonya ihlangane nemisebenzi evamile yokuphatha, okwenza kube nzima ukuhlaziya kanye nokuphendula.
Phakathi kwezindlela ezivame kakhulu esizitholayo ukusetshenziswa kwe I-PowerShell njengesiqalisi sekhodi esifakiwe ngqo kusuka kumugqa womyalo. Isibonelo, iskripthi esifihliwe sidluliswa njengepharamitha, inqubomgomo yokusebenzisa ikhutshaziwe, ifasitela liyafihlwa, futhi umthwalo wokukhokha ulandwa ngqo kwimemori, konke ngaphandle kokushiya ifayela le-.ps1 noma yikuphi ukusebenziseka okusolisayo kubonakala.
Elinye isu elidumile kakhulu ukugcina imibhalo enonya ku- Okubhaliselwe kwe-Windows Management Instrumentation (WMI)Ngezikhathi ezithile, i-WMI iqalisa iskripthi, esingasebenzisa ikhodi kusuka kwimemori, sixhumeke kumaseva omyalo nokulawula, noma siqalise izigaba ezintsha zokutheleleka.
Ngokufanayo, amaqembu amaningi asebenzisa I-Windows Registry kanye ne-Task Scheduler njengesiphephelo sezikripthi zabo nemiyalo. Esikhundleni sokubeka i-executable kufolda yokuqalisa, bachaza okhiye bokuqalisa noma imisebenzi ehleliwe esebenzisa izikripthi ze-PowerShell, mshta, noma ze-rundll32 ngekhodi efakiwe noma endiza.
Amasu ayabonakala futhi ku- ukubonakaliswa ku-.NETlapho i-executable elula equkethe ama-assembly abethelwe noma acindezelwe alayishwa ngqo kwimemori kusetshenziswa i-Reflection.Load, ngaphandle kokubhalwa njengamafayela e-.dll kudiski. Lokhu kuvumela ukuthunyelwa kwamaTrojan ayinkimbinkimbi kakhulu ngaphakathi kwenqubo eyodwa, ebonakala ijwayelekile.
Yini engenziwa ukuhlasela okungenamafayela?
Naphezu kwegama layo, ukuhlasela okungenamafayela akukhawulelwe emthonjeni wakho. Eqinisweni, kungenza imisebenzi efanayo ne-malware yendabuko: ukwebiwa kolwazi, ukubethela idatha, ukunyakaza okuseceleni, ubunhloli, ukumbiwa kwemali yedijithali, noma ukufakwa kweminyango yangemuva ehlala njalo.
Imikhankaso eminingi engenamafayela iziphatha ngendlela isela leziqinisekisoLokhu kuhilela ukuthwebula amaphasiwedi, amathokheni eseshini, noma ama-hashe okufakazela ubuqiniso kusukela enkumbulweni yezinqubo ezibucayi. Lokhu kwenza kube lula ukwandisa amalungelo, ukulimaza izinhlelo eziningi, nokugcina ukufinyelela isikhathi eside ngaphandle kokusebenzisa ama-binary engeziwe.
Abanye bagxila ku ifayela le-ransomwarelapho ingxenye yokubethela kanye nokuqonda kokuxhumana kwenziwa ngqo kwimemori. Nakuba ingxenye yediski ingavela ngesikhathi esithile ukuze ilawule inani elikhulu lamafayela, ukulayisha kokuqala kanye nokulawula ukuhlaselwa kwenziwa ngamasu angenamafayela ukuze kugwenywe ukutholakala kusenesikhathi.
Abahlaseli bangafaka futhi ama-rootkit noma ama-RAT athuthukile Uma sezimisiwe, la mathuluzi asebenzisa iziteshi ezingenamafayela ukuthola imiyalo, ukuhamba kunethiwekhi, nokubuyekeza amamojula. Ngenxa yokuthi ahlanganiswe nezinqubo zesistimu noma izinsizakalo ezibalulekile, la mathuluzi kunzima kakhulu ukuwaqeda.
Ngasohlangothini lwezomnotho, umthelela uhumusha ukulahleka kwedatha, ukuphazamiseka kwesevisi, izinhlawulo zomthetho, kanye nomonakalo wedumelaNjengoba lokhu kungena kuvame ukungatholakali izinyanga eziningi, inani lolwazi olufihliwe kanye nobubanzi bokuphulwa kungaba lukhulu kakhulu.
Izigaba zokuhlasela kwe-malware okungenamafayela
Nakuba izici zobuchwepheshe zihlukile, umjikelezo wokuphila kokuhlaselwa okungenamafayela ufana kakhulu nowanoma yikuphi ukungena okuthuthukisiwe. Yiziphi izinguquko eziyi- izindlela ezisetshenziswa esigabeni ngasinye kanye nendlela abazifihla ngayo.
Esigabeni se ukufinyelela kokuqalaUmhlaseli udinga indawo yokuqala yokubamba: ukuchofoza kusixhumanisi se-phishing, ukuvulwa kwedokhumenti equkethe ama-macro, ukuxhashazwa kweseva esengozini, noma ukusetshenziswa kabusha kweziqinisekiso ezisengozini. Ukusuka lapho, umgomo uwukusebenzisa ikhodi ngaphakathi kohlelo oluqondiwe.
Uma leso sinyathelo sesifeziwe, isigaba esilandelayo siyaqala ukwenziwa enkumbulweniYilapho i-PowerShell, i-WMI, i-mshta, i-rundll32, i-VBScript, i-JScript, noma abanye abahumushi besebenza khona ukulayisha nokusebenzisa i-payload ngaphandle kokukhiqiza ama-executable ahlala njalo kudiski. Ikhodi ivame ukufihlwa noma ukubethelwa futhi isuswe ukubethelwa ku-RAM kuphela.
Bese kuqala ukuphishekela ukuphikelelaNakuba imithwalo eminingi yokulayisha engenamafayela iyanyamalala lapho ikhompyutha iqala kabusha, abahlaseli abanolwazi bahlanganisa izikripthi ze-RAM-resident nezihluthulelo zeRegistry, imisebenzi ehleliwe, noma okubhaliselwe kwe-WMI okuqalisa kabusha ikhodi njalo lapho kuhlangatshezwana nesimo esithile, njengokuqala kohlelo noma ukungena ngemvume komsebenzisi.
Ekugcineni, izinhloso zokugcina Izenzo zomhlaseli zifaka: ukwebiwa kwedatha nokukhishwa kwayo, ukubethela ulwazi, ukuthunyelwa kwe-malware eyengeziwe, ubunhloli obuqhubekayo, kanye nokucekelwa phansi kwezinhlelo ezibalulekile. Konke lokhu kwenziwa ngenkathi kuzama ukugcina iphrofayili ephansi kakhulu ukuze kugwenywe izexwayiso zakuqala kanye nokuhlaziywa kwe-forensic.
Kungani kunzima kangaka ukukubona?
Inkinga enkulu nge-malware engenamafayela ukuthi Iphula imodeli yokuzivikela yakudala ngokusekelwe kumafayela kanye nokusayinaUma kungekho okusolisayo okusebenzayo okufanele kuhlaziywe, izinjini eziningi ze-antivirus aziboni okwenzekayo ngaphakathi kwenkumbulo kanye nezinqubo ezisemthethweni.
Ukungabikho kwamafayela kudiski kusho ukuthi Azikho izinto okufanele ziskenwe ngezikhathi ezithile ekufuneni amaphethini aziwayo. Ngaphezu kwalokho, ngokusebenzisa ama-binary asayinwe uhlelo lokusebenza uqobo, njenge-PowerShell.exe, i-wscript.exe, noma i-rundll32.exe, umsebenzi ononya ufihlwa ngemuva kwamagama umphathi avame ukuwathemba.
Ngaphezu kwalokho, imikhiqizo eminingi ezuzwe njengefa ine- Ukubonakala okulinganiselwe ezinqubweni ezisebenzayoBagxila ohlelweni lwamafayela kanye nethrafikhi yenethiwekhi, kodwa abahloli kahle izingcingo zangaphakathi ze-API, amapharamitha omugqa womyalo, ukuziphatha kwesikripthi, noma imicimbi yeRegistry engase ibonise ukuhlaselwa okungenamafayela.
Abahlaseli, beqaphela lokhu kulinganiselwa, baphendukela ku- amasu okufiphaza, ukubethela, kanye nokuhlukaniswa kwekhodiIsibonelo, bahlukanisa iskripthi esinonya sibe yizingcezu eziningana ezihlanganiswa ngesikhathi sangempela, noma bafihla imiyalelo ngaphakathi kwezithombe, izinsiza ezifakiwe, noma izintambo ezibonakala zingenangozi.
Ezindaweni lapho izinhlelo zingaqalwa kabusha khona (amaseva abalulekile, ama-terminal okukhiqiza, njll.), i-malware ehlala kwimemori ingakwazi hlala usebenza amasonto noma izinyanga ngaphandle kokubonwa, ikakhulukazi uma uhamba ngokucophelela futhi unciphisa ivolumu yethrafikhi noma izenzo ezibonakalayo.
Ukulinganiselwa kokuzivikela kwendabuko
Impendulo yokuqala yabahlinzeki abaningi kulolu songo kube ukuzama khawulela noma uvimbele ngqo amathuluzi afana ne-PowerShell noma ama-Office macrosNakuba kunganciphisa amanye ama-vector, akusona isisombululo esingokoqobo noma esiphelele ezinhlanganweni eziningi.
I-PowerShell isibe yi- ingxenye ebalulekile yokuphathwa kwesistimu ye-WindowsUkuzenzakalela kwemisebenzi, ukuthunyelwa kwesofthiwe, kanye nokuphathwa kweseva. Ukuyivimba ngokuphelele kungakhubaza ukusebenza kwe-IT futhi kuphoqe ukuthi kwenziwe kabusha izinqubo eziningi zangaphakathi.
Ngaphezu kwalokho, ngokombono womhlaseli, kunezindlela eziningi zokwenza ukugwema inqubomgomo elula yokuvimbaKunezindlela zokulayisha injini ye-PowerShell kusuka kumalabhulali (dll) usebenzisa i-rundll32, ukuguqula izikripthi zibe yi-executables ngamathuluzi afana ne-PS2EXE, ukusebenzisa amakhophi aguquliwe e-PowerShell.exe, noma ngisho nokushumeka izikripthi ze-PowerShell ezithombeni ze-PNG bese uzisebenzisa ngemigqa yemiyalo efihliwe.
Kwenzeka okufanayo ngama-Office macros: Izinkampani eziningi zithembele kuzo ukuzenzakalela imibiko, izibalo, kanye nezinqubo zebhizinisi. Ukuzikhubaza emhlabeni jikelele kungaphula izinhlelo zokusebenza zangaphakathi, kuyilapho ukuthembela kuphela ekuhlaziyweni okumile kwekhodi ye-VBA kuvame ukuholela esilinganisweni esinzima sokuphatha amaphutha amahle kanye namaphutha amabi.
Ngaphezu kwalokho, ezinye izindlela ezisekelwe ku- ukutholwa-njengesevisi okusekelwe efwini Zidinga ukuxhumana okuqhubekayo futhi, ngezinye izikhathi, zisebenza ngokubambezeleka okukhulu ukuvimbela ukuqaliswa kokuqala kwe-malware. Uma isinqumo sokuvimbela senziwa imizuzwana noma imizuzu kamuva, umonakalo ungase ube usuvele wenziwe.
Ukugxila kuyashintsha: kusuka kumafayela kuya ekuziphatheni
Njengoba ifayela lingasayona into eyinhloko, izixazululo zokuzivikela zanamuhla zigxile ku qapha ukuziphatha kwezinqubo esikhundleni sokuhlola okuqukethwe amafayela. Umqondo uwukuthi, yize kunezinkulungwane zezinhlobo ze-malware, amaphethini emisebenzi enonya awahlukahlukene kakhulu.
Le ndlela incike ezinjinini ze- ukuhlaziywa kokuziphatha kanye nokufunda komshini eziqapha njalo ukuthi inqubo ngayinye yenzani: ukuthi yini eyiyalayo, yiziphi izinsiza zesistimu ezithintayo, indlela exhumana ngayo nomhlaba wangaphandle, kanye nokuthi yiziphi izinguquko ezizama ukuziletha endaweni ezungezile.
Isibonelo, inqubo yeHhovisi ingaphawulwa njengesolisayo uma ikhipha umyalo we-PowerShell ofihliwe ngemingcele yokukhubaza izinqubomgomo zokuphepha nokulanda ikhodi kusuka kusizinda esisolisayo. Noma inqubo, ngaphandle kwesizathu esibonakalayo, efinyelela ngokuzumayo amakhulu amafayela abucayi noma eguqula okhiye bokubhalisa ababalulekile.
Isizukulwane sakamuva sezinhlelo ze-EDR kanye namapulatifomu e-XDR aqoqa i-telemetry eningiliziwe yama-endpoints, amaseva kanye nenethiwekhifuthi bayakwazi ukwakha kabusha izindaba eziphelele (ngezinye izikhathi ezibizwa ngokuthi ama-StoryLines) zokuthi isigameko saqala kanjani, yiziphi izinqubo ezazihilelekile, nokuthi yiziphi izinguquko ezenzeka kumshini othintekile.
Injini yokuziphatha enhle ayigcini nje ngokubona usongo, kodwa futhi ingakwazi ukunciphisa noma ukuguqula ngokuzenzakalelayo izenzo ezinonya: bulala izinqubo ezihilelekile, uhlukanise ikhompyutha, ubuyisele amafayela abethelwe, ulungise izinguquko ku-Registry, futhi unqume ukuxhumana nezizinda zomyalo nokulawula.
Ubuchwepheshe kanye nemithombo yemicimbi ebalulekile ku-Windows
Ukuze uhlaziye izinsongo ezingenamafayela ku-Windows, kuyasiza kakhulu ukusizakala izindlela ze-telemetry zesistimu yokusebenza yomdabu, esevele ikhona futhi inikeza ulwazi oluningi ngalokho okwenzeka ngemuva kwezigcawu.
Ngakolunye uhlangothi kukhona Ukulandelela Umcimbi we-Windows (ETW)I-ETW iwuhlaka oluvumela ukuqoshwa kwemicimbi enemininingwane eminingi ehlobene nokusebenza kwenqubo, izingcingo ze-API, ukufinyelela imemori, nezinye izici zesistimu yangaphakathi. Izixazululo eziningi ze-EDR zithembele ku-ETW ukuthola ukuziphatha okungajwayelekile ngesikhathi sangempela.
Esinye isici esibalulekile I-Antimalware Scan Interface (AMSI)I-AMSI iyi-API eklanywe yi-Microsoft ukuvumela izinjini zokuphepha ukuthi zihlole izikripthi kanye nokuqukethwe okuguquguqukayo ngaphambi nje kokuba kusebenze, noma ngabe kufihliwe. I-AMSI iwusizo kakhulu nge-PowerShell, i-VBScript, i-JScript, nezinye izilimi zokubhala.
Ngaphezu kwalokho, izinjini zesimanje ziyahlaziywa njalo izindawo ezibucayi njengeRegistry, Task Scheduler, okubhaliselwe kwe-WMI, noma izinqubomgomo zokusebenzisa iskripthiIzinguquko ezisolisayo kulezi zindawo zivame ukuba uphawu lokuthi ukuhlaselwa okungenamafayela sekuqinise ukuqhubeka.
Konke lokhu kuhambisana ne-heuristics ecabangela hhayi inqubo yamanje kuphela, kodwa futhi umongo wokwenza: lapho inqubo yomzali ivela khona, yimuphi umsebenzi wenethiwekhi oye wabonwa ngaphambi nangemva kwalokho, kungakhathaliseki ukuthi kube nokwehluleka okungajwayelekile, ukuvinjelwa okungavamile noma ezinye izimpawu, ezihlanganiswe ndawonye, ezenza izikali zibe nokusola.
Amasu okuthola nokuvimbela asebenzayo
Empeleni, ukuzivikela kulezi zinsongo kuhilela ukuhlanganisa ubuchwepheshe, izinqubo kanye nokuqeqeshwaAkwanele ukufaka i-antivirus bese ukhohlwa ngayo; isu elihlanganisiwe elifanelana nokuziphatha kwangempela kwe-malware engenamafayela liyadingeka.
Ezingeni lobuchwepheshe, kubalulekile ukusabalalisa Izixazululo ze-EDR noma ze-XDR ngamakhono okuhlaziya ukuziphatha kanye nokubonakala kwezinga lenqubo. Lawa mathuluzi kumele akwazi ukurekhoda nokuhlanganisa umsebenzi ngesikhathi sangempela, ukuvimba ukuziphatha okungavamile, futhi anikeze ulwazi olucacile lwezobunhloli eqenjini lezokuphepha.
Kubuye kube lula Ukukhawulela ukusetshenziswa kwe-PowerShell, i-WMI, kanye nabanye abahumushi kulokho okudingeke kakhulu, ukusebenzisa uhlu lokulawula ukufinyelela, ukusayina iskripthi (Ukusayina Ikhodi) kanye nezinqubomgomo zokusebenzisa ezikhawulela ukuthi iyiphi ikhodi engasebenza kanye namalungelo angakanani.
Ngasohlangothini lwabasebenzisi, ukuqeqeshwa kusabalulekile: kuyadingeka ukuqinisa ukuqwashisa nge-phishing, izixhumanisi ezisolisayo, kanye namadokhumenti angalindelekileLokhu kubaluleke kakhulu phakathi kwabasebenzi abanokufinyelela kolwazi olubucayi noma amalungelo aphezulu. Ukunciphisa inani lokuchofoza ngokunganaki kunciphisa kakhulu indawo yokuhlasela.
Okokugcina, umuntu akanakuyidebesela i-patch kanye nomjikelezo wokubuyekeza isofthiweAmaketanga amaningi angenamafayela aqala ngokusebenzisa ubuthakathaka obaziwayo obukhona kakade. Ukugcina iziphequluli, ama-plugin, izinhlelo zokusebenza zebhizinisi, kanye nezinhlelo zokusebenza kusesikhathini kuvala iminyango ebalulekile kubahlaseli.
Izinsizakalo eziphethwe kanye nokuzingela izinsongo
Ezinhlanganweni eziphakathi nendawo nezinkulu, lapho inani lemicimbi likhulu khona, kunzima eqenjini langaphakathi ukubona konke. Yingakho bekhula ngokuthandwa. izinsizakalo zokuqapha nokuphatha impendulo (MDR/EMDR) kanye nezikhungo zokuphepha zangaphandle (ama-SOC).
Lezi zinsizakalo zihlanganisa ubuchwepheshe obuthuthukisiwe kanye amaqembu abahlaziyi aqapha amahora angama-24 ngosuku, izinsuku eziyi-7 ngesonto izindawo zamakhasimende abo, zihlobanisa izimpawu ezibuthakathaka ebezingeke zibonwe. Umqondo uwukuthola ukuziphatha okuvamile kwe-malware engenamafayela ngaphambi kokuba kwenzeke umonakalo.
Ama-SOC amaningi athembele kuzinhlaka ezifana I-MITER ATT&CK ukuklobha amaqhinga, amasu, kanye nezinqubo zezitha (ama-TTP) nokwakha imithetho ethile eqondiswe ekusebenzeni kwememori, ukusetshenziswa kabi kwe-LoLBins, i-WMI enonya, noma amaphethini okukhipha idatha ngokuyimfihlo.
Ngaphezu kokuqapha okuqhubekayo, lezi zinsizakalo zivame ukufaka phakathi ukuhlaziywa kwe-forensic, impendulo yezehlakalo, kanye nokubonisana ukuthuthukisa ukwakheka kwezokuphepha, ukuvala izikhala eziphindaphindayo, nokuqinisa izilawuli kuma-endpoints namaseva.
Ezinkampanini eziningi, ukunikeza abanye abantu ingxenye yalo msebenzi kuyindlela engcono kakhulu yokubhekana nezinsongo eziyinkimbinkimbi kangaka, njengoba akuwona wonke umuntu ongakwazi ukukhokhela ithimba langaphakathi eligxile ekufuneni i-malware ethuthukisiwe.
Iqiniso liwukuthi i-malware engenamafayela isishintshe unomphela indlela esiqonda ngayo ukuphepha kwe-endpoint: Amafayela awaseyona inkomba yokhiye kuphelaFuthi inhlanganisela yokubona okujulile, ukuhlaziywa kokuziphatha, imikhuba emihle yokuphatha, kanye nesiko lokuphepha kwe-inthanethi elandisiwe kuphela elingakuvimbela nsuku zonke.
