<p><strong>ATTACK TOOL UPDATE IMPAIRS WINDOWS COMPUTERS</strong></p>

<p>Published 10 September 2024 (last modified 24 March 2025) at https://vacif.com/en/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows/, a republication of the Sophos X-Ops article linked below.</p>

<figure class="wp-block-image size-full"><img decoding="async" src="http://aws.vacif.com/wp-content/uploads/sites/3/2024/09/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows.png" alt="" class="wp-image-20320"/></figure>

<p>An EDR killer that Sophos X-Ops has tracked for three years continues to be used against organizations targeted by ransomware gangs.</p>

<p>Written by <a href="https://news.sophos.com/en-us/author/andreas-klopsch/">Andreas Klopsch</a></p>

<p><a href="https://news.sophos.com/en-us/2024/08/27/burnt-cigar-2/"><strong>August 27, 2024</strong></a></p>

<p>In 2022 and 2023, Sophos X-Ops published research on <a href="https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/">a toolkit that sabotages the functionality of endpoint protection software</a>, which was being developed and used in conjunction with several major ransomware gangs. Mandiant had previously named the tool Poortry and its loader Stonestop.</p>

<p>Poortry's creators managed to get custom, purpose-built kernel-level drivers through Microsoft's attestation signing process. After we published our research, and after Microsoft closed the loophole that allowed those drivers to be signed, the tool's creators did not simply stop. They kept adding features and functionality to the Poortry driver in a continuing effort to evade detection and to find new ways of disabling endpoint protection and EDR software.</p>

<p>To explain the new features in Poortry, let us look at how the driver interacts with the operating system and how the developers of this EDR killer have evolved their tool over time.</p>

<p><strong>How a Windows driver can sabotage protection</strong></p>

<p>Most EDR killers rely on a device driver being loaded into the operating system kernel, which gives them access to the kinds of low-level functionality that can unhook and terminate many different types of protection software.</p>

<p>Because Windows supports a vast range of peripherals and attached components, kernel-mode drivers are granted broad access to this low-level functionality. Under normal circumstances such drivers do not interact with software or hardware from other companies or manufacturers, but nothing enforces that behaviour. 
As a result, if a legitimately signed driver does not properly validate the processes that interact with it, an EDR killer can abuse some of its features to strip protections away.</p>

<p>Microsoft has developed several ways for its operating system to control whether a driver gets loaded, such as the Driver Signature Enforcement mechanism: a driver must be digitally signed by a software publisher Microsoft trusts before it can be loaded.</p>

<p>EDR killer developers exploit a gap in this trust model. They can use an abusable driver that a legitimate software company once released, or they can sign their own driver with a legitimate code-signing certificate (and there are many ways to obtain a stolen or leaked one).</p>

<p>Broadly, there are three ways in which EDR killer developers abuse code signing:</p>

<p><strong>Abusing leaked certificates</strong></p>

<p>This is the most straightforward approach: find a leaked, stolen or compromised code-signing certificate belonging to a legitimate company and use it to sign your driver (or trick a root certificate authority into issuing you one).</p>

<p>For all Windows releases from Windows 10 version 1607 onwards, Microsoft requires third-party developers of kernel-mode drivers to submit their drivers to the Microsoft developer portal so that Microsoft can sign them. Cross-signed drivers that were not signed by Microsoft are still allowed to load, however, if one of the following holds:</p>

<ul class="wp-block-list">
<li>The PC was upgraded to Windows 10 version 1607 from an earlier release of Windows</li>
<li>Secure Boot is turned off in the system BIOS</li>
<li>The driver was signed with an end-entity certificate issued before 29 July 2015 that chains to a supported cross-signed CA</li>
</ul>

<p>Although this change mitigated the risk from drivers cross-signed with stolen certificates, the third exception is what makes the second method possible.</p>

<p><strong>Forging signature timestamps</strong></p>

<p>To stay compatible with older drivers, Windows loads drivers signed with an "end-entity certificate issued before 29 July 2015 that chains to a supported cross-signed CA".</p>

<p>For signing kernel drivers, Microsoft gives software publishers a tool called <a href="https://learn.microsoft.com/en-us/dotnet/framework/tools/signtool-exe">signtool.exe</a>. Besides signing the supplied file, signtool also checks that the supplied certificate is still valid. One way of ensuring this is to use the function</p>

<p>Through a series of hooks on these low-level API calls inside the operating system, attackers can alter the signing process and bypass those checks in order to sign their own kernel drivers. One of the functions hooked in this technique is <a href="https://learn.microsoft.com/en-us/windows/win32/api/sysinfoapi/nf-sysinfoapi-getlocaltime">GetLocalTime</a>, which is made to return a forged timestamp so that the checks in signtool.exe pass.</p>

<p><strong>Bypassing Microsoft's attestation signing</strong></p>

<p>The final method is to go through Microsoft's attestation signing process and obtain a kernel driver signed directly by Microsoft. 
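</p>

<p>The leaked-certificate and timestamp-forging methods above leave traces on the signed file that can be checked during triage. The following Python is an added example, not Sophos tooling or code from the original article. It flags three things: an end-entity certificate issued before 29 July 2015 (the legacy cross-signing window), a PE link time later than the certificate's expiry (a driver is signed after it is built and must be signed inside the certificate's validity period, so a build date after expiry means the clock signtool saw was not the real one), and signer names this page reports on Poortry drivers. The <code>SignedDriver</code> records, their dates and paths are constructed for the example; in practice the fields would be read from the file's Authenticode certificate and from <code>IMAGE_FILE_HEADER.TimeDateStamp</code>.</p>

```python
"""Plausibility checks on a signed kernel driver's certificate.

Added example, not Sophos tooling. It turns two facts from the text above
into checks:
  * Windows still loads a cross-signed driver whose end-entity certificate was
    issued before 29 July 2015 (the legacy exception).
  * signtool.exe checks certificate validity against the local clock, so a
    hooked GetLocalTime lets an expired certificate sign a fresh binary.
A forged clock leaves a trace: the PE link time (IMAGE_FILE_HEADER.TimeDateStamp)
ends up later than the certificate's NotAfter, which cannot happen honestly.
Records, dates and paths below are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

LEGACY_CROSS_SIGN_CUTOFF = datetime(2015, 7, 29, tzinfo=timezone.utc)

# Signer names this page reports on Poortry drivers; a real deployment would
# load these from threat intel rather than hard-code them.
ABUSED_SIGNERS = {"bopsoft", "evangel technology (hk) limited", "fei xiao"}


@dataclass(frozen=True)
class SignedDriver:
    path: str
    signer: str                  # subject CN of the end-entity certificate
    cert_not_before: datetime
    cert_not_after: datetime
    pe_timestamp: datetime       # IMAGE_FILE_HEADER.TimeDateStamp as UTC


def signing_indicators(d: SignedDriver) -> list[str]:
    """Suspicious indicators for one driver; an empty list means nothing odd."""
    indicators = []
    if d.cert_not_before < LEGACY_CROSS_SIGN_CUTOFF:
        # Exactly the certificates that timestamp forging turns into usable
        # signing keys: long expired, but still loaded under the legacy exception.
        indicators.append("legacy-cross-sign-window")
    if d.pe_timestamp > d.cert_not_after:
        # Built after the signing certificate expired: the clock signtool saw
        # was not the real one. Caveat: TimeDateStamp is attacker-controlled
        # too (and reproducible builds replace it), so treat this as a hint.
        indicators.append("built-after-cert-expiry")
    if d.signer.casefold() in ABUSED_SIGNERS:
        indicators.append("signer-on-watchlist")
    return indicators


def triage(drivers: list[SignedDriver]) -> dict[str, list[str]]:
    """Map each driver path to its indicators, dropping clean drivers."""
    return {d.path: ind for d in drivers if (ind := signing_indicators(d))}


def _utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


# Constructed sample set; the dates are placeholders, not real certificate data.
SAMPLES = [
    SignedDriver(r"C:\Users\victim\AppData\Local\Temp\usnnr.sys", "FEI XIAO",
                 _utc(2013, 1, 10), _utc(2014, 1, 10), _utc(2024, 6, 30)),
    SignedDriver(r"C:\Windows\System32\drivers\vendor.sys", "Example Vendor Ltd",
                 _utc(2022, 3, 1), _utc(2025, 3, 1), _utc(2023, 5, 5)),
    SignedDriver(r"C:\Users\Public\drv.sys", "bopsoft",
                 _utc(2019, 4, 2), _utc(2022, 4, 2), _utc(2021, 8, 8)),
]

if __name__ == "__main__":
    for path, indicators in triage(SAMPLES).items():
        print(path, "->", ", ".join(indicators))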
This is probably the hardest method to pull off, but it also yields a strong WHQL signature issued by Microsoft itself, about as close to the holy grail of digital signatures as it gets.</p>

<p>To abuse this method, an attacker needs:</p>

<ul class="wp-block-list">
<li>A valid EV certificate</li>
<li>Access to the Microsoft developer portal</li>
</ul>

<p>With those requirements met, they can prepare a CAB file containing the driver information, sign it with the EV certificate and submit it to the portal.</p>

<figure class="wp-block-image size-full"><img decoding="async" src="http://aws.vacif.com/wp-content/uploads/sites/3/2024/09/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-1.png" alt=""/></figure>

<p>After submission, the driver goes through a number of checks meant to ensure that it is not malicious. If the driver passes these checks, it comes back carrying the "Microsoft Windows Hardware Compatibility Publisher" signature.</p>

<figure class="wp-block-image size-full"><img decoding="async" src="http://aws.vacif.com/wp-content/uploads/sites/3/2024/09/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-2.png" alt=""/></figure>

<p>One of the WHQL-signed drivers from the 2022-2023 attacks</p>

<p><strong>Poortry &amp; Stonestop: a significant threat since 2022</strong></p>

<p>Poortry (sometimes called BurntCigar) is a malicious kernel driver used together with a loader that Mandiant, who first reported the tool's existence, named Stonestop. The driver bypasses Driver Signature Enforcement using any of the three techniques described above. Both components are heavily obfuscated with commercial or open-source packers such as VMProtect, Themida or ASMGuard.</p>

<p>From late 2022 to mid-2023, Poortry variants carried Microsoft WHQL signatures. Thanks to collaboration between Sophos X-Ops and Microsoft, however, most of these attestation-signed samples were identified, and Microsoft disabled the accounts that had been abused to sign those drivers.</p>

<p>Poortry's creators were not discouraged; instead, they switched to forging signature timestamps or to obtaining a valid leaked certificate.</p>

<p>Over the past year we have been able to link the use of Poortry to attacks involving at least five major ransomware groups:</p>

<ul class="wp-block-list">
<li>CUBA</li>
<li>BlackCat</li>
<li>Medusa</li>
<li>LockBit</li>
<li>RansomHub</li>
</ul>

<p>Since 2023 we have continuously observed attackers using Poortry in attacks. One characteristic noted in our earlier research is that Poortry's creators frequently change their packer, producing a stream of slightly modified variants built from the same original. In our research we found many different WHQL-signed variants, packed with a variety of commercial and non-commercial packers.</p>

<p>With that avenue closed, Poortry's creators now deploy drivers signed with a range of non-Microsoft certificates.</p>

<p>The figure below shows a timeline of the signer names observed on Poortry payload drivers over a 15-month period.</p>

<figure class="wp-block-image size-full"><img decoding="async" src="http://aws.vacif.com/wp-content/uploads/sites/3/2024/09/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-3.png" alt=""/></figure>

<p>It is worth noting that some of our observations come from incident response engagements and others from telemetry. One thing we can be sure of is that the total number and variety of certificates is larger than what we can determine from observation alone.</p>

<p><strong>Playing certificate roulette</strong></p>

<p>Over time, Sophos has observed a threat actor deploying Poortry variants on different machines within a single environment during one attack. These variants contained the same payload but were signed with a different certificate than the first driver used in the attack. In August 2023, during a Sophos X-Ops investigation, we found that the attackers had obtained initial access through a remote-access tool called SplashTop. As soon as the attackers were inside the network, they deployed Poortry and Stonestop. 
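</p>

<p>The signer switching this section describes, the same payload reappearing under a different certificate seconds after the first one is blocked, is visible in driver-load telemetry without any file analysis. The following Python is an added example, not Sophos detection logic or code from the original article: it groups driver-load events per host and raises an alert when a blocked load is followed, within a time window, by a driver whose signer differs from the blocked one. The pipe-separated <code>time|host|image|signer|action</code> layout and the sample events are constructed for this example rather than taken from any product's schema; host names, paths and times are placeholders, and only the signer names are the ones this page reports.</p>

```python
"""Spot 'certificate roulette': a blocked driver load followed within seconds by
a driver under a different signer on the same host.

Added example, not Sophos detection logic. The log layout
(time|host|image|signer|action) and the sample events are constructed for
this example; host names, paths and times are placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class DriverEvent:
    time: datetime
    host: str
    image: str
    signer: str
    action: str                      # "blocked" or "loaded"


def parse_event(line: str) -> DriverEvent:
    """Parse one pipe-separated log line; timestamps are ISO-8601."""
    ts, host, image, signer, action = (f.strip() for f in line.split("|"))
    return DriverEvent(datetime.fromisoformat(ts), host, image, signer, action)


def rotation_alerts(events, window=timedelta(seconds=60)):
    """Return (host, blocked, follow_up) for every blocked driver load that is
    followed within `window` by a driver carrying a different signer.
    The follow-up may itself be blocked; the rotation is the signal."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e.host].append(e)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.time)
        for i, blocked in enumerate(evs):
            if blocked.action != "blocked":
                continue
            for later in evs[i + 1:]:
                if later.time - blocked.time > window:
                    break                # sorted, so nothing closer follows
                if later.signer.casefold() != blocked.signer.casefold():
                    alerts.append((host, blocked, later))
                    break                # one alert per blocked load
    return alerts


def alerts_from_log(text: str, window=timedelta(seconds=60)):
    """Parse a whole log and run the rotation check over it."""
    events = [parse_event(line) for line in text.splitlines() if line.strip()]
    return rotation_alerts(events, window)


# Constructed sample: one host shows the rotation described on this page
# (blocked "bopsoft" driver, different signer within 30 seconds); the other
# only shows repeated attempts under the same certificate, minutes apart.
SAMPLE_LOG = r"""
2024-01-01T10:02:11 | SRV-FILE01 | C:\Windows\Temp\a.sys | bopsoft | blocked
2024-01-01T10:02:39 | SRV-FILE01 | C:\Windows\Temp\b.sys | Evangel Technology (HK) Limited | loaded
2024-01-01T10:15:00 | WS-0042    | C:\Windows\System32\drivers\vendor.sys | Example Vendor Ltd | loaded
2024-01-01T10:20:00 | WS-0042    | C:\Windows\Temp\c.sys | bopsoft | blocked
2024-01-01T10:25:30 | WS-0042    | C:\Windows\Temp\d.sys | bopsoft | blocked
"""

if __name__ == "__main__":
    for host, blocked, later in alerts_from_log(SAMPLE_LOG):
        gap = (later.time - blocked.time).total_seconds()
        print(f"{host}: '{blocked.signer}' blocked, "
              f"'{later.signer}' {later.action} {gap:.0f}s later")
```

<p>The 60-second window is deliberately wider than the 30 seconds observed, since an operator retrying by hand may be slower; the check keys on the signer changing rather than on any particular certificate, so it keeps working when the next leaked certificate is one nobody has listed yet. The follow-up load does not need to have succeeded: a second blocked attempt under a new signer is still an operator cycling through certificates.</p>

<p>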
Nh\u01b0ng t\u00ean ng\u01b0\u1eddi k\u00fd, &#8220;bopsoft&#8221;, \u0111\u00e3 \u0111\u01b0\u1ee3c bi\u1ebft \u0111\u1ebfn l\u00e0 m\u1ed9t ch\u1ee9ng ch\u1ec9 b\u1ecb \u0111\u00e1nh c\u1eafp v\u00e0 \u0111\u00e3 b\u1ecb ch\u1eb7n b\u1eb1ng m\u1ed9t quy t\u1eafc h\u00e0nh vi.<\/p>\n\n\n\n<p>Trong v\u00f2ng 30 gi\u00e2y sau l\u1ea7n th\u1eed cu\u1ed1i c\u00f9ng s\u1eed d\u1ee5ng m\u00e3 c\u00f3 ch\u1eef k\u00fd c\u1ee7a \u201cBopsoft\u201d, nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng \u0111\u00e3 t\u1ea3i m\u1ed9t tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n Poortry kh\u00e1c, l\u1ea7n n\u00e0y \u0111\u01b0\u1ee3c k\u00fd b\u1edfi \u201cEvangel Technology (HK) Limited\u201d. M\u00e1y ch\u1ee7 \u0111\u00e3 nhanh ch\u00f3ng b\u1ecb c\u00f4 l\u1eadp v\u00e0 cu\u1ed9c t\u1ea5n c\u00f4ng \u0111\u00e3 b\u1ecb ng\u0103n ch\u1eb7n.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-4.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><strong>Chuy\u1ec3n \u0111\u1ed5i t\u1eeb EDR killer sang EDR wiper<\/strong><\/p>\n\n\n\n<p>V\u00e0o th\u00e1ng 7 n\u0103m 2024, khi tham gia v\u00e0o m\u1ed9t s\u1ef1 c\u1ed1 m\u00e0 k\u1ebb th\u00f9 c\u1ed1 g\u1eafng tri\u1ec3n khai ransomware RansomHub, Sophos CryptoGuard \u0111\u00e3 ng\u0103n ch\u1eb7n n\u1ed7 l\u1ef1c m\u00e3 h\u00f3a d\u1eef li\u1ec7u khi c\u00e1c nh\u00e0 ph\u00e2n t\u00edch \u0111\u00f3ng c\u00e1c \u0111i\u1ec3m truy c\u1eadp c\u1ee7a k\u1ebb t\u1ea5n c\u00f4ng. 
M\u1ed9t ph\u00e2n t\u00edch sau s\u1ef1 c\u1ed1 cho th\u1ea5y hai t\u1ec7p th\u1ef1c thi b\u1ed5 sung \u0111\u00e3 \u0111\u01b0\u1ee3c th\u1ea3 v\u00e0o nhi\u1ec1u m\u00e1y tr\u01b0\u1edbc cu\u1ed9c t\u1ea5n c\u00f4ng ransomware cu\u1ed1i c\u00f9ng:<\/p>\n\n\n\n<p>&lt;d&gt;\\Users\\&lt;u&gt;\\desktop\\c7iy3d.exe<\/p>\n\n\n\n<p>&lt;d&gt;\\Users\\&lt;u&gt;\\appdata\\local\\temp\\usnnr.sys<\/p>\n\n\n\n<p>Th\u00f4ng qua s\u1ef1 k\u1ebft h\u1ee3p c\u1ee7a ph\u00e2n t\u00edch t\u0129nh v\u00e0 \u0111\u1ed9ng, ch\u00fang t\u00f4i x\u00e1c \u0111\u1ecbnh c\u00e1c t\u1ec7p l\u00e0 Poortry v\u00e0 Stonestop. Trong s\u1ed1 nh\u1eefng \u0111i\u1ec3m kh\u00e1c bi\u1ec7t m\u00e0 ch\u00fang t\u00f4i quan s\u00e1t \u0111\u01b0\u1ee3c gi\u1eefa phi\u00ean b\u1ea3n tr\u01b0\u1edbc v\u00e0 phi\u00ean b\u1ea3n n\u00e0y, Poortry hi\u1ec7n c\u0169ng c\u00f3 th\u1ec3 x\u00f3a ho\u00e0n to\u00e0n c\u00e1c th\u00e0nh ph\u1ea7n EDR quan tr\u1ecdng, thay v\u00ec ch\u1ec9 ch\u1ea5m d\u1ee9t c\u00e1c quy tr\u00ecnh c\u1ee7a ch\u00fang.<\/p>\n\n\n\n<p>Trend Micro&nbsp;<a href=\"https:\/\/www.trendmicro.com\/de_de\/research\/23\/e\/blackcat-ransomware-deploys-new-signed-kernel-driver.html\">\u0111\u00e3 b\u00e1o c\u00e1o<\/a>&nbsp;v\u00e0o n\u0103m 2023 r\u1eb1ng Poortry \u0111\u00e3 ph\u00e1t tri\u1ec3n kh\u1ea3 n\u0103ng x\u00f3a t\u1ec7p kh\u1ecfi \u1ed5 \u0111\u0129a, nh\u01b0ng \u0111\u00e2y l\u00e0 l\u1ea7n \u0111\u1ea7u ti\u00ean ch\u00fang t\u00f4i quan s\u00e1t th\u1ea5y t\u00ednh n\u0103ng n\u00e0y \u0111\u01b0\u1ee3c s\u1eed d\u1ee5ng trong m\u1ed9t cu\u1ed9c t\u1ea5n c\u00f4ng.<\/p>\n\n\n\n<p><strong>Nh\u00ecn k\u1ef9 h\u01a1n v\u00e0o c\u00e1c bi\u1ebfn th\u1ec3 m\u1edbi nh\u1ea5t<\/strong><\/p>\n\n\n\n<p>C\u1ea3 t\u1ec7p th\u1ef1c thi Stonestop v\u00e0 tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n Poortry \u0111\u1ec1u \u0111\u01b0\u1ee3c \u0111\u00f3ng g\u00f3i v\u00e0 l\u00e0m t\u1ed1i ngh\u0129a. 
Tr\u00ecnh t\u1ea3i n\u00e0y \u0111\u01b0\u1ee3c l\u00e0m t\u1ed1i ngh\u0129a b\u1edfi tr\u00ecnh \u0111\u00f3ng g\u00f3i ngu\u1ed3n \u0111\u00f3ng c\u00f3 t\u00ean l\u00e0 ASMGuard, c\u00f3 tr\u00ean Github.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-5.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n \u0111\u01b0\u1ee3c k\u00fd b\u1eb1ng ch\u1ee9ng ch\u1ec9 mang t\u00ean ng\u01b0\u1eddi k\u00fd \u201cFEI XIAO.\u201d Sophos X-Ops r\u1ea5t t\u1ef1 tin r\u1eb1ng d\u1ea5u th\u1eddi gian ch\u1eef k\u00fd \u0111\u00e3 \u0111\u01b0\u1ee3c l\u00e0m gi\u1ea3 \u0111\u1ec3 k\u00fd tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n. \u0110\u00e1ng ch\u00fa \u00fd, n\u00f3 c\u1ed1 g\u1eafng ng\u1ee5y trang b\u1eb1ng c\u00e1ch s\u1eed d\u1ee5ng c\u00f9ng th\u00f4ng tin trong b\u1ea3ng thu\u1ed9c t\u00ednh c\u1ee7a n\u00f3 nh\u01b0 m\u1ed9t tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n (idmtdi.sys) cho m\u1ed9t ph\u1ea7n m\u1ec1m c\u00f3 s\u1eb5n tr\u00ean th\u1ecb tr\u01b0\u1eddng,&nbsp;<a href=\"https:\/\/www.tonec.com\/products\/idm\/index.html\">Internet Download Manager c\u1ee7a Tonec Inc.<\/a>&nbsp;Nh\u01b0ng \u0111\u00f3 kh\u00f4ng ph\u1ea3i l\u00e0 tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n c\u1ee7a g\u00f3i ph\u1ea7n m\u1ec1m n\u00e0y \u2013 nh\u1eefng k\u1ebb t\u1ea5n c\u00f4ng ch\u1ec9 sao ch\u00e9p th\u00f4ng tin t\u1eeb n\u00f3.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-6.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Phi\u1ebfu thu\u1ed9c t\u00ednh tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n PoorTry c\u00f3 ng\u00e0y hi\u1ec7u l\u1ef1c tr\u01b0\u1edbc khi n\u00f3 \u0111\u01b0\u1ee3c t\u1ea1o ra h\u01a1n m\u1ed9t th\u1eadp k\u1ef7<\/p>\n\n\n\n<p>\u0110\u1ec3 
gi\u1ea3i th\u00edch r\u00f5 h\u01a1n, ch\u00fang t\u00f4i chia lu\u1ed3ng th\u1ef1c hi\u1ec7n th\u00e0nh ba giai \u0111o\u1ea1n ri\u00eang bi\u1ec7t.<\/p>\n\n\n\n<p><strong>Giai \u0111o\u1ea1n kh\u1edfi t\u1ea1o<\/strong><\/p>\n\n\n\n<p>Trong c\u00e1c s\u1ef1 c\u1ed1 m\u00e0 ch\u00fang t\u00f4i theo d\u00f5i, t\u00e1c nh\u00e2n \u0111e d\u1ecda th\u1ea3 Poortry v\u00e0 Stonestop c\u00f9ng nhau v\u00e0o c\u00f9ng m\u1ed9t th\u01b0 m\u1ee5c. Khi th\u1ef1c thi, Stonestop s\u1ebd ki\u1ec3m tra tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n t\u01b0\u01a1ng \u1ee9ng trong th\u01b0 m\u1ee5c hi\u1ec7n t\u1ea1i.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-7.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Th\u00f4ng b\u00e1o l\u1ed7i hi\u1ec3n th\u1ecb khi tr\u00ecnh t\u1ea3i kh\u00f4ng k\u1ebft n\u1ed1i \u0111\u01b0\u1ee3c v\u1edbi tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n h\u1ea1t nh\u00e2n.<\/p>\n\n\n\n<p>T\u00ean t\u1ec7p v\u00e0 t\u00ean thi\u1ebft b\u1ecb c\u1ee7a tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n \u0111\u1ec1u \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a c\u1ee9ng v\u00e0o tr\u00ecnh t\u1ea3i. Khi b\u1eaft \u0111\u1ea7u, tr\u00ecnh t\u1ea3i s\u1ebd l\u1ea5y x\u1eed l\u00fd c\u1ee7a tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n h\u1ea1t nh\u00e2n \u0111\u1ed9c h\u1ea1i v\u00e0 b\u1eaft \u0111\u1ea7u b\u1eaft tay b\u1eb1ng c\u00e1ch g\u1eedi chu\u1ed7i \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a c\u1ee9ng \u0111\u1ebfn tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n th\u00f4ng qua l\u1ec7nh g\u1ecdi API&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/win32\/api\/ioapiset\/nf-ioapiset-deviceiocontrol\">DeviceIoControl<\/a>&nbsp;.<\/p>\n\n\n\n<p>Nh\u00ecn chung, giao ti\u1ebfp gi\u1eefa c\u00e1c th\u00e0nh ph\u1ea7n di\u1ec5n ra th\u00f4ng qua API DeviceIoControl n\u00e0y. 
M\u1ed7i t\u00ednh n\u0103ng do th\u00e0nh ph\u1ea7n ch\u1ebf \u0111\u1ed9 h\u1ea1t nh\u00e2n cung c\u1ea5p \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t b\u1eb1ng c\u00e1ch g\u1eedi m\u1ed9t m\u00e3 IOCTL kh\u00e1c nhau. C\u00e1c bi\u1ebfn th\u1ec3 tr\u01b0\u1edbc \u0111\u00f3 giao ti\u1ebfp th\u00f4ng qua tr\u00ecnh x\u1eed l\u00fd IRP_MJ_DEVICE_CONTROL. Bi\u1ebfn th\u1ec3 hi\u1ec7n t\u1ea1i s\u1eed d\u1ee5ng tr\u00ecnh x\u1eed l\u00fd IRP_MJ_MAXIMUM_FUNCTION \u0111\u1ec3 nh\u1eadn c\u00e1c g\u00f3i y\u00eau c\u1ea7u I\/O.<\/p>\n\n\n\n<p>\u0110i\u1ec1u \u0111\u00e1ng n\u00f3i l\u00e0 c\u00e1c \u00e1nh x\u1ea1 t\u1eeb m\u00e3 IOCTL sang t\u00ednh n\u0103ng \u0111\u00e3 thay \u0111\u1ed5i k\u1ec3 t\u1eeb l\u1ea7n ph\u00e2n t\u00edch cu\u1ed1i c\u00f9ng c\u1ee7a ch\u00fang t\u00f4i. V\u00ed d\u1ee5, l\u1ec7nh \u0111\u1ec3 h\u1ee7y m\u1ed9t quy tr\u00ecnh c\u1ee5 th\u1ec3 theo ID quy tr\u00ecnh \u0111\u01b0\u1ee3c k\u00edch ho\u1ea1t b\u1eb1ng c\u00e1ch g\u1eedi g\u00f3i y\u00eau c\u1ea7u I\/O c\u00f3 m\u00e3 0x222094. M\u1eabu m\u1edbi nh\u1ea5t \u00e1nh x\u1ea1 m\u00e3 IOCTL 0x222144 sang c\u00f9ng ch\u1ee9c n\u0103ng.<\/p>\n\n\n\n<p>K\u1ec3 t\u1eeb b\u00e1o c\u00e1o n\u0103m 2023 c\u1ee7a Trend Micro, c\u00e1c nh\u00e0 ph\u00e1t tri\u1ec3n c\u1ee7a Poortry \u0111\u00e3 t\u0103ng s\u1ed1 l\u01b0\u1ee3ng m\u00e3 IOCTL c\u00f3 th\u1ec3 nh\u1eadn \u0111\u01b0\u1ee3c t\u1eeb 10 l\u00ean 22. Ch\u00fang t\u00f4i v\u1eabn \u0111ang ti\u1ebfp t\u1ee5c ph\u00e2n t\u00edch t\u1ea5t c\u1ea3 c\u00e1c t\u00ednh n\u0103ng kh\u1ea3 d\u1ee5ng.<\/p>\n\n\n\n<p>Gi\u1ed1ng nh\u01b0 c\u00e1c phi\u00ean b\u1ea3n tr\u01b0\u1edbc, b\u1eaft tay \u0111\u01b0\u1ee3c kh\u1edfi t\u1ea1o b\u1eb1ng c\u00e1ch g\u1eedi m\u1ed9t chu\u1ed7i \u0111\u01b0\u1ee3c m\u00e3 h\u00f3a c\u1ee9ng \u0111\u1ebfn tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n. 
Khi gi\u00e1 tr\u1ecb b\u1eaft tay \u0111\u01b0\u1ee3c ch\u1ea5p nh\u1eadn, n\u00f3 s\u1ebd \u0111\u1eb7t m\u1ed9t c\u1edd trong nh\u1ecb ph\u00e2n cho ph\u00e9p c\u00e1c ch\u1ee9c n\u0103ng c\u1ee7a tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n \u0111\u1ed9c h\u1ea1i.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"http:\/\/aws.vacif.com\/wp-content\/uploads\/sites\/3\/2024\/09\/ban-cap-nhat-cong-cu-tan-cong-lam-suy-yeu-may-tinh-windows-8.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><strong>Giai \u0111o\u1ea1n suy y\u1ebfu<\/strong><\/p>\n\n\n\n<p>Giai \u0111o\u1ea1n th\u1ee9 hai t\u1eadp trung v\u00e0o vi\u1ec7c v\u00f4 hi\u1ec7u h\u00f3a c\u00e1c s\u1ea3n ph\u1ea9m EDR th\u00f4ng qua m\u1ed9t lo\u1ea1t c\u00e1c k\u1ef9 thu\u1eadt kh\u00e1c nhau, ch\u1eb3ng h\u1ea1n nh\u01b0 x\u00f3a ho\u1eb7c s\u1eeda \u0111\u1ed5i c\u00e1c ch\u01b0\u01a1ng tr\u00ecnh th\u00f4ng b\u00e1o c\u1ee7a h\u1ea1t nh\u00e2n.<\/p>\n\n\n\n<p>Tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n b\u1ea3o m\u1eadt s\u1eed d\u1ee5ng m\u1ed9t s\u1ed1 t\u00ednh n\u0103ng kh\u00e1c nhau do H\u0110H Windows cung c\u1ea5p \u0111\u1ec3 \u0111\u0103ng k\u00fd l\u1ec7nh g\u1ecdi l\u1ea1i khi c\u00e1c s\u1ef1 ki\u1ec7n c\u1ee5 th\u1ec3 tr\u00ean h\u1ec7 th\u1ed1ng Windows x\u1ea3y ra. M\u1ed9t v\u00ed d\u1ee5 l\u00e0 h\u00e0m&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/ntddk\/nf-ntddk-pssetcreateprocessnotifyroutine\">PsSetCreateProcessNotifyRoutine<\/a>&nbsp;, h\u00e0m n\u00e0y th\u00eam m\u1ed9t tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n cung c\u1ea5p l\u1ec7nh g\u1ecdi l\u1ea1i khi m\u1ed9t quy tr\u00ecnh m\u1edbi \u0111\u01b0\u1ee3c t\u1ea1o.<\/p>\n\n\n\n<p>Vi\u1ec7c lo\u1ea1i b\u1ecf c\u00e1c th\u00f3i quen g\u1ecdi l\u1ea1i n\u00e0y th\u01b0\u1eddng l\u00e0 b\u01b0\u1edbc quan tr\u1ecdng \u0111\u1ec3 khi\u1ebfn c\u00e1c s\u1ea3n ph\u1ea9m EDR tr\u1edf n\u00ean v\u00f4 d\u1ee5ng. 
V\u00e0o n\u0103m 2022, ch\u00fang t\u00f4i c\u0169ng \u0111\u00e3 vi\u1ebft v\u1ec1 m\u1ed9t&nbsp;<a href=\"https:\/\/news.sophos.com\/en-us\/2022\/10\/04\/blackbyte-ransomware-returns\/\">tr\u01b0\u1eddng h\u1ee3p t\u01b0\u01a1ng t\u1ef1<\/a>&nbsp;khi ransomware BlackByte l\u1ea1m d\u1ee5ng tr\u00ecnh \u0111i\u1ec1u khi\u1ec3n d\u1ec5 b\u1ecb t\u1ea5n c\u00f4ng h\u1ee3p l\u1ec7 \u0111\u1ec3 lo\u1ea1i b\u1ecf c\u00e1c th\u00f3i quen th\u00f4ng b\u00e1o h\u1ea1t nh\u00e2n quan tr\u1ecdng.<\/p>\n\n\n\n<p>Trong giai \u0111o\u1ea1n th\u1ee9 hai, ch\u00fang t\u00f4i quan s\u00e1t th\u1ea5y t\u1ed5ng c\u1ed9ng b\u1ea3y m\u00e3 IOCTL ri\u00eang bi\u1ec7t \u0111\u01b0\u1ee3c g\u1eedi \u0111\u1ebfn th\u00e0nh ph\u1ea7n ch\u1ebf \u0111\u1ed9 h\u1ea1t nh\u00e2n. Ch\u1ec9 c\u00f3 ch\u1ee9c n\u0103ng \u0111\u01b0\u1ee3c \u00e1nh x\u1ea1 t\u1edbi 0x222400 \u0111\u01b0\u1ee3c th\u1ef1c thi. C\u00e1c t\u00ednh n\u0103ng kh\u00e1c \u0111\u00e3 tho\u00e1t s\u1edbm do c\u00e1c c\u1edd c\u1ee5 th\u1ec3 \u0111\u01b0\u1ee3c \u0111\u1eb7t trong nh\u1ecb ph\u00e2n. 
We suspect that the functions that were not activated are experimental, are activated only on specific types of systems, or are simply disabled.<\/p>\n\n\n\n<p>The IOCTL codes and the behavior mapped to each of them are as follows:<\/p>\n\n\n\n<p><strong>0x2220C0 (Disabled)<\/strong><\/p>\n\n\n\n<p>When received, Poortry enters an additional initialization routine that retrieves the addresses of various important structures and functions.<\/p>\n\n\n\n<p><strong>0x222100 (Disabled)<\/strong><\/p>\n\n\n\n<p>When received, Poortry attempts to disable or enable kernel callbacks by modifying the PspNotifyEnableMask flag. This is a common trick used by rootkits to enable or disable kernel callbacks,&nbsp;<a href=\"https:\/\/overlayhack.com\/edr-bypass-evasion\">as explained in this article<\/a>.<\/p>\n\n\n\n<p><strong>0x222104 (Disabled)<\/strong><\/p>\n\n\n\n<p>When this IOCTL code is received, Poortry modifies the kernel callbacks of the PsProcess, PsThread and ExDesktopObj object types. These are kernel-mode data structures that represent specific objects in the Windows kernel. 
As the name suggests, the PsProcess object type represents a process object. These object types also contain a variable pointing to the callbacks registered for the corresponding object.<\/p>\n\n\n\n<p>Because this feature is disabled, we are not certain how the adversary intends to modify these callback lists. One plausible scenario is disabling them completely by pointing the callbacks at a custom function that has no functionality and simply returns immediately.<\/p>\n\n\n\n<p><strong>0x222108 (Disabled)<\/strong><\/p>\n\n\n\n<p>When received, Poortry modifies the CmpCallbackCount variable to enable or disable kernel registry callbacks. This variable is used to count the number of registered callbacks. 
We suspect that if this value is patched to 0, the callbacks become useless.<\/p>\n\n\n\n<p><strong>0x22210C (Disabled)<\/strong><\/p>\n\n\n\n<p>When received, Poortry attempts to remove the fltMgr.sys driver from the \\\\FileSystem\\\\FastFat and \\\\FileSystem\\\\Ntfs devices using the IoDetachDevice function. This function is normally used by legitimate drivers for cleanup during shutdown. A rootkit, however, can use it to prevent targeted drivers from receiving any further I\/O requests.<\/p>\n\n\n\n<p>fltMgr.sys is the filter manager on Windows. This driver is used to extend or modify the behavior of existing functionality on a Windows system. 
This driver is also commonly used by EDR products.<\/p>\n\n\n\n<p>We suspect that detaching it via IoDetachDevice renders the installed filters useless on the targeted system.<\/p>\n\n\n\n<p><strong>0x2221C0 (Disabled)<\/strong><\/p>\n\n\n\n<p>When received, Poortry enters subroutines that retrieve the addresses of the main function handlers of ClassPnp.sys and ntfs.sys, such as NtfsFsdClose or NtfsFsdRead from ntfs.sys. We therefore suspect that this subroutine may serve as an additional initialization routine for retrieving important function addresses used by other features.<\/p>\n\n\n\n<p><strong>0x222400 (Enabled)<\/strong><\/p>\n\n\n\n<p>When received, Poortry disables the installed kernel callbacks through a range of different techniques. 
The user-mode component includes the name of the targeted driver when the I\/O request packet is sent.<\/p>\n\n\n\n<p>Kernel callbacks installed via PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine and PsSetCreateProcessNotifyRoutine are patched. In the prologue of the callback function, Poortry modifies the first instruction so that the function returns zero immediately upon entry.<\/p>\n\n\n\n<p>So far, we have identified the following techniques for disabling kernel callbacks and security drivers:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The internal structures used by the respective functions PsSetLoadImageNotifyRoutine, PsSetCreateThreadNotifyRoutine and PsSetCreateProcessNotifyRoutine are iterated. 
If a callback belongs to a tagged security driver, the registered callback function then exits immediately without performing any of its intended activity.<\/li>\n\n\n\n<li>The Windows kernel implements important data structures such as PsProcess, PsThread and ExDesktopObject that represent fundamental components of the Windows operating system. These structures contain a variable named CallbackList that manages all callbacks associated with the particular object. Poortry iterates this list and, if a callback belongs to a tagged security driver, the registered callback function is made to exit immediately without performing any of its intended activity.<\/li>\n\n\n\n<li>An internal linked list used by CmRegisterCallback and CmUnregisterCallback is iterated. This linked list contains function pointers to the registered object and registry callbacks. 
If a callback belongs to a tagged security driver, the function prologue is patched.<\/li>\n\n\n\n<li>Poortry uses the exported function FltEnumerateFilters from fltMgr.sys to iterate over the applied filters. If a filter belongs to a tagged security driver, the function prologue is patched.<\/li>\n\n\n\n<li>Although we could not trigger this function directly, we found evidence that Poortry can abuse the&nbsp;<a href=\"https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/wdm\/nf-wdm-iodetachdevice\">IoDetachDevice<\/a>&nbsp;function to detach a device object from the system's device stack. 
In contrast to the functionality provided by IOCTL code 0x22210C, it is less evasive and detaches the device only if the device name matches the input name sent via DeviceIoControl.<\/li>\n<\/ul>\n\n\n\n<p><strong>Cleanup phase<\/strong><\/p>\n\n\n\n<p>Once the protection has been impaired, the EDR killer aims to terminate security-related processes and render the EDR agent useless by deleting critical files from disk.<\/p>\n\n\n\n<p>First, the user-mode component sends multiple I\/O requests with IOCTL code 0x222144 to the kernel-mode component, each containing the process ID of the process to be terminated.<\/p>\n\n\n\n<p>The loader contains a list of hard-coded paths pointing to EDR product installation locations. It iterates over all subdirectories and files in the directory and deletes files that are critical to the EDR agent, such as EXE or DLL files, by sending IOCTL requests with code 0x222180 to the driver. 
The request sent includes the path of the file to be deleted.<\/p>\n\n\n\n<p>Notably, the user-mode component can operate in two modes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Delete files by type<\/li>\n\n\n\n<li>Delete files by name<\/li>\n<\/ul>\n\n\n\n<p>We suspect that the author added these operating modes to ensure flexibility when going after different targets. We also believe that the list of hard-coded paths pointing to the installation directories of EDR products changes depending on the target.<\/p>\n\n\n\n<p><strong>Conclusion<\/strong><\/p>\n\n\n\n<p>Poortry and its associated loader Stonestop have undergone a serious feature upgrade in the 20 months since Sophos and Microsoft published a joint report on the EDR killer abusing the WHQL signing mechanism. 
What was once a relatively simple tool for removing &#8220;troublesome&#8221; endpoint protection components has become, in itself, a Swiss army knife of malicious capabilities, abusing a nearly limitless supply of stolen or misused code-signing certificates to get past Driver Signature Verification protections.<\/p>\n\n\n\n<p>The Poortry developers have made it a distinguishing feature of their tool that it can do more than simply remove the EDR or endpoint protection anti-tamper driver. Poortry has evolved into something resembling a rootkit, with limited controls over a number of different API calls used to manage low-level operating system functionality. 
It is now also capable of wiping its adversary, the security software, right off the disk as a way to clear the path for ransomware deployment.<\/p>\n","protected":false}}