{"id":10109,"date":"2021-10-01T14:41:47","date_gmt":"2021-10-01T11:41:47","guid":{"rendered":"https:\/\/www.kaspersky.com.tr\/blog\/?p=10109"},"modified":"2021-10-01T14:41:47","modified_gmt":"2021-10-01T11:41:47","slug":"most-used-lolbins","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com.tr\/blog\/most-used-lolbins\/10109\/","title":{"rendered":"Siber su\u00e7lular\u0131n en \u00e7ok kulland\u0131\u011f\u0131 LOLBin’ler"},"content":{"rendered":"

Siber su\u00e7lular uzun zamand\u0131r Microsoft Windows kullan\u0131c\u0131lar\u0131na sald\u0131rmak i\u00e7in yasal programlar ve i\u015fletim sistemi bile\u015fenleri kullan\u0131yor. Bu teknik, Living off the Land<\/a> sald\u0131r\u0131s\u0131 olarak biliniyor. Sald\u0131rganlar bu taktik sayesinde bir siber ta\u015fla birka\u00e7 ku\u015f vurmaya, k\u00f6t\u00fc ama\u00e7l\u0131 yaz\u0131l\u0131m ara\u00e7 kiti geli\u015ftirme maliyetini d\u00fc\u015f\u00fcrmeye, i\u015fletim sistemi ayakizlerini minimize etmeye ve faaliyetlerini me\u015fru BT aktiviteleri aras\u0131na gizlemeye \u00e7al\u0131\u015f\u0131yor.<\/p>\n

Di\u011fer bir deyi\u015fle, ana hedef, k\u00f6t\u00fc ama\u00e7l\u0131 aktivitelerinin tespit edilmesini zorla\u015ft\u0131rmak. Bu nedenle g\u00fcvenik uzmanlar\u0131 uzun zamand\u0131r potansiyel olarak g\u00fcvenli olmayan y\u00fcr\u00fct\u00fclebilir dosyalar\u0131, komut dosyalar\u0131n\u0131 ve kitapl\u0131klar\u0131 izliyorlar. Hatta GitHub\u2019daki LOLBAS projesi<\/a> alt\u0131nda bir t\u00fcr kay\u0131t da tutuyorlar.<\/p>\n

[MDR placeholder] Kaspersky Y\u00f6netilen Tespit ve Yan\u0131t (MDR)[\/MDR placeholder] servisinde geni\u015f bir i\u015f alan\u0131 yelpazesindeki \u00e7ok say\u0131da \u015firketi koruyan meslekta\u015flar\u0131m\u0131z, ger\u00e7ek hayattaki sald\u0131r\u0131larda bu yakla\u015f\u0131m\u0131 s\u0131kl\u0131kla g\u00f6r\u00fcyorlar. Y\u00f6netilen Tespit ve Yan\u0131t Analist Raporu\u2019nda<\/a> modern i\u015fletmelere sald\u0131rmak i\u00e7in en s\u0131k kullan\u0131lan sistem bile\u015fenlerini incelediler. \u0130\u015fte ke\u015ffettikleri:<\/p>\n

Alt\u0131n madalya PowerShell\u2019e<\/h2>\n

Komut sat\u0131r\u0131 aray\u00fcz\u00fcne sahip bir komut dosyas\u0131 dili ve yaz\u0131l\u0131m motoru olan PowerShell, Microsoft\u2019un daha g\u00fcvenli ve kontrol edilebilir hale getirme \u00e7abalar\u0131na ra\u011fmen a\u00e7\u0131k ara farkla siber su\u00e7lular aras\u0131nda en yayg\u0131n kullan\u0131lan me\u015fru ara\u00e7 oldu. MDR servisimiz taraf\u0131ndan tan\u0131mlanan olaylar\u0131n %3,3\u2019\u00fc, PowerShell\u2019i k\u00f6t\u00fcye kullanma te\u015febb\u00fcs\u00fc i\u00e7eriyordu. Dahas\u0131, anketi yaln\u0131zca kritik olaylara indirgedi\u011fimizde PowerShell\u2019in her be\u015f olaydan birinde (tam olarak %20,3\u2019\u00fcnde) parma\u011f\u0131 oldu\u011funu g\u00f6r\u00fcyoruz.<\/p>\n

G\u00fcm\u00fc\u015f madalya rundll32.exe\u2019ye<\/h2>\n

\u0130kinci s\u0131rada, dinamik ba\u011flant\u0131 kitapl\u0131klar\u0131ndan (DLL\u2019lerden) kod \u00e7al\u0131\u015ft\u0131rmak i\u00e7in kullan\u0131lan rundll32 ana i\u015flemini g\u00f6r\u00fcyoruz. T\u00fcm olaylar\u0131n %2\u2019sine, kritik olaylar\u0131n %5,1\u2019ine kar\u0131\u015fm\u0131\u015f.<\/p>\n

Bronz madalya birka\u00e7 yard\u0131mc\u0131 programa<\/h2>\n

T\u00fcm olaylar\u0131n %1,9\u2019unda ge\u00e7en be\u015f ara\u00e7 bulduk:<\/p>\n