Using PowerShell to Gather Incident Information

PowerShell is a common automation tool, used both by malware authors and by information security specialists.
This article looks at using PowerShell to collect data remotely from endpoints when responding to an information security incident. For that we write a script that runs on the endpoint; the script is given first in full and then walked through piece by piece.

function CSIRT{
param($path)  # directory under which the collected data is saved; given when the script is run
if ($psversiontable.psversion.major -ge 5)
	{
	# HH (24-hour clock) rather than hh (12-hour), so morning and evening runs do not collide
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	# one subdirectory per host and run, e.g. <path>\HOST01_23.01.2024_10_15
	$path = Join-Path $path "${Computer}_$date"
	New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP endpoints have no remote side and no state, so only the local endpoint and the owner are kept
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	# tasks whose Author mentions Microsoft (in either language), is empty, or is a localized
	# resource reference are treated as built-in and dropped; Author is free text, so this is noise
	# reduction, not a trust decision
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# alternate data streams of the files in the current directory only; the primary :$DATA stream is skipped
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"

	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# -Width keeps long command lines from being truncated at the default 80 columns of text output
		$array[$w] | Out-File -FilePath (Join-Path $path "$name.txt") -Append -Width 4096
		}

	}
else
	{
	Write-Warning "PowerShell 5 or later is required (found $($psversiontable.psversion))"
	}
}

To start, we define a function CSIRT that takes one argument, the path under which the collected data is saved. Several of the cmdlets used here (Get-NetTCPConnection, Get-NetUDPEndpoint, Get-ScheduledTask, Get-Item with -Stream) do not exist in PowerShell 2.0, so the function first checks the PowerShell version and only runs the collection on version 5 or later.

function CSIRT{

param($path)  # the directory to save to; it must be given when the script is run
if ($psversiontable.psversion.major -ge 5)

For ease of navigation through the created files, two variables are initialised: $date, which receives the current date and time, and $Computer, which receives the computer name. In .NET format strings hh is the 12-hour clock, so hh_mm would let a morning and an evening collection on the same day land in the same directory; HH gives the 24-hour clock. A directory named after the host and the timestamp is then created under $path, and $path is repointed to it so that everything that follows is written there.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
$path = Join-Path $path "${Computer}_$date"
New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

The list of running processes is obtained by assigning to $process the output of the get-ciminstance cmdlet with the win32_process class (with administrator rights this covers every process on the host, not only the current user's). Select-Object picks the fields we want: creationdate (when the process was started), processname (its name), processid (the PID), commandline (the command line it was started with) and parentprocessid (the PPID of the parent). The command line is the most valuable column in triage: encoded PowerShell, suspicious arguments to system binaries and paths in user-writable directories all show up there.

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get all TCP connections and UDP endpoints, $netTCP and $netUDP are assigned the output of Get-NetTCPConnection and Get-NetUDPEndpoint respectively. UDP is connectionless, so a UDP endpoint has no remote address, remote port or state; only the local endpoint and the owning process are selected for it. In both cases owningprocess is the PID, which can be matched against the processid column of the process list.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess
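As an added example (not part of the original article's script), the following PowerShell joins the two collections above: processes are enriched with their owning account and the name of their parent, and every TCP connection and UDP endpoint is tied to the process that owns it through owningprocess. The cmdlets are the ones the article uses plus Invoke-CimMethod; the function names, the object layout and the triage patterns at the end are my own. Run it elevated on the endpoint.

```powershell
# Added example, not the article's code. Elevated PowerShell 5.1+ on the endpoint is assumed.

# PID -> Win32_Process instance, shared by both functions below for parent/owner lookups.
function Get-ProcessMap {
    $map = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $map[[int]$p.ProcessId] = $p }
    return $map
}

function Get-ProcessInventory {
    param([hashtable]$Map = (Get-ProcessMap))
    foreach ($p in $Map.Values) {
        # GetOwner is a WMI method on the instance; it fails (access denied) for protected
        # processes unless we run as SYSTEM, in which case the owner is left empty.
        $owner = $null
        try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { $owner = "$($o.Domain)\$($o.User)" }
        } catch { }
        # A missing parent means it already exited; its PID may even have been reused since.
        $parent = $Map[[int]$p.ParentProcessId]
        $parentName = if ($parent) { $parent.Name } else { '<exited>' }
        [pscustomobject]@{
            CreationDate = $p.CreationDate
            PID          = $p.ProcessId
            Name         = $p.Name
            Owner        = $owner
            PPID         = $p.ParentProcessId
            ParentName   = $parentName
            Path         = $p.ExecutablePath
            CommandLine  = $p.CommandLine
        }
    }
}

function Get-NetworkInventory {
    param([hashtable]$Map = (Get-ProcessMap))
    function Resolve-Name([int]$ProcId) {
        $q = $Map[$ProcId]
        if ($q) { $q.Name } else { '<exited>' }
    }
    Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'TCP'
            Created = $_.CreationTime
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = [string]$_.State
            PID     = $_.OwningProcess
            Process = Resolve-Name $_.OwningProcess
        }
    }
    # UDP is connectionless: there is no remote endpoint and no state to report.
    Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            Proto   = 'UDP'
            Created = $_.CreationTime
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = ''
            State   = ''
            PID     = $_.OwningProcess
            Process = Resolve-Name $_.OwningProcess
        }
    }
}

# Usage: one process map feeds both views, so the PIDs in the two outputs line up.
$map   = Get-ProcessMap
$procs = Get-ProcessInventory -Map $map
$net   = Get-NetworkInventory -Map $map

# Two quick triage filters (constructed patterns, tune to the environment): script hosts
# spawned by Office, and established TCP connections outside loopback / RFC 1918 ranges.
$procs | Where-Object { $_.ParentName -match '^(winword|excel|outlook|powerpnt)\.exe$' -and
                        $_.Name -match '^(powershell|pwsh|cmd|wscript|cscript|mshta)\.exe$' } |
    Format-Table PID, Name, ParentName, Owner, CommandLine -Wrap
$net | Where-Object { $_.Proto -eq 'TCP' -and $_.State -eq 'Established' -and
                      $_.Remote -notmatch '^(127\.|10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.|::1)' } |
    Format-Table Created, Local, Remote, PID, Process -AutoSize

# CSV keeps every column intact; Out-File's default 80-column table output truncates command lines.
$procs | Export-Csv -Path .\Processes.csv -NoTypeInformation
$net   | Export-Csv -Path .\Network.csv  -NoTypeInformation
```

The map is built once and passed to both functions on purpose: a process that starts or exits between two separate Win32_Process queries would otherwise show up in one output and not the other, and the connection list is only as useful as the process it can be matched to.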

It is also important to know the scheduled tasks and scheduled jobs. These come from the get-ScheduledTask and Get-ScheduledJob cmdlets, assigned to $task and $job. A Windows installation ships with a great many scheduled tasks, so to spot malicious activity the legitimate ones are filtered out: Select-Object picks the fields, and Where-Object (where) drops tasks whose author contains "Майкрософт" or "Microsoft", is empty, or is a localized resource reference of the form @%systemroot%.... Two caveats: the Author field is free text set by whoever registers the task, so malware can claim to be Microsoft and this filter is a noise reducer, not a trust decision; and the actions and triggers fields are CIM objects that a text file shows only as type names, so the executable and arguments a task actually runs have to be expanded separately.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт" or "Microsoft", the pattern "*@%systemroot%*", and "empty" authors
$job = Get-ScheduledJob
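The following added example (my code, not the article's) flattens each task's actions into "executable arguments" strings and its triggers into readable names, adds the last run time from Get-ScheduledTaskInfo, and applies a few constructed heuristics to flag tasks worth a second look. The cmdlets are real; the function names, the regular expressions and the heuristics themselves are assumptions to be tuned per environment.

```powershell
# Added example, not the article's code. PowerShell 5.1 on Windows 8/2012 or later is assumed.

function Get-TaskInventory {
    Get-ScheduledTask | ForEach-Object {
        $t = $_
        # MSFT_TaskExecAction carries Execute/Arguments; COM-handler and other action types
        # have no Execute, so the CIM class name is recorded for them instead.
        $actions = foreach ($a in $t.Actions) {
            if ($a.Execute) { "$($a.Execute) $($a.Arguments)".Trim() } else { $a.CimClass.CimClassName }
        }
        # Triggers become e.g. "LogonTrigger", "DailyTrigger@2024-01-23T10:15:00".
        $triggers = foreach ($tr in $t.Triggers) {
            $kind = $tr.CimClass.CimClassName -replace '^MSFT_Task', ''
            if ($tr.StartBoundary) { "$kind@$($tr.StartBoundary)" } else { $kind }
        }
        $info = $t | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        $lastRun = if ($info) { $info.LastRunTime } else { $null }
        [pscustomobject]@{
            TaskName = $t.TaskName
            TaskPath = $t.TaskPath
            State    = [string]$t.State
            Author   = $t.Author
            RunAs    = $t.Principal.UserId
            LastRun  = $lastRun
            Actions  = $actions -join ' | '
            Triggers = $triggers -join ' | '
        }
    }
}

# Constructed heuristics. They match on the flattened action string, so both the
# executable and its arguments are covered.
$ScriptHosts  = '(?i)(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32|certutil|bitsadmin)\.exe'
$Obfuscation  = '(?i)(^|\s)-e(nc(odedcommand)?)?\s|frombase64|downloadstring|downloadfile|invoke-expression|\biex\b|-w(indowstyle)?\s+hidden'
$UserWritable = '(?i)\\(users|programdata|temp|appdata|public)\\'
$SystemSids   = '(?i)^(SYSTEM|NT AUTHORITY\\SYSTEM|S-1-5-18)$'

function Find-SuspiciousTask {
    param([object[]]$Tasks = (Get-TaskInventory))
    foreach ($task in $Tasks) {
        $reasons = @()
        if ($task.Actions -match $ScriptHosts)  { $reasons += 'script host / LOLBin' }
        if ($task.Actions -match $Obfuscation)  { $reasons += 'encoded or download-and-run' }
        if ($task.Actions -match $UserWritable) { $reasons += 'user-writable path' }
        # Author is free text written by whoever registers the task. Genuine Microsoft tasks
        # live under \Microsoft\..., so a "Microsoft" author in the root folder is worth a look.
        if ($task.TaskPath -eq '\' -and $task.Author -match 'Microsoft') { $reasons += 'MS author in root folder' }
        if ($task.RunAs -match $SystemSids -and $task.Actions -match $UserWritable) { $reasons += 'SYSTEM runs user-writable binary' }
        if ($reasons.Count) {
            $task | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

# Usage: keep the full inventory as CSV and print the flagged subset.
$tasks = Get-TaskInventory
$tasks | Export-Csv -Path .\TaskScheduled.csv -NoTypeInformation
Find-SuspiciousTask -Tasks $tasks | Sort-Object Reasons |
    Format-Table TaskPath, TaskName, RunAs, LastRun, Actions, Reasons -Wrap
```

Unlike the Author filter, this keeps every task in the exported file and only annotates the suspicious ones, so nothing is lost if a heuristic is wrong; the flagged list is where an analyst starts, not the whole picture.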

The NTFS file system supports alternate data streams (ADS): besides its main content, a file on NTFS can carry several additional data streams of arbitrary size. ADS can hold data that standard system checks do not show, so attackers use them to store malicious code or to hide data.

To list alternate data streams in PowerShell we use the get-item cmdlet with its -Stream parameter; * as the stream name returns every stream of each file. The result is assigned to $ADS, with the primary :$DATA stream (the normal content every file has) filtered out. Note that get-item * only covers the current working directory; for a real sweep point it at a directory tree with Get-ChildItem -Recurse. Zone.Identifier streams written by browsers and mail clients are expected and actually useful, since they record where a file was downloaded from.

$ADS = get-item * -stream * | where stream -ne ':$Data'
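Because get-item * only looks at the working directory, here is an added example (my code, not the article's) that walks a directory tree for alternate data streams, drops the primary :$DATA stream, and reads the contents of small streams inline; for Zone.Identifier that yields the download origin, and for anything else it shows what was stashed. The root path, the size threshold and the function names are assumptions.

```powershell
# Added example, not the article's code. Assumes PowerShell 3+ (the -Stream parameter) and
# read access to the tree; run elevated to see other users' profiles.

function Get-AdsInventory {
    param(
        [string]$Root = 'C:\Users',   # assumption: user profiles are the usual drop location
        [int]$MaxPreviewBytes = 1024  # streams up to this size are read and shown inline
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # -Stream * returns every stream of the file, including the primary :$DATA stream,
        # which is the ordinary file content and is filtered out.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $preview = $null
            if ($_.Length -le $MaxPreviewBytes) {
                $raw = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                if ($raw) { $preview = ($raw -replace '\r?\n', ' / ').Trim() }
            }
            [pscustomobject]@{
                File     = $file.FullName
                Stream   = $_.Stream
                Length   = $_.Length
                Modified = $file.LastWriteTime
                Preview  = $preview
            }
          }
      }
}

# Zone.Identifier (Mark of the Web) is noise as a hiding place but valuable as provenance,
# so it is split out rather than discarded.
function Split-AdsInventory {
    param([object[]]$Streams)
    [pscustomobject]@{
        # Everything that is not Mark of the Web: executables, scripts or data hidden in a stream.
        Hidden     = @($Streams | Where-Object { $_.Stream -ne 'Zone.Identifier' })
        # Files with a recorded download origin (ZoneId=3 is the Internet zone).
        Downloaded = @($Streams |
            Where-Object { $_.Stream -eq 'Zone.Identifier' -and $_.Preview -match 'ZoneId=3' } |
            Select-Object File, Modified,
                @{ n = 'HostUrl'; e = { if ($_.Preview -match 'HostUrl=([^ ]+)') { $Matches[1] } } })
    }
}

# Usage
$ads   = Get-AdsInventory -Root 'C:\Users'
$split = Split-AdsInventory -Streams $ads
$split.Hidden     | Format-Table File, Stream, Length, Modified -AutoSize
$split.Downloaded | Format-Table File, HostUrl -AutoSize
$ads | Export-Csv -Path .\AlternativeDataStream.csv -NoTypeInformation
```

Reading a stream with Get-Content is passive; nothing in it is executed. The size cap keeps the inventory quick and avoids pulling a large binary payload into the report; anything bigger is listed with its length and can be extracted separately.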

It is also useful to know which users are logged on to the system; for this $user is assigned the output of the quser utility (an external program, so its output is plain text rather than objects).

$user = quser

To persist on a system, attackers often add entries to the autorun (Run) registry keys. The Get-ItemProperty cmdlet lists the values of such a key.
We create two variables: $runUser for the Run key of the current user (HKCU) and $runMachine for the Run key of the machine (HKLM). HKCU is the hive of the account the script runs under; other users' Run keys, the RunOnce keys and the Wow6432Node view on 64-bit Windows are not covered by these two reads.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
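As an added example (my code, not the article's), the following enumerates the Run and RunOnce keys for the machine, including the Wow6432Node view on 64-bit Windows, and for every user hive currently loaded under HKEY_USERS (which includes the account running the script, so HKCU is covered), then checks whether each target binary exists on disk and whether it is Authenticode-signed. The helper names, the hive and subkey lists and the command-line parsing rules are my assumptions.

```powershell
# Added example, not the article's code. Run elevated. Only hives of currently logged-on
# users are loaded under HKEY_USERS; other profiles would need 'reg load' of their NTUSER.DAT.

# Turn a Run value ("C:\Program Files\x\y.exe" /arg, %AppData%\z.exe, rundll32 foo.dll,Entry)
# into the path of the image that actually gets executed.
function Resolve-ImagePath {
    param([string]$Command)
    if (-not $Command) { return $null }
    $c = [Environment]::ExpandEnvironmentVariables($Command).Trim()
    if ($c.StartsWith('"')) {
        $end = $c.IndexOf('"', 1)
        if ($end -gt 1) { return $c.Substring(1, $end - 1) }
    }
    # Unquoted: the image ends at the first ".exe"; otherwise take the first token.
    $m = [regex]::Match($c, '(?i)^.+?\.exe')
    if ($m.Success) { return $m.Value }
    return ($c -split '\s+')[0]
}

function Get-RunKeyInventory {
    # PowerShell ships HKLM: and HKCU: drives but not HKU:, so create it on demand.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    $subKeys = 'Software\Microsoft\Windows\CurrentVersion\Run',
               'Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce'
    # S-1-5-18/19/20 are SYSTEM, LOCAL SERVICE, NETWORK SERVICE; S-1-5-21-... are user accounts.
    # The *_Classes hives are skipped; they hold no Run keys.
    $userHives = Get-ChildItem -Path HKU: |
        Where-Object { $_.PSChildName -match '^S-1-5-(18|19|20|21-\d+-\d+-\d+-\d+)$' } |
        ForEach-Object { "HKU:\$($_.PSChildName)" }
    $hives = @('HKLM:') + @($userHives)

    foreach ($hive in $hives) {
        foreach ($sub in $subKeys) {
            $key = Join-Path $hive $sub
            if (-not (Test-Path -LiteralPath $key)) { continue }
            $k = Get-Item -LiteralPath $key
            foreach ($name in $k.GetValueNames()) {
                $cmd = $k.GetValue($name)
                $img = Resolve-ImagePath $cmd
                if ($img -and (Test-Path -LiteralPath $img)) {
                    # Status is Valid, NotSigned, HashMismatch, UnknownError, ... A valid signature on
                    # rundll32/regsvr32 says nothing about the DLL they load; look at the arguments then.
                    $sig = [string](Get-AuthenticodeSignature -LiteralPath $img).Status
                } else {
                    $sig = 'FileMissing'
                }
                [pscustomobject]@{
                    Hive      = $hive
                    Key       = $sub
                    Name      = $name
                    Command   = $cmd
                    Image     = $img
                    Signature = $sig
                }
            }
        }
    }
}

# Usage: everything to CSV, unsigned or missing images to the screen first.
$runs = Get-RunKeyInventory
$runs | Export-Csv -Path .\RunKeys.csv -NoTypeInformation
$runs | Where-Object Signature -ne 'Valid' | Format-Table Hive, Name, Command, Signature -Wrap
```

A FileMissing entry is itself interesting: either leftover from removed software or a payload that has been cleaned up after establishing persistence elsewhere. The Run keys are only one of many autostart locations (services, WMI subscriptions, Winlogon, scheduled tasks); this covers the ones the article reads, plus the user and WOW64 views it misses.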

So that each kind of data is written to its own file, we create an array of the variables and a parallel array of file names; the order of the two must match.

$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

A for loop then writes each item to the file of the same name. Out-File is given a large -Width, because the default text output is wrapped to 80 columns and would truncate long command lines.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] | Out-File -FilePath (Join-Path $path "$name.txt") -Append -Width 4096
	}

After executing the script, 9 text files will be created containing the necessary information.
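The article's stated goal is remote collection, and the function runs on the endpoint; one way to drive it from an analyst workstation over PowerShell Remoting is shown below as an added example that is not part of the article. It assumes WinRM is enabled on the targets, that the CSIRT function has already been loaded into the current session (dot-source the script first), and uses hypothetical hostnames and paths. Collected files are hashed on arrival so that later analysis can be tied to exactly what was pulled.

```powershell
# Added example, not the article's code. Requires PowerShell 5.0+ on both ends
# (Copy-Item -FromSession) and WinRM access with local admin rights on the targets.

function Invoke-RemoteCollection {
    param(
        [Parameter(Mandatory)][string[]]$Targets,         # hostnames to collect from
        [Parameter(Mandatory)][string]$OutDir,            # local drop folder for results
        [string]$RemotePath = 'C:\Windows\Temp\csirt\',   # where CSIRT writes on the endpoint
        [pscredential]$Credential
    )
    # ${function:CSIRT} is the body of the locally defined function as a ScriptBlock;
    # Invoke-Command ships it to the endpoint and runs it there with -ArgumentList as $path.
    $collector = ${function:CSIRT}
    if (-not $collector) { throw 'CSIRT is not defined in this session; dot-source the script first.' }
    $sessionArgs = @{ ErrorAction = 'Stop' }
    if ($Credential) { $sessionArgs.Credential = $Credential }

    foreach ($t in $Targets) {
        $started = Get-Date
        $s = $null
        try {
            $s = New-PSSession -ComputerName $t @sessionArgs
            Invoke-Command -Session $s -ScriptBlock $collector -ArgumentList $RemotePath
            # CSIRT creates one directory per host and run under $RemotePath; fetch all of them.
            $remoteDirs = Invoke-Command -Session $s -ArgumentList $RemotePath -ScriptBlock {
                param($p) Get-ChildItem -LiteralPath $p -Directory | Select-Object -ExpandProperty FullName
            }
            $dest = Join-Path $OutDir $t
            New-Item -Path $dest -ItemType Directory -Force | Out-Null
            foreach ($d in $remoteDirs) {
                Copy-Item -FromSession $s -Path $d -Destination $dest -Recurse -Force
            }
            # Hash manifest: what was collected, from where and when; keep it with the evidence.
            Get-ChildItem -LiteralPath $dest -Recurse -File |
                Where-Object Name -ne 'manifest.csv' |
                Get-FileHash -Algorithm SHA256 |
                Select-Object @{ n = 'Host'; e = { $t } }, @{ n = 'Collected'; e = { $started } }, Hash, Path |
                Export-Csv -Path (Join-Path $dest 'manifest.csv') -NoTypeInformation
            [pscustomobject]@{ Host = $t; Status = 'OK'; Runs = @($remoteDirs).Count; Dest = $dest }
        } catch {
            [pscustomobject]@{ Host = $t; Status = "Failed: $($_.Exception.Message)"; Runs = 0; Dest = $null }
        } finally {
            if ($s) { Remove-PSSession $s }
        }
    }
}

# Usage (hypothetical hosts). The collection itself leaves traces on the endpoint: a network
# logon (event 4624, logon type 3), a wsmprovhost.exe process and the output directory.
Invoke-RemoteCollection -Targets 'WS-0123', 'WS-0124' -OutDir 'C:\IR\collected' | Format-Table -AutoSize
```

Record the time of collection alongside the results, as the manifest does: the process and connection lists are a snapshot, and the artefacts the collection creates on the host (the logon, the wsmprovhost.exe process, the new files) must be distinguishable from attacker activity when the logs are reviewed later.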

Today security professionals can use PowerShell to gather the information they need for a wide range of tasks. Scheduled to run on endpoints, or pushed to them with Invoke-Command, a script like this gives a first triage snapshot without waiting for memory dumps or disk images. It is a live-response tool: it changes the state of the host it runs on, and its output is a starting point for investigation rather than a substitute for forensic acquisition.

Source: habr.com
