Using PowerShell to Collect Incident Data

PowerShell is an everyday automation tool used by malware authors and security professionals alike.
This article looks at using PowerShell to collect data from endpoints when responding to information security incidents. To do this you write a script that runs on the endpoint; the full script is shown first, followed by a detailed walkthrough of each part.

function CSIRT{
param($path)  # directory in which the collected data is saved, e.g. C:\IR\
if ($psversiontable.psversion.major -ge 5)
	{
	# HH is a 24-hour clock; with hh the 10:15 and 22:15 runs would collide
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	# one directory per host and run, e.g. C:\IR\HOST01_28.02.2023_10_15
	$path = Join-Path $path "${Computer}_$date"
	New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP endpoints have no remote side and no state; only the local socket and its owner exist
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	# Author is free text written by whoever registered the task, so this filter only
	# removes noise; a task that claims to be from Microsoft is hidden too
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# only the current directory is scanned; pipe Get-ChildItem -Recurse into Get-Item for more
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# Out-File -Width keeps long command lines from being cut at 80 columns, which >> would do
		$array[$w] | Out-File -FilePath "$path\$name.txt" -Width 4096 -Append
		}

	}

}

To begin, create a function called CSIRT that takes one argument: the path under which the collected data is saved. Because most of the cmdlets used here are only available from PowerShell 5 onward, the script checks the PowerShell version first so that it runs correctly.

function CSIRT{
		
param($path)  # when running the script, specify the directory in which to save the results
if ($psversiontable.psversion.major -ge 5)

To make the created files easy to find, two variables are initialised, $date and $Computer, which hold the date and the computer name; together they form the name of the output directory for this run.

$date = Get-Date -Format dd.MM.yyyy_HH_mm  # 24-hour clock, so morning and evening runs get distinct names
$Computer = $env:COMPUTERNAME
$path = Join-Path $path "${Computer}_$date"
New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

We get the list of running processes as follows: create the $process variable by assigning it the output of the Get-CimInstance cmdlet with the Win32_Process class. With the Select-Object cmdlet you can choose which fields are output; in our case these are the creation date, the process name, the process ID (PID), the command line it was started with, and the parent process ID (PPID). Win32_Process lists processes from all sessions, but run the script elevated, otherwise the command lines of processes belonging to other users may come back empty.

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP connections and UDP endpoints, create the $netTCP and $netUDP variables by assigning them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively. Note that a UDP endpoint has no remote address and no state; only the local address, port, creation time and owning process are available.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess

It is also important to know the list of scheduled tasks and scheduled jobs. For this we use the Get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. Since a system contains a large number of scheduled tasks, it is more convenient to filter them when looking for malicious ones; the Where-Object cmdlet does the filtering below. Keep in mind that the Author field is free text chosen by whoever registered the task, so this filter only reduces noise: a task whose author was deliberately set to "Microsoft" would be hidden by it.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as empty authors
$job = Get-ScheduledJob

The NTFS file system has a feature called alternate data streams (ADS). It means that a file on NTFS can have several additional data streams of arbitrary size attached to it. With ADS you can hide data that is invisible to the standard tools for browsing the file system, for example malicious code and/or concealed information.

To list alternate data streams in PowerShell we use the Get-Item cmdlet with its built-in -Stream parameter and the * wildcard to show every stream; the result goes into the $ADS variable. Note that get-item * only covers the current working directory, so run it from the directory you want to inspect or pipe Get-ChildItem -Recurse into Get-Item for a wider scan.

$ADS = get-item * -stream * | where stream -ne ':$Data'
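
The one-liner above only sees the current directory. As an added example, not part of the original article, here is a recursive version that reads the first two bytes of every stream to flag hidden PE images, hides the ubiquitous Zone.Identifier stream unless asked for, and builds a constructed sample file in %TEMP% so it can be exercised on a clean machine. The function name and the -IncludeZoneIdentifier switch are my own; the PE check is the "MZ" magic at offset 0.

```powershell
# Added example, not from the original script. Needs NTFS and Windows PowerShell 5.1 or PowerShell 7.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is written on almost every downloaded file, so it is
        # hidden by default to make real anomalies stand out.
        [switch]$IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            # Read the first two bytes of the stream; 'MZ' (0x4D 0x5A) means a PE image is hidden there.
            # -Encoding Byte is Windows PowerShell only; PowerShell 7 uses -AsByteStream.
            $read = @{ LiteralPath = $_.FileName; Stream = $_.Stream; TotalCount = 2; ErrorAction = 'SilentlyContinue' }
            if ($PSVersionTable.PSVersion.Major -ge 6) { $read.AsByteStream = $true } else { $read.Encoding = 'Byte' }
            $head = @(Get-Content @read)
            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Bytes       = $_.Length
                LooksLikePE = ($head.Count -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            }
        }
}

# Constructed demo: an innocent-looking text file carrying a hidden stream whose
# first bytes mimic a PE header. Runs under %TEMP% and cleans up after itself.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -Path $demo -ItemType Directory -Force | Out-Null
$file = Join-Path $demo 'report.txt'
Set-Content -Path $file -Value 'quarterly numbers'
Set-Content -Path $file -Stream 'hidden.bin' -Value 'MZ-not-a-real-pe-but-flagged-as-one'
Find-AlternateDataStreams -Root $demo | Format-Table -AutoSize   # one row: hidden.bin, LooksLikePE = True
Remove-Item -LiteralPath $demo -Recurse -Force
```

During triage, run it against user-writable locations first (profiles, %TEMP%, %ProgramData%); scanning a whole volume works but takes time and -Force is needed to see hidden and system files.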

It is also useful to know which users are logged on to the system. For this we create the $user variable and assign it the output of the quser program.

$user = quser

To gain persistence on a system, attackers may add entries to autorun. The Get-ItemProperty cmdlet can be used to inspect the autorun registry keys.
We create two variables: $runUser, to check autorun for the current user (HKCU), and $runMachine, to check autorun for the computer as a whole (HKLM).

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that each set of data is written to its own file, we create one array holding the variables and a second array holding the matching file names.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Then, using a for loop, the collected data is written to the files. Out-File is used instead of the >> redirection operator because >> formats output for an 80-column console and would truncate long command lines.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] | Out-File -FilePath "$path\$name.txt" -Width 4096 -Append
}

After the script has run, 9 text files containing the key information are created in the output directory.
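
The script above runs on one endpoint and writes formatted text, which is hard to filter afterwards. As an added example, not part of the original article, the function below runs the same collection (processes, TCP/UDP, scheduled tasks, autorun keys, logged-on users) on several hosts over WinRM with Invoke-Command, joins each socket to the name of the process that owns it, covers RunOnce as well as Run, writes one CSV per section and finishes with a SHA-256 manifest so the evidence can later be shown to be unaltered. It assumes WinRM is enabled on the targets, the caller has local administrator rights there, and the targets run Windows PowerShell 5.1 (for Get-ScheduledTask and Get-NetTCPConnection). The function name and the host names in the usage line are placeholders of my own.

```powershell
# Added example, not from the original script.
function Invoke-RemoteTriage {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][string]$OutputRoot,
        [pscredential]$Credential
    )

    # Everything in this script block executes on the remote host; only the
    # returned object is serialized back over WinRM.
    $collector = {
        $procs = Get-CimInstance -ClassName Win32_Process
        $byPid = @{}
        foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

        $tcp = Get-NetTCPConnection -ErrorAction SilentlyContinue |
            Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
                @{ n = 'ProcessName'; e = { $byPid[[int]$_.OwningProcess].Name } }
        # UDP endpoints have no peer and no state; only the local side is known.
        $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
            Select-Object CreationTime, LocalAddress, LocalPort, OwningProcess,
                @{ n = 'ProcessName'; e = { $byPid[[int]$_.OwningProcess].Name } }

        # Author is free text; the filter hides noise, it does not prove anything clean.
        $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
            Where-Object { $_.Author -and $_.Author -notlike '*Microsoft*' -and $_.Author -notlike '*Майкрософт*' } |
            Select-Object TaskName, TaskPath, Author, State,
                @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

        $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                   'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        # One row per value, without the PS* bookkeeping properties Get-ItemProperty adds.
        $autoruns = foreach ($key in $runKeys) {
            if (-not (Test-Path $key)) { continue }
            foreach ($name in (Get-Item $key).Property) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = Get-ItemPropertyValue -Path $key -Name $name }
            }
        }

        [pscustomobject]@{
            Host      = $env:COMPUTERNAME
            Collected = (Get-Date).ToUniversalTime().ToString('o')
            Processes = $procs | Select-Object CreationDate, Name, ProcessId, ParentProcessId, ExecutablePath, CommandLine
            Tcp       = $tcp
            Udp       = $udp
            Tasks     = $tasks
            Autoruns  = $autoruns
            Sessions  = (quser 2>$null) -join "`n"
        }
    }

    $icm = @{ ComputerName = $ComputerName; ScriptBlock = $collector; ErrorAction = 'Continue' }
    if ($Credential) { $icm.Credential = $Credential }

    foreach ($r in Invoke-Command @icm) {
        $dir = Join-Path $OutputRoot ('{0}_{1}' -f $r.Host, (Get-Date -Format 'yyyyMMdd_HHmmss'))
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
        foreach ($section in 'Processes', 'Tcp', 'Udp', 'Tasks', 'Autoruns') {
            $r.$section | Export-Csv -Path (Join-Path $dir "$section.csv") -NoTypeInformation -Encoding UTF8
        }
        Set-Content -Path (Join-Path $dir 'Sessions.txt') -Value $r.Sessions
        # Hash manifest written last, so it covers every evidence file in the directory.
        Get-ChildItem -LiteralPath $dir -File | Get-FileHash -Algorithm SHA256 |
            Select-Object Hash, Path | Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
    }
}

# Usage (host names and output path are placeholders):
# Invoke-RemoteTriage -ComputerName 'ws01', 'ws02' -OutputRoot 'D:\IR\evidence'
```

CSV output lets you Import-Csv the results from many hosts and pivot on ProcessName, RemoteAddress or Autoruns.Value across the whole estate, which is where the per-host text files of the original script stop being practical.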

Today, security professionals can use PowerShell to collect the information they need for a wide range of tasks in their work. By adding the script to scheduled execution you can obtain a good part of this data without taking memory dumps, disk images and the like. Keep in mind that each collection run changes the state of the system (new files, a PowerShell process, event log entries), so record when and where it was run.

source: www.habr.com
