Using PowerShell to collect incident information

PowerShell is a standard tool that is used just as often by malware authors as by information security specialists.
This article discusses the option of using PowerShell to collect data remotely from endpoints when responding to information security incidents. To do this, you need to write a script that will run on the endpoint; a detailed description of that script follows.

function CSIRT{
param($path)   # directory in which the collected data is saved
if ($psversiontable.psversion.major -ge 5)
	{
	# HH is the 24-hour clock, so a morning and an evening collection never get the same folder name
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	New-Item -Path "$path\$Computer\$date" -ItemType 'Directory' -Force | Out-Null
	$path = "$path\$Computer\$date"

	# every process the calling account is allowed to query (all of them when elevated)
	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP is connectionless: an endpoint has no remote address, remote port or state
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	# drop tasks whose author is Microsoft (English or Russian locale), a %systemroot% resource reference, or empty
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# only the current working directory is inspected; ':$DATA' is the ordinary content stream of every file
	$ADS =  get-item * -stream * -ErrorAction SilentlyContinue | where stream -ne ':$Data'

	$user = quser

	# HKCU is the hive of the account the script runs as, not necessarily the logged-on user's
	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		$array[$w] >> "$path\$name.txt"
		}

	}

}

To begin, create a CSIRT function whose argument is the path at which the collected data is to be saved. Because most of the cmdlets used here require PowerShell v5, the PowerShell version is checked so that the script works correctly.

function CSIRT{
		
param($path)   # when running the script, the directory in which to save the output must be specified
if ($psversiontable.psversion.major -ge 5)

To make it easier to navigate the files that are created, two variables are initialised, $date and $Computer, which are assigned the current date and the computer name; together they form the output directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm   # HH = 24-hour clock, so two collections on one day cannot collide
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$Computer\$date" -ItemType 'Directory' -Force | Out-Null 
$path = "$path\$Computer\$date"

We get the list of running processes (every process the calling account is allowed to query) as follows: create a $process variable and assign it the output of the get-ciminstance cmdlet with the win32_process class. With the Select-Object cmdlet you can choose the output fields; in our case these are creationdate (when the process was created), processname (the process name), processid (the process ID, PID), commandline (the command that was executed) and parentprocessid (the parent process ID, PPID).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To obtain the list of TCP connections and UDP endpoints, create the variables $netTCP and $netUDP and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets. Note that a UDP endpoint has no remote address, remote port or state, so only the local side and the owning process are selected for it.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess   # UDP has no remote side or state
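The process list and the connection list are only useful together: a connection is interesting because of who owns it, and a process is interesting because of who started it. The following is an added example, not code from the original article, that joins the two on the process ID so that every TCP connection is written out with the name and command line of its owning process, and every process with the name of its parent. The function and property names are my own.

```powershell
# Added example (not from the original article). Builds a PID -> process lookup once
# and uses it to enrich both the process list (parent name) and the TCP connection
# list (owner name and command line). Function and output property names are mine.
function Get-EnrichedNetworkActivity {
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate

    # PID -> process object, so the lookups below are constant time
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $tree = foreach ($p in $procs) {
        $parent = $byPid[[int]$p.ParentProcessId]
        [pscustomobject]@{
            Created     = $p.CreationDate
            Pid         = $p.ProcessId
            Name        = $p.Name
            ParentPid   = $p.ParentProcessId
            # PIDs are reused: a parent that is missing, or that was created after
            # its child, is not the real parent and is flagged instead of trusted
            ParentName  = if ($parent -and $parent.CreationDate -le $p.CreationDate) { $parent.Name } else { '<gone or reused>' }
            CommandLine = $p.CommandLine
        }
    }

    $conns = foreach ($c in Get-NetTCPConnection) {
        $owner = $byPid[[int]$c.OwningProcess]
        [pscustomobject]@{
            Created      = $c.CreationTime
            Local        = "$($c.LocalAddress):$($c.LocalPort)"
            Remote       = "$($c.RemoteAddress):$($c.RemotePort)"
            State        = $c.State
            Pid          = $c.OwningProcess
            OwnerName    = if ($owner) { $owner.Name } else { '<unknown>' }
            OwnerCmdLine = if ($owner) { $owner.CommandLine } else { $null }
        }
    }

    [pscustomobject]@{ Processes = $tree; Connections = $conns }
}

# Usage: established connections to non-loopback peers, grouped by owning process
$result = Get-EnrichedNetworkActivity
$result.Connections |
    Where-Object { $_.State -eq 'Established' -and $_.Remote -notmatch '^(127\.|::1)' } |
    Sort-Object OwnerName, Remote |
    Format-Table Created, OwnerName, Pid, Local, Remote, OwnerCmdLine -AutoSize
```

The parent check matters more than it looks: the article's output gives you a bare PPID, and because Windows reuses PIDs, a PPID that now belongs to a newer process can point at the wrong parent. Comparing creation times catches that case.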

It is important to see the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. A great many tasks are scheduled in the system out of the box, so to spot malicious activity the scheduled tasks have to be filtered; Select-Object picks the fields and Where-Object drops the noise. Note that the -ne $null clause also discards tasks that were registered without an author, so keep the unfiltered list as well if you want to review those.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing “Майкрософт”, “Microsoft” or “*@%systemroot%*”, and also “empty” authors
$job = Get-ScheduledJob
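When the $task objects above are written to a text file, the actions and triggers columns contain only CIM type names, so the command line each task actually runs is lost. The following is an added example, not code from the original article, that applies the same author exclusions and then writes one row per task action with the executable, its arguments, the account it runs as and the last run time. The function name and output columns are my own.

```powershell
# Added example (not from the original article). One row per task action, with the
# executable and arguments expanded instead of the CIM type name. Function name is mine;
# the author exclusion list is the one the article uses.
function Get-TaskActionReport {
    param(
        [string[]]$ExcludeAuthorLike = @('*Майкрософт*', '*microsoft*', '*@%systemroot%*')
    )
    $tasks = Get-ScheduledTask | Where-Object {
        $a = $_.Author
        -not [string]::IsNullOrEmpty($a) -and
        -not ($ExcludeAuthorLike | Where-Object { $a -like $_ })
    }
    foreach ($t in $tasks) {
        $info = $t | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($act in $t.Actions) {
            # COM-handler actions have no Execute/Arguments; those columns stay empty for them
            [pscustomobject]@{
                TaskPath   = $t.TaskPath
                TaskName   = $t.TaskName
                Author     = $t.Author
                State      = $t.State
                RunAs      = $t.Principal.UserId
                LastRun    = $info.LastRunTime
                NextRun    = $info.NextRunTime
                Triggers   = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ';'
                Execute    = $act.Execute
                Arguments  = $act.Arguments
                WorkingDir = $act.WorkingDirectory
            }
        }
    }
}

# Usage: tasks that launch script hosts or run from user-writable locations deserve a first look
Get-TaskActionReport |
    Where-Object { "$($_.Execute) $($_.Arguments)" -match '\\(Users|Temp|ProgramData)\\|powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32' } |
    Format-Table TaskName, RunAs, LastRun, Execute, Arguments -AutoSize
```

Running this next to the article's $task list is a useful cross-check: a task whose action runs powershell.exe with an encoded command is invisible in the original output, because only the word MSFT_TaskExecAction is saved.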

The NTFS file system has a feature called alternate data streams (ADS): a file on NTFS can carry several data streams, not only its main content. Using ADS, data can be hidden where ordinary system checks will not notice it. This makes it possible to plant malicious code and/or conceal data.

To list alternate data streams in PowerShell we use the get-item cmdlet with its -stream parameter and the * wildcard, which returns every stream of every file; the result goes into the $ADS variable. Note that get-item * only inspects the directory the script is run from, and that ':$DATA' is the ordinary content stream that every file has, which is why it is filtered out.

$ADS = get-item * -stream * -ErrorAction SilentlyContinue | where stream -ne ':$Data' 
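Because get-item * covers only one directory, a collection script usually needs to walk a tree. The following is an added example, not code from the original article, that recurses from a chosen root, reports every stream other than ':$DATA', and for small streams such as Zone.Identifier includes the content inline so that the download zone and source URL of a file are visible in the report. The function name, the default root and the size threshold are my own choices.

```powershell
# Added example (not from the original article). Recursive ADS scan with an inline
# preview of small streams. Function name, default root and size limit are mine.
function Get-AlternateStreamReport {
    param(
        [string]$Root = "$env:SystemDrive\Users",
        [int]$MaxBytesToRead = 512
    )
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $preview = $null
                    if ($_.Length -gt 0 -and $_.Length -le $MaxBytesToRead) {
                        # Zone.Identifier is a few lines of INI text (ZoneId, HostUrl, ReferrerUrl);
                        # larger streams are only sized, not read
                        $preview = (Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue) -replace '\r?\n', ' | '
                    }
                    [pscustomobject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                        Modified = $file.LastWriteTime
                        Preview  = $preview
                    }
                }
        }
}

# Usage: on a workstation almost every ADS is a Zone.Identifier mark; anything else,
# or a Zone.Identifier too large to be one, is what to look at
Get-AlternateStreamReport -Root 'C:\Users' |
    Where-Object { $_.Stream -ne 'Zone.Identifier' -or $_.Length -gt 512 } |
    Format-Table File, Stream, Length, Preview -AutoSize
```

A full-disk walk with -Recurse is slow and noisy on a busy host; scoping it to user profiles, ProgramData and temporary directories first, as the default root does, gives most of the value in a fraction of the time.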

It is useful to know which users are logged on to the system; for this we create a $user variable and assign it the output of the quser program.

$user = quser

Attackers can modify the autorun entries to gain persistence in the system. The startup entries can be inspected with the Get-ItemProperty cmdlet.
We create two variables: $runUser, which inspects the autorun entries of the current user's registry hive, and $runMachine, which inspects the machine-wide entries. Keep in mind that HKCU is the hive of the account the script runs as; when the script runs as SYSTEM, for example from a scheduled task, it is not the logged-on user's hive.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that each kind of information is written to its own file, we create one array holding the variables and another holding the file names, in the same order.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Then, with a for loop, the collected data is written to the files.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"
	}
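Writing objects with >> stores PowerShell's table rendering (columns truncated to the console width, long command lines cut off) and appends to whatever file is already there. The following is an added example, not code from the original article, that writes each dataset as CSV so every property survives and can be loaded again with Import-Csv, keeps plain text for external tools such as quser, and finishes with a manifest of SHA-256 hashes so the collection can later be shown to be unchanged. The function and file names are my own; the output directory in the usage is a placeholder.

```powershell
# Added example (not from the original article). CSV output plus a hash manifest for
# the collected files. Function name, file names and the C:\IR output path are mine.
function Write-CollectionSet {
    param(
        [Parameter(Mandatory)][hashtable]$DataSets,   # name -> objects, or lines of text
        [Parameter(Mandatory)][string]$OutDir
    )
    New-Item -Path $OutDir -ItemType Directory -Force | Out-Null
    foreach ($name in $DataSets.Keys) {
        $data = $DataSets[$name]
        if ($null -eq $data) { continue }
        if ($data -is [string] -or ($data | Select-Object -First 1) -is [string]) {
            # plain text from external programs such as quser
            $data | Out-File -FilePath "$OutDir\$name.txt" -Encoding utf8
        } else {
            $data | Export-Csv -LiteralPath "$OutDir\$name.csv" -NoTypeInformation -Encoding UTF8
        }
    }
    # hash everything written above; the manifest itself is excluded from its own list
    Get-ChildItem -LiteralPath $OutDir -File | Where-Object Name -ne 'manifest.csv' |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.Name
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                Host   = $env:COMPUTERNAME
                Taken  = (Get-Date).ToString('o')
            }
        } | Export-Csv -LiteralPath "$OutDir\manifest.csv" -NoTypeInformation -Encoding UTF8
}

# Usage with some of the datasets the article collects
$sets = @{
    Processes  = Get-CimInstance -ClassName Win32_Process | Select-Object CreationDate, ProcessName, ProcessId, CommandLine, ParentProcessId
    TCPConnect = Get-NetTCPConnection | Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State
    Users      = quser 2>$null
    RunMachine = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
}
Write-CollectionSet -DataSets $sets -OutDir "C:\IR\$env:COMPUTERNAME\$(Get-Date -Format dd.MM.yyyy_HH_mm)"
```

Recording the hashes at collection time is cheap and is what lets you answer, weeks later, whether the evidence you are looking at is what the host produced.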

After the script runs, nine files with the required information are created.

Today, cybersecurity specialists can use PowerShell to gather the information they need to handle various tasks in their work. By adding such a script to autorun, you can obtain some of this information without having to take memory dumps, disk images, and so on.

Source: www.habr.com
