Using PowerShell to collect incident data

PowerShell is a powerful cross-platform tool that is used both by malware developers and by information security specialists.
This article looks at one option for using PowerShell to collect data from endpoints when responding to information security incidents. To do this, we write a script that runs on the endpoint, and then walk through the script in detail.

function CSIRT{
param($path)  # directory where the collected data will be saved
if ($psversiontable.psversion.major -ge 5)
	{
	$date = Get-Date -Format dd.MM.yyyy_HH_mm   # 24-hour clock, so a morning and an evening run do not collide
	$Computer = $env:COMPUTERNAME
	$path = Join-Path $path "$Computer$date"     # one sub-directory per host and run
	New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state
	
	# UDP endpoints have no remote side and no connection state, so only these properties exist
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# note: only files in the current directory are inspected for alternate data streams
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		$array[$w] >> (Join-Path $path "$name.txt")
		}

	}

}

To begin, create a CSIRT function that takes one argument: the path under which the collected data will be saved. Because most of the cmdlets used here work in PowerShell v5, the PowerShell version is checked so that the function runs correctly.

function CSIRT{
		
param($path)  # when running the script, the directory to save to must be specified
if ($psversiontable.psversion.major -ge 5)

To make it easier to navigate the generated files, two variables are initialized, $date and $Computer, which hold the current date and the computer name; together they name the output directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
$path = Join-Path $path "$Computer$date"
New-Item -Path $path -ItemType 'Directory' -Force | Out-Null 

We get the list of processes running on behalf of the current user as follows: create a $process variable and assign it the result of the get-ciminstance cmdlet with the win32_process class. Using the Select-Object cmdlet, you can add the output properties you need; in our case these are parentprocessid (parent process ID, PPID), creationdate (process creation time), processid (process ID, PID), processname (process name) and commandline (the command that was run).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP and UDP connections, create the $netTCP and $netUDP variables by assigning them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets, respectively.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess  # UDP endpoints have no remote side or state

It is also important to know the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. Because a freshly installed system already contains many scheduled tasks, legitimate tasks must be filtered out in order to identify malicious ones. The Select-Object cmdlet, followed by where filters on the author field, helps with this.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft", "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob

In NTFS, a file can contain alternate data streams (ADS). This means that a file in NTFS can optionally be associated with several data streams of arbitrary size. Using ADS, you can hide data that will not be visible to a standard inspection. This makes it possible to inject malicious code and/or hide data.

To list alternate data streams in PowerShell, we use the get-item cmdlet with its built-in -stream parameter and the * wildcard to view all available streams; for this we create the $ADS variable. The default :$Data stream that every file has is filtered out.

$ADS = get-item * -stream * | where stream -ne ':$Data' 

It is useful to know the list of users logged into the system; for this we create a $user variable and assign it the output of the quser utility.

$user = quser

Attackers can make changes to autorun to gain a foothold in the system. To view startup items, you can use the Get-ItemProperty cmdlet.
Let's create two variables: $runUser, to view startup entries for the current user, and $runMachine, to view startup entries for the machine.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that all the data is written to separate files, we create one array with the variables and another array with the file names, in matching order.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Then, using a loop, the collected data is written to the files.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> (Join-Path $path "$name.txt")
	}

After the script runs, 9 text files containing the required data will have been created in the output directory.
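The >> redirection above stores the default table rendering, which truncates long command lines and is awkward to parse later, and the TCP list carries only a PID rather than the process behind it. The following added example (not part of the original article; the function names Get-EnrichedConnections and Export-TriageArtifact and the C:\triage path are assumptions) joins each TCP connection to its owning process from the same Win32_Process data, exports the result as CSV, and records a SHA-256 of each output file in a manifest so the collection can be verified after it leaves the host.

```powershell
# Added example (not from the article): enrich TCP connections with their owning process,
# write CSV instead of the default table text, and record file hashes for later verification.
function Get-EnrichedConnections {
    # Build a PID -> process map once, so every connection is joined without re-querying WMI.
    $byPid = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $byPid[[int]$_.ProcessId] = $_ }

    Get-NetTCPConnection | ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        # A connection may outlive its process for a moment; mark those instead of dropping them.
        $pname  = if ($owner) { $owner.Name }            else { '<exited>' }
        $ppid   = if ($owner) { $owner.ParentProcessId } else { $null }
        $cmd    = if ($owner) { $owner.CommandLine }     else { $null }
        [pscustomobject]@{
            CreationTime  = $_.CreationTime
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            OwningPID     = $_.OwningProcess
            ProcessName   = $pname
            ParentPID     = $ppid
            CommandLine   = $cmd
        }
    }
}

function Export-TriageArtifact {
    param([string]$OutputDirectory, [string]$Name, [object[]]$Data)
    New-Item -Path $OutputDirectory -ItemType Directory -Force | Out-Null
    $file = Join-Path $OutputDirectory "$Name.csv"
    # CSV keeps full command lines; '>>' table output truncates wide columns.
    $Data | Export-Csv -Path $file -NoTypeInformation -Encoding UTF8
    # Append the file hash to a manifest so the artifacts can be verified after transfer.
    $hash = Get-FileHash -Path $file -Algorithm SHA256
    "$($hash.Hash)  $(Split-Path $file -Leaf)" |
        Add-Content -Path (Join-Path $OutputDirectory 'SHA256SUMS.txt')
    return $file
}

# Usage: same per-host directory naming as the article's CSIRT function (C:\triage is assumed).
$out = Join-Path 'C:\triage' "$env:COMPUTERNAME$(Get-Date -Format dd.MM.yyyy_HH_mm)"
Export-TriageArtifact -OutputDirectory $out -Name 'TCPConnect' -Data (Get-EnrichedConnections)
```

Recomputing the hashes with Get-FileHash after the directory has been copied off the host and comparing them with SHA256SUMS.txt confirms that nothing was altered in transit.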

Today, cybersecurity specialists can use PowerShell to collect the data they need for a wide range of tasks in their work. By adding such a script to startup, you can obtain some of this data without taking a memory dump, a disk image and so on.

Source: www.hab.com
