Using PowerShell to Collect Incident Information

PowerShell is a widely available automation tool that is used by malware authors and information security specialists alike.
This article looks at ways of using PowerShell to collect data from endpoints while responding to information security incidents. To do that you need a script that runs on the endpoint; the complete script is given first and then described piece by piece.

function CSIRT{
param($path)
if ($psversiontable.psversion.major -ge 5)
	{
	# HH gives a 24-hour clock; hh would make 01:00 and 13:00 collide
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	New-Item -Path "$path\$computer-$date" -ItemType 'Directory' -Force | Out-Null
	$path = "$path\$computer-$date"

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state
	
	# UDP is connectionless: endpoints have no remote address, remote port or state
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# Only files in the current directory are checked for alternate data streams
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# Quoted: unquoted $name.txt would be parsed as a property access on $name
		$array[$w] >> "$path\$name.txt"
		}

	}

}

To begin, create a function named CSIRT that takes one argument: the path under which the collected data is saved. Because most of the cmdlets used here require PowerShell 5 or later, the PowerShell version is checked so that the script runs correctly.

function CSIRT{
		
param($path) # when running the script, pass the directory in which to save the results
if ($psversiontable.psversion.major -ge 5)

To make the created files easy to find, two variables are initialised: $date and $Computer, which hold the current date and time and the computer name. Together they form the name of the output directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer-$date" -ItemType 'Directory' -Force | Out-Null 
$path = "$path\$computer-$date"

The list of running processes is obtained as follows: create a variable $process and assign it the output of the get-ciminstance cmdlet with the win32_process class. With the Select-Object cmdlet you can choose which fields are output; here they are creationdate (process creation time), processname (process name), processid (process ID, PID), commandline (the command line the process was started with) and parentprocessid (parent process ID, PPID). The PPID and command line are what you need to rebuild a process tree and spot, for example, an office application spawning a script interpreter.

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get a list of all TCP connections and UDP endpoints, create the variables $netTCP and $netUDP and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively. The owningprocess field ties each socket back to a PID in the process list.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

# UDP endpoints have no remote address, remote port or state, so only the local side is selected
$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess

It is also important to find out the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the variables $task and $job. Because a system already has a large number of scheduled tasks out of the box, it is worth filtering out the legitimate ones in order to spot malicious activity. Select-Object picks the fields of interest and Where-Object drops tasks whose author looks like Microsoft. Keep in mind that the Author field is free text set by whoever registers the task, so an attacker can set it to anything; the filter reduces noise but is not a security boundary.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as empty authors
$job = Get-ScheduledJob
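Selecting the actions and triggers columns only prints the CIM type names of those objects, so the saved file does not show what a task actually runs. The following added example (not part of the original article) flattens each non-Microsoft task into one row per action with the executable, its arguments and the trigger kinds. The function name Get-SuspiciousTaskActions, the default pattern list and the hypothetical $path output directory are my choices; the cmdlets are the same ScheduledTasks module the article relies on.

```powershell
# Added example: one row per action for tasks whose Author does not look like Microsoft.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later, PowerShell 5.1+).
function Get-SuspiciousTaskActions {
    param(
        # Author patterns to drop; mirrors the article's filter (assumption: adjust per environment)
        [string[]]$ExcludeAuthorPatterns = @('*Microsoft*', '*Майкрософт*', '*@%systemroot%*')
    )

    Get-ScheduledTask | ForEach-Object {
        $task   = $_
        $author = $task.Author

        # Tasks with an empty Author are dropped, as in the original script
        if ([string]::IsNullOrEmpty($author)) { return }   # 'return' skips this iteration only
        foreach ($pattern in $ExcludeAuthorPatterns) {
            if ($author -like $pattern) { return }
        }

        # Trigger CIM class names such as MSFT_TaskLogonTrigger -> LogonTrigger
        $triggerKinds = ($task.Triggers | ForEach-Object {
            $_.CimClass.CimClassName -replace '^MSFT_Task', ''
        }) -join ';'

        foreach ($action in $task.Actions) {
            # Execute/Arguments/WorkingDirectory exist on MSFT_TaskExecAction;
            # other action types (COM handlers) return $null for them
            [pscustomobject]@{
                TaskName  = $task.TaskName
                TaskPath  = $task.TaskPath
                Author    = $author
                State     = $task.State
                Execute   = $action.Execute
                Arguments = $action.Arguments
                WorkDir   = $action.WorkingDirectory
                Triggers  = $triggerKinds
            }
        }
    }
}

# Usage inside the CSIRT function, writing next to the other output files ($path is the
# directory created by the script):
# Get-SuspiciousTaskActions | Export-Csv -Path "$path\TaskScheduled.csv" -NoTypeInformation -Encoding UTF8
```

Export-Csv is used instead of `>>` so that long argument strings are kept in full rather than truncated to the console width by the default table formatter.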

The NTFS file system has a feature called alternate data streams (ADS). It means that a file in NTFS may have several data streams of arbitrary size associated with it. ADS can be used to hide data that is not visible to standard system checks such as dir or Explorer, which makes it possible to plant malicious code and/or conceal data.

To show alternate data streams in PowerShell we use the get-item cmdlet with its -Stream parameter and the * wildcard to list every stream, and store the result in the variable $ADS. The primary stream of every file is named :$DATA, so it is filtered out; note that get-item * only looks at files in the current directory.

$ADS = get-item * -stream * | where stream -ne ':$Data' 
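The single-directory scan above is easy to widen. The following added example (not from the original article) walks a directory tree, keeps only non-default streams and reads the contents of small ones, such as Zone.Identifier, which Windows attaches to downloaded files and which records the origin zone. The function name Get-AlternateDataStreams, the default root of $env:USERPROFILE and the 512-byte preview limit are my assumptions.

```powershell
# Added example: recursive alternate data stream inventory with a content preview of small streams.
function Get-AlternateDataStreams {
    param(
        [string]$Root = $env:USERPROFILE,   # assumption: where to start the scan
        [int]$MaxPreviewBytes = 512         # assumption: only streams up to this size are read
    )

    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        # FileInfo objects bind to -LiteralPath via their PSPath property
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $preview = ''
            if ($_.Length -le $MaxPreviewBytes) {
                # Zone.Identifier is INI-like text; ZoneId=3 means the file came from the Internet zone
                $raw = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                if ($raw) { $preview = ($raw -replace '\r?\n', ' | ').Trim() }
            }

            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Length  = $_.Length
                Preview = $preview
            }
        }
}

# Usage: list streams under the user profile, showing the largest first
# Get-AlternateDataStreams | Sort-Object Length -Descending | Format-Table -AutoSize
```

Large streams are deliberately not read, because an ADS can be as big as a regular file and may contain a binary payload; for those, hash or copy the stream out with Get-Content -Stream -Encoding Byte (PowerShell 5.1) rather than previewing it.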

It is also useful to know which users are logged on to the system; for this we create the variable $user and assign it the output of the quser program. quser returns plain text lines rather than objects, which is fine for a log file.

$user = quser

Attackers can modify autorun entries to gain a foothold on the system. To view startup entries you can use the Get-ItemProperty cmdlet on the Run keys.
Let's create two variables: $runUser, to view autorun entries for the current user (HKCU), and $runMachine, to view autorun entries for the whole machine (HKLM).

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that each kind of information is written to its own file, we create one array holding the variables and a parallel array holding the file names. The two arrays must have the same length and order, because the loop below pairs them by index.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Then, using a for loop, the collected data is written to the files.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"   # quoted so that .txt is not parsed as a property of $name
	}

After the script runs, nine text files containing the required information are created in the directory named after the computer and the date. Note that `>>` writes PowerShell's default table formatting, so wide fields such as command lines may be truncated to the console width; piping each object to Export-Csv instead preserves the full values.

Today, cybersecurity professionals can use PowerShell to gather the information they need for a wide range of tasks. By deploying such a script to the endpoints, you can obtain a good part of the triage data without taking memory dumps, disk images and so on.

Sous: www.habr.com
