שימוש ב-PowerShell לאיסוף מידע על אירוע

PowerShell הוא כלי אוטומציה נפוץ למדי, המשמש לעתים קרובות גם מפתחי תוכנות זדוניות וגם מומחי אבטחת מידע.
ืžืืžืจ ื–ื” ื™ื“ื•ืŸ ื‘ืืคืฉืจื•ืช ืฉืœ ืฉื™ืžื•ืฉ ื‘- PowerShell ืœืื™ืกื•ืฃ ืžืจื—ื•ืง ื ืชื•ื ื™ื ืžืžื›ืฉื™ืจื™ ืงืฆื” ื‘ืขืช ืชื’ื•ื‘ื” ืœืื™ืจื•ืขื™ ืื‘ื˜ื—ืช ืžื™ื“ืข. ืœืฉื ื›ืš ืชืฆื˜ืจื›ื• ืœื›ืชื•ื‘ ืกืงืจื™ืคื˜ ืฉื™ืคืขืœ ืขืœ ืžื›ืฉื™ืจ ื”ืงืฆื” ื•ืœืื—ืจ ืžื›ืŸ ื™ื”ื™ื” ืชื™ืื•ืจ ืžืคื•ืจื˜ ืฉืœ ื”ืกืงืจื™ืคื˜ ื”ื–ื”.

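function CSIRT{
<#
.SYNOPSIS
    Collects a triage snapshot of the local host into a per-host, per-run output folder.

.DESCRIPTION
    Gathers nine data sets - processes, TCP connections, UDP endpoints, scheduled tasks
    (non-vendor authors only), PowerShell scheduled jobs, alternate data streams of the
    items in the current directory, logged-on sessions, and the per-user and per-machine
    Run keys - and writes each one to its own text file under
    <path>\<COMPUTERNAME>\<dd.MM.yyyy_HH_mm>.
    Requires PowerShell 5 or later; on an older version a warning is written and nothing
    is collected.

.PARAMETER path
    Root directory for the output. The host/timestamp sub-folder is created beneath it.
    An empty value means the current location.

.OUTPUTS
    None. Files are written to disk; the collected objects are not returned.

.NOTES
    Output files are appended to, so re-running within the same minute adds to the
    existing files rather than replacing them.
#>
param($path)
if ($psversiontable.psversion.major -ge 5)
	{
	# HH (24-hour) rather than hh, so a 02:00 run and a 14:00 run never share a folder.
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	if ([string]::IsNullOrEmpty($path)) { $path = (Get-Location).Path }
	# Join-Path supplies the separators, so a root given with or without a trailing '\' works.
	$path = Join-Path (Join-Path $path $Computer) $date
	New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

	# All processes visible to the caller (not only the current user's); CommandLine and
	# ParentProcessId are the fields that usually matter in triage.
	$process = Get-CimInstance -ClassName Win32_Process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | Select-Object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	$netUDP = Get-NetUDPEndpoint | Select-Object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# Keep only tasks whose Author is set and does not look vendor-supplied ("Microsoft",
	# its localised spelling, or the '@%systemroot%...' resource-reference form). Author is
	# free text chosen by whoever created the task, so this reduces noise but is not a
	# trust boundary - a task can claim any author.
	$task = Get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
	Where-Object author -ne $null | Where-Object author -notlike '*Майкрософт*' |
	Where-Object author -notlike '*@%systemroot%*' | Where-Object author -notlike '*microsoft*'

	# PowerShell scheduled jobs (PSScheduledJob module) are separate from Task Scheduler tasks.
	$job = Get-ScheduledJob

	# Alternate data streams of the items in the *current* directory only (non-recursive).
	# ':$Data' is the default stream every file has; single quotes keep it literal.
	$ADS = Get-Item * -Stream * | Where-Object stream -ne ':$Data'

	# Logged-on sessions as plain text lines from quser.exe.
	$user = quser

	# Autorun entries. The key must be a single-line argument with backslashes between segments.
	# NOTE(review): RunOnce and the Wow6432Node Run key are not collected here.
	$runUser = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
	$runMachine = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'

	# $array[i] is written to "<$arrayName[i]>.txt"; keep the two lists in the same order.
	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"

	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# -Width stops the default table formatting from truncating long cells (command lines).
		$array[$w] | Out-File -FilePath (Join-Path $path "$name.txt") -Append -Width 4096
		}
	}
else
	{
	Write-Warning "CSIRT: PowerShell 5 or later is required (found $($PSVersionTable.PSVersion)); nothing collected."
	}
}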

כדי להתחיל, צור פונקציה בשם CSIRT שתקבל ארגומנט אחד - הנתיב לשמירת הנתונים שהתקבלו. מאחר שרוב ה-cmdlets שבשימוש דורשים PowerShell v5, הסקריפט בודק תחילה את גרסת PowerShell כדי להבטיח פעולה נכונה.

function CSIRT{
		
param($path)# ะฟั€ะธ ะทะฐะฟัƒัะบะต ัะบั€ะธะฟั‚ะฐ ะฝะตะพะฑั…ะพะดะธะผะพ ัƒะบะฐะทะฐั‚ัŒ ะดะธั€ะตะบั‚ะพั€ะธัŽ ะดะปั ัะพั…ั€ะฐะฝะตะฝะธั
if ($psversiontable.psversion.major -ge 5)

כדי להקל על הניווט בין הקבצים שנוצרו, מאותחלים שני משתנים: $date ו-$Computer, שמוקצים להם התאריך הנוכחי ושם המחשב.

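# HH is the 24-hour clock; with hh a 02:00 run and a 14:00 run would share a folder name.
$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
# <root>\<host>\<timestamp>; Join-Path supplies the separators, which were lost in the original.
$path = Join-Path (Join-Path $path $Computer) $date
# '-ItemType' must be an ASCII hyphen (an en dash is not recognised as a parameter).
New-Item -Path $path -ItemType 'Directory' -Force | Out-Null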

את רשימת התהליכים הרצים מטעם המשתמש הנוכחי מקבלים באופן הבא: יוצרים משתנה $process ומקצים לו את פלט ה-cmdlet get-ciminstance עם המחלקה win32_process. באמצעות ה-cmdlet Select-Object ניתן לבחור את שדות הפלט, ובמקרה שלנו אלו יהיו creationdate (תאריך יצירת התהליך), processname (שם התהליך), processid (מזהה התהליך, PID), commandline (שורת הפקודה שהופעלה) ו-parentprocessid (מזהה תהליך האב, PPID).

# Every process on the host, reduced to the five fields that matter most for triage.
$process = Get-CimInstance -ClassName Win32_Process |
    Select-Object -Property creationdate, processname, processid, commandline, parentprocessid

כדי לקבל רשימה של כל חיבורי ה-TCP ונקודות הקצה של UDP, צור את המשתנים $netTCP ו-$netUDP על ידי הקצאת פלט ה-cmdlets Get-NetTCPConnection ו-Get-NetUDPEndpoint, בהתאמה.

# Current TCP connections and UDP endpoints, each with the owning process id so they can be
# joined back to the process list.
$netTCP = Get-NetTCPConnection |
    Select-Object -Property creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint |
    Select-Object -Property creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

חשוב יהיה לברר את רשימת המשימות המתוזמנות והעבודות המתוזמנות. לשם כך אנו משתמשים ב-cmdlets get-ScheduledTask ו-Get-ScheduledJob, ומקצים את פלטם למשתנים $task ו-$job. מכיוון שיש במערכת הרבה משימות מתוזמנות לגיטימיות, כדאי לסנן אותן כדי שיהיה קל יותר לזהות פעילות זדונית. ה-cmdlets Select-Object ו-Where-Object יעזרו לנו בכך.

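# Keep only tasks whose Author is set and does not look vendor-supplied: it excludes authors
# containing "Майкрософт" (the localised vendor name, restored from a mis-encoded literal),
# "Microsoft", or the '@%systemroot%...' resource-reference form, as well as empty authors.
# Author is free text chosen by whoever created the task, so this only reduces noise;
# it is not a trust boundary.
$task = Get-ScheduledTask |
    Select-Object author, actions, triggers, state, description, taskname |
    Where-Object author -ne $null |
    Where-Object author -notlike '*Майкрософт*' |
    Where-Object author -notlike '*@%systemroot%*' |
    Where-Object author -notlike '*microsoft*'
# PowerShell scheduled jobs (PSScheduledJob module) are a separate mechanism from Task Scheduler tasks.
$job = Get-ScheduledJob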

במערכת הקבצים NTFS קיים מנגנון בשם זרמי נתונים חלופיים (Alternate Data Streams, ADS). משמעות הדבר היא שלקובץ ב-NTFS ניתן לשייך כמה זרמי נתונים בגודל שרירותי. באמצעות ADS אפשר להסתיר נתונים שלא יהיו גלויים בבדיקות מערכת רגילות, וכך להחדיר קוד זדוני ו/או להסתיר מידע.

כדי להציג זרמי נתונים חלופיים ב-PowerShell נשתמש ב-cmdlet get-item עם הפרמטר -stream והסמל * (כל הזרמים), ונשמור את התוצאה במשתנה $ADS.

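# Alternate data streams of the items in the *current* directory only (non-recursive).
# ':$Data' is the default stream every file has, so only additional streams are kept;
# single quotes keep $Data literal, and '-ne' must be an ASCII hyphen, not an en dash.
$ADS = Get-Item * -Stream * | Where-Object stream -ne ':$Data'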

כדאי גם לברר את רשימת המשתמשים המחוברים למערכת; לשם כך ניצור משתנה $user ונקצה לו את פלט התוכנית quser.

# Logged-on sessions, captured as the text lines printed by the quser console tool.
$user = & quser

ืชื•ืงืคื™ื ื™ื›ื•ืœื™ื ืœื‘ืฆืข ืฉื™ื ื•ื™ื™ื ื‘ื”ืคืขืœื” ืื•ื˜ื•ืžื˜ื™ืช ื›ื“ื™ ืœื”ืฉื™ื’ ื“ืจื™ืกืช ืจื’ืœ ื‘ืžืขืจื›ืช. ื›ื“ื™ ืœื”ืฆื™ื’ ืื•ื‘ื™ื™ืงื˜ื™ ื”ืคืขืœื”, ืืชื” ื™ื›ื•ืœ ืœื”ืฉืชืžืฉ ื‘-cmdlet Get-ItemProperty.
ניצור שני משתנים: $runUser - לצפייה בהפעלה האוטומטית של המשתמש הנוכחי, ו-$runMachine - לצפייה בהפעלה האוטומטית ברמת המחשב.

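# Autorun entries. The key path must be on the same line as the cmdlet (a line break ends the
# statement and leaves Get-ItemProperty without a path), and the segments need backslashes.
# NOTE(review): RunOnce and the Wow6432Node Run key are not collected here.
$runUser = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runMachine = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'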

כדי שכל המידע ייכתב לקבצים נפרדים, אנו יוצרים מערך של המשתנים ומערך מקביל של שמות הקבצים.


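# $array[i] is written to "<$arrayName[i]>.txt"; keep both lists in the same order.
$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
# The comma after "UDPConnect" is required (two adjacent strings are a parse error), and the
# last name has no spaces so the file name matches the one used elsewhere in the script.
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"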

באמצעות לולאת for, הנתונים שנאספו ייכתבו לקבצים.

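# Write each collected data set to its own file; the loop body needs the closing brace.
for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	# -Width stops the default table formatting from truncating long cells such as command lines.
	$array[$w] | Out-File -FilePath (Join-Path $path "$name.txt") -Append -Width 4096
}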

ืœืื—ืจ ื‘ื™ืฆื•ืข ื”ืกืงืจื™ืคื˜, ื™ื™ื•ื•ืฆืจื• 9 ืงื‘ืฆื™ ื˜ืงืกื˜ ื”ืžื›ื™ืœื™ื ืืช ื”ืžื™ื“ืข ื”ื“ืจื•ืฉ.

ื›ื™ื•ื, ืื ืฉื™ ืื‘ื˜ื—ืช ืกื™ื™ื‘ืจ ื™ื›ื•ืœื™ื ืœื”ืฉืชืžืฉ ื‘-PowerShell ื›ื“ื™ ืœื”ืขืฉื™ืจ ืืช ื”ืžื™ื“ืข ื”ื ื—ื•ืฅ ืœื”ื ืœืคืชืจื•ืŸ ืžื’ื•ื•ืŸ ืžืฉื™ืžื•ืช ื‘ืขื‘ื•ื“ืชื. ืขืœ ื™ื“ื™ ื”ื•ืกืคืช ืกืงืจื™ืคื˜ ืœื”ืคืขืœื”, ืืชื” ื™ื›ื•ืœ ืœืงื‘ืœ ืงืฆืช ืžื™ื“ืข ืžื‘ืœื™ ืœื”ืกื™ืจ dumps, ืชืžื•ื ื•ืช ื•ื›ื•'.

מקור: www.habr.com
