Using PowerShell to Collect Incident Information

PowerShell is a very common automation tool that is used both by malware authors and by information security specialists.
This article looks at how PowerShell can be used to collect data from an endpoint when responding to an information security incident. To do this we write a script that is run on the endpoint; a detailed description of the script follows.

function CSIRT{
param($path)   # directory in which the collected data is saved; must be given when the script is run
if ($psversiontable.psversion.major -ge 5)
	{
	$date = Get-Date -Format dd.MM.yyyy_HH_mm   # HH: 24-hour clock, hh would be ambiguous
	$Computer = $env:COMPUTERNAME
	New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
	$path = "$path\$computer$date"

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP is connectionless: Get-NetUDPEndpoint has no remote address, remote port or state
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# only the directory the script is run from: get-item * does not recurse
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# wide output so that long command lines are not cut at the default console width
		$array[$w] | Out-File -FilePath "$path\$name.txt" -Append -Width 4096
		}

	}

}

To begin, we create the function CSIRT, which takes one argument: the path under which the collected data is saved. Because most of the cmdlets used are only available from PowerShell 5 onwards, the PowerShell version is checked so that the script runs correctly.

function CSIRT{
		
param($path)# the directory to save to must be given when the script is run
if ($psversiontable.psversion.major -ge 5)

To make it easy to navigate the generated files, two variables are initialised: $date and $Computer, which hold the current date and time and the computer name; together they form the name of the output directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null 
$path = "$path\$computer$date"

We obtain the list of running processes (all processes on the host, not only the current user's; without administrative rights the command lines of other users' processes may come back empty): create the variable $process and assign it the output of the get-ciminstance cmdlet for the win32_process class. The Select-Object cmdlet picks the output fields, which here are creationdate (when the process was created), processname, processid (the PID), commandline (the command the process was started with) and parentprocessid (the PPID, the ID of the parent process).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid
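The raw process list is most useful when it is read as a tree. The following added example (not part of the original article) takes the same Win32_Process snapshot and flags children of document and script hosts that turn into shells, and command lines that carry an encoded PowerShell payload. The parent and child lists and the "-enc" heuristic are the author's own assumptions about common tradecraft, and the sample snapshot is constructed so the function can be tried offline.

```powershell
# Added example, not from the original article: suspicious parent/child pairs
# in a Win32_Process snapshot (objects with ProcessId, ParentProcessId, Name, CommandLine).
function Get-SuspiciousProcessChain {
    param(
        [Parameter(Mandatory)] [object[]] $Processes
    )
    # Parents that rarely have a legitimate reason to launch a shell or script host (assumption)
    $riskyParents  = 'winword.exe','excel.exe','powerpnt.exe','outlook.exe','acrord32.exe','mshta.exe','wscript.exe'
    $riskyChildren = 'cmd.exe','powershell.exe','pwsh.exe','wscript.exe','cscript.exe','mshta.exe','rundll32.exe','regsvr32.exe'

    # Index by PID so every child can look up its parent directly
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($child in $Processes) {
        $parent  = $byPid[[int]$child.ParentProcessId]   # $null when the parent is gone or the PID was reused
        $reasons = @()
        # -contains compares case-insensitively, so WINWORD.EXE matches winword.exe
        if ($parent -and ($riskyParents -contains $parent.Name) -and ($riskyChildren -contains $child.Name)) {
            $reasons += "$($parent.Name) spawned $($child.Name)"
        }
        # -e / -ec / -enc / -EncodedCommand followed by a base64 blob
        if ($child.CommandLine -match '\s-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}') {
            $reasons += 'encoded PowerShell command line'
        }
        if ($reasons) {
            [pscustomobject]@{
                ProcessId   = $child.ProcessId
                Name        = $child.Name
                Parent      = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { "<not running: $($child.ParentProcessId)>" }
                CommandLine = $child.CommandLine
                Reasons     = $reasons -join '; '
            }
        }
    }
}

# Constructed sample snapshot (not real telemetry) so the function can be tried offline
$sample = @(
    [pscustomobject]@{ ProcessId=900;  ParentProcessId=700;  Name='explorer.exe';    CommandLine='C:\Windows\explorer.exe' }
    [pscustomobject]@{ ProcessId=4000; ParentProcessId=900;  Name='WINWORD.EXE';     CommandLine='"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n invoice.docm' }
    [pscustomobject]@{ ProcessId=4100; ParentProcessId=4000; Name='powershell.exe';  CommandLine='powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
)
Get-SuspiciousProcessChain -Processes $sample | Format-List

# On a live host, feed it the same snapshot the article collects:
# Get-SuspiciousProcessChain -Processes (Get-CimInstance Win32_Process) | Export-Csv suspicious.csv -NoTypeInformation
```

Only the powershell.exe entry of the sample is reported, with both reasons. Note that a snapshot cannot distinguish a parent that exited from a PID that has since been reused, so a "not running" parent is context, not evidence.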

To get the list of all TCP connections and UDP endpoints, create the variables $netTCP and $netUDP and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets. UDP is connectionless, so Get-NetUDPEndpoint only reports the local address, local port and owning process; there is no remote address, remote port or state to select.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess
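The owningprocess column is only a number; during triage the analyst wants the process name and command line next to each connection, and usually only the established connections that leave the local network. The following added example (not from the original article) joins the TCP snapshot to the process snapshot and filters on the remote address. The private-range test and the function names are the author's own, and both input sets are constructed for the demonstration.

```powershell
# Added example, not from the original article: established TCP connections to
# non-private addresses, enriched with the owning process.

# Loopback, link-local and RFC 1918 / ULA ranges are "private" here (assumption:
# an internal-only address is rarely the first thing to chase in an incident).
function Test-PrivateAddress([string]$Address) {
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) { return $true }   # unparsable: skip
    if ($ip.IsIPv4MappedToIPv6) { return Test-PrivateAddress $ip.MapToIPv4().ToString() }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq 'InterNetworkV6') {
        return [System.Net.IPAddress]::IsLoopback($ip) -or $ip.IsIPv6LinkLocal -or
               (($b[0] -band 0xfe) -eq 0xfc) -or ($Address -eq '::')
    }
    return ($b[0] -eq 0) -or ($b[0] -eq 10) -or ($b[0] -eq 127) -or
           ($b[0] -eq 169 -and $b[1] -eq 254) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

function Get-ExternalConnection {
    param(
        [Parameter(Mandatory)] [object[]] $Connections,   # Get-NetTCPConnection shape
        [Parameter(Mandatory)] [object[]] $Processes      # Win32_Process shape: ProcessId, Name, CommandLine
    )
    $byPid = @{}
    foreach ($p in $Processes) { $byPid[[int]$p.ProcessId] = $p }

    foreach ($c in $Connections) {
        if ($c.State -ne 'Established') { continue }          # listeners and time-waits are noise here
        if (Test-PrivateAddress $c.RemoteAddress) { continue }
        $owner = $byPid[[int]$c.OwningProcess]
        [pscustomobject]@{
            Local       = "$($c.LocalAddress):$($c.LocalPort)"
            Remote      = "$($c.RemoteAddress):$($c.RemotePort)"
            Pid         = $c.OwningProcess
            Process     = if ($owner) { $owner.Name } else { '<unknown>' }   # process exited since the snapshot
            CommandLine = if ($owner) { $owner.CommandLine } else { $null }
        }
    }
}

# Constructed sample data (203.0.113.0/24 is a documentation range, not a real host)
$procs = @(
    [pscustomobject]@{ ProcessId=4100; Name='powershell.exe'; CommandLine='powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }
    [pscustomobject]@{ ProcessId=2200; Name='chrome.exe';     CommandLine='"C:\Program Files\Google\Chrome\Application\chrome.exe"' }
)
$conns = @(
    [pscustomobject]@{ LocalAddress='192.168.1.20'; LocalPort=49811; RemoteAddress='203.0.113.7'; RemotePort=443; State='Established'; OwningProcess=4100 }
    [pscustomobject]@{ LocalAddress='192.168.1.20'; LocalPort=49812; RemoteAddress='192.168.1.5'; RemotePort=445; State='Established'; OwningProcess=4 }
    [pscustomobject]@{ LocalAddress='0.0.0.0';      LocalPort=135;   RemoteAddress='0.0.0.0';     RemotePort=0;   State='Listen';      OwningProcess=900 }
)
Get-ExternalConnection -Connections $conns -Processes $procs | Format-Table -AutoSize

# Live host: Get-ExternalConnection -Connections (Get-NetTCPConnection) -Processes (Get-CimInstance Win32_Process)
```

Only the 203.0.113.7:443 connection owned by powershell.exe survives the filter. Because the two snapshots are taken at slightly different moments, a connection can reference a PID that is no longer in the process list; the example reports it as unknown rather than dropping it.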

It is important to know the scheduled tasks and scheduled jobs on the host. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their results to the variables $task and $job. A system contains many scheduled tasks, so to spot malicious activity the legitimate ones have to be filtered out: Select-Object picks the fields and Where-Object drops tasks whose author looks like Microsoft. Keep in mind that Author is free text written by whoever registered the task, so malware can simply set it to "Microsoft Corporation"; the filter reduces noise but must not be the only criterion.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "@%systemroot%", as well as empty authors
$job = Get-ScheduledJob
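Two things get lost in the $task listing: the actions column prints only the type name of the action object, not the command it runs, and the Author filter discards anything that claims to be from Microsoft. The following added example (not from the original article) expands each task action into executable and arguments and flags tasks by what they run. The list of user-writable locations and script hosts is the author's assumption; the two sample tasks are constructed, and the second one would be hidden by the article's Author filter.

```powershell
# Added example, not from the original article: judge scheduled tasks by their
# action rather than by the free-text Author field.
function Get-TaskAction {
    param(
        [Parameter(Mandatory)] [object[]] $Tasks   # Get-ScheduledTask output, or objects with TaskPath, TaskName, Author, State, Actions
    )
    # Locations a legitimate scheduled task rarely runs from, and LOLBin-style hosts (assumption)
    $userWritable = '\Users\', '\Temp\', '\AppData\', '\ProgramData\', '\Public\'
    $scriptHosts  = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32', 'regsvr32', 'certutil', 'bitsadmin'

    foreach ($t in $Tasks) {
        foreach ($a in $t.Actions) {
            # MSFT_TaskExecAction carries Execute/Arguments; COM-handler actions have no Execute
            if (-not $a.Execute) { continue }
            $exe  = [System.Environment]::ExpandEnvironmentVariables($a.Execute).Trim('"')
            $base = (($exe -split '[\\/]')[-1] -replace '\.[^.]*$', '').ToLower()   # file name without extension
            $flags = @()
            if ($userWritable | Where-Object { $exe -like "*$_*" }) { $flags += 'runs from user-writable path' }
            if ($scriptHosts -contains $base)                       { $flags += "script host ($base)" }
            if ($a.Arguments -match '-(e|ec|enc|encodedcommand)\s|https?://') { $flags += 'encoded or download arguments' }
            [pscustomobject]@{
                TaskPath  = $t.TaskPath
                TaskName  = $t.TaskName
                Author    = $t.Author
                State     = $t.State
                Execute   = $exe
                Arguments = $a.Arguments
                Flags     = $flags -join '; '
            }
        }
    }
}

# Constructed sample: a genuine Microsoft task and a persistence task with a faked Author
$sample = @(
    [pscustomobject]@{ TaskPath='\Microsoft\Windows\Defrag\'; TaskName='ScheduledDefrag'; Author='Microsoft Corporation'; State='Ready'
                       Actions=@([pscustomobject]@{ Execute='%windir%\system32\defrag.exe'; Arguments='-c -h -o -$' }) }
    [pscustomobject]@{ TaskPath='\'; TaskName='OneDriveUpdate'; Author='Microsoft Corporation'; State='Ready'
                       Actions=@([pscustomobject]@{ Execute='powershell.exe'; Arguments='-nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA' }) }
)
Get-TaskAction -Tasks $sample | Format-Table TaskName, Author, Execute, Flags -AutoSize

# Live host, keeping only flagged tasks:
# Get-TaskAction -Tasks (Get-ScheduledTask) | Where-Object Flags | Export-Csv tasks.csv -NoTypeInformation
```

ScheduledDefrag comes out with no flags, OneDriveUpdate with "script host (powershell); encoded or download arguments" despite its Microsoft author. For a full record of a suspicious task, Export-ScheduledTask -TaskName <name> -TaskPath <path> returns the complete XML definition, including triggers and the principal it runs as.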

The NTFS file system has a feature called alternate data streams (ADS). A file on NTFS can optionally carry several additional data streams of arbitrary size. With ADS, data can be hidden so that it is not visible to standard system checks, which makes it possible to stash malicious code and/or hide data.

To list alternate data streams in PowerShell we use the get-item cmdlet with its -Stream parameter and the wildcard * to see every stream of every file, and drop the main (unnamed) stream ':$DATA'; the result goes into the variable $ADS. Note that get-item * only covers the directory the script is run from; it does not recurse into subdirectories.

$ADS = get-item * -stream * | where stream -ne ':$Data' 
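The following added example (not from the original article) enumerates streams recursively from a root directory and, for the most common stream, Zone.Identifier, decodes the mark-of-the-web that records where a downloaded file came from. The function name is the author's own, and the demonstration creates its own sample file with two constructed streams in a temporary directory, so it needs an NTFS volume but no other input.

```powershell
# Added example, not from the original article: recursive ADS enumeration with
# Zone.Identifier (mark-of-the-web) decoding.
function Get-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Root
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |          # skip the main (unnamed) stream
                ForEach-Object {
                    $zone = $null; $origin = $null
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # ZoneId=3 means Internet; HostUrl/ReferrerUrl give the download origin
                        $motw   = Get-Content -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
                        $zone   = ($motw | Where-Object { $_ -like 'ZoneId=*' }) -replace '^ZoneId=', ''
                        $origin = ($motw | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
                    }
                    [pscustomobject]@{
                        File    = $file
                        Stream  = $_.Stream
                        Length  = $_.Length
                        ZoneId  = $zone
                        HostUrl = $origin
                    }
                }
        }
}

# Constructed sample on a temporary NTFS directory: a "downloaded" file carrying a
# mark-of-the-web plus a second, hidden stream holding a script.
$dir = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$f = Join-Path $dir 'invoice.pdf'
Set-Content -LiteralPath $f -Value 'not really a pdf'
Set-Content -LiteralPath $f -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/invoice.pdf"
Set-Content -LiteralPath $f -Stream 'payload.ps1' -Value 'Write-Host hidden'

Get-AlternateStream -Root $dir | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force

# Live host, e.g. the user profiles: Get-AlternateStream -Root C:\Users | Export-Csv ads.csv -NoTypeInformation
```

The sample yields two rows for invoice.pdf: Zone.Identifier with ZoneId 3 and the origin URL, and payload.ps1 with no zone data. Zone.Identifier streams are everywhere on a normal host, so the interesting rows are the other stream names and any Zone.Identifier on a file that is not expected to have been downloaded. Directory listings only cover what the running account can read, so run the enumeration with administrative rights for profiles other than your own.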

It is also useful to know which users are logged on to the system; for this we create the variable $user and assign it the output of the quser program.

$user = quser

An attacker can modify autorun entries to gain a foothold on the system. Startup objects can be viewed with the Get-ItemProperty cmdlet.
We create two variables: $runUser to view the autorun entries of the current user (HKCU) and $runMachine to view the machine-wide entries (HKLM). Note that HKCU is the hive of the account the script runs under, so the Run keys of other users' profiles are not covered.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

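Get-ItemProperty returns the entries mixed with PSPath, PSParentPath and similar provider properties, and a name/command pair by itself says little about whether the command is trustworthy. The following added example (not from the original article) reads a list of Run/RunOnce keys as clean name/command pairs, extracts the executable each command points at, and checks whether it exists and whether it carries a valid Authenticode signature. The key list is the author's assumption about which autorun locations matter most (it is far from complete); the three command strings fed to the parser at the end are constructed.

```powershell
# Added example, not from the original article: autorun entries as name/command
# pairs with the target executable resolved and its signature checked.
$AutorunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable out of an autorun command: a quoted path, an unquoted
# path ending in .exe, or else the first token (e.g. rundll32.exe)
function Get-CommandExecutable([string]$Command) {
    $c = [System.Environment]::ExpandEnvironmentVariables($Command.Trim())
    if ($c -match '^"([^"]+)"')  { return $Matches[1] }
    if ($c -match '^(\S+\.exe)') { return $Matches[1] }
    return ($c -split '\s+')[0]
}

function Get-AutorunEntry {
    param([string[]] $Keys = $AutorunKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) { continue }           # e.g. no WOW6432Node on 32-bit Windows
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }          # PSPath, PSParentPath, PSChildName, PSDrive, PSProvider
            $exe = Get-CommandExecutable $p.Value
            if ($exe -and -not [System.IO.Path]::IsPathRooted($exe)) {
                # bare names such as rundll32.exe are resolved through PATH, as the loader would
                $resolved = Get-Command $exe -CommandType Application -ErrorAction SilentlyContinue | Select-Object -First 1
                if ($resolved) { $exe = $resolved.Path }
            }
            $exists = [bool]($exe -and (Test-Path -LiteralPath $exe -PathType Leaf))
            $sig = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { 'n/a' }
            [pscustomobject]@{
                Key       = $key
                Name      = $p.Name
                Command   = $p.Value
                Exe       = $exe
                Exists    = $exists
                Signature = $sig     # Valid, NotSigned, HashMismatch, UnknownError, ...
            }
        }
    }
}

# Constructed sample commands (not read from a registry) to show what the parser extracts
'"C:\Program Files\Vendor\agent.exe" /tray',
'C:\Users\Public\upd.exe',
'rundll32.exe C:\ProgramData\x.dll,Start' | ForEach-Object { '{0,-45} -> {1}' -f $_, (Get-CommandExecutable $_) }

# Live host, showing only entries worth a second look:
# Get-AutorunEntry | Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' } | Format-Table -AutoSize
```

An entry whose executable no longer exists is often the trace of a removed or self-deleting dropper, and an unsigned binary under a user-writable path (C:\Users\Public in the sample) is the classic persistence pattern. The rundll32 case shows a limit of the check: the host binary is signed and valid, so the DLL named in the arguments is what actually needs inspecting.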
So that each kind of information goes to its own file, we create an array of the variables and an array of file names in the same order.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

A for loop then writes the collected data to the files. Out-File is used with a large -Width because plain redirection (>>) formats objects as tables cut off at the console width (80 columns by default), which truncates long command lines.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] | Out-File -FilePath "$path\$name.txt" -Append -Width 4096
	}

After the script runs, nine text files containing the required information are created.
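Text tables are convenient to read but awkward to process later, and files collected during an incident should be verifiable. The following added example (not from the original article) writes each data set as CSV (strings such as quser output stay as text) and records a SHA-256 manifest of the output directory so that the evidence can be checked against it later. The function and parameter names are the author's own; the two data sets at the end are constructed in place of the live snapshots.

```powershell
# Added example, not from the original article: CSV export plus a hash manifest
# for the collected data sets.
function Export-EvidenceSet {
    param(
        [Parameter(Mandatory)] [hashtable] $Sets,   # name -> objects, or raw text lines
        [Parameter(Mandatory)] [string]    $OutDir
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($name in $Sets.Keys) {
        $data = $Sets[$name]
        if (($data -is [string]) -or ($data -and ($data[0] -is [string]))) {
            # output of external tools such as quser is plain text: keep the raw lines
            $file = Join-Path $OutDir "$name.txt"
            $data | Out-File -LiteralPath $file -Encoding utf8
        } else {
            # objects keep every property at full length, unlike the formatted table text
            $file = Join-Path $OutDir "$name.csv"
            $data | Export-Csv -LiteralPath $file -NoTypeInformation -Encoding utf8
        }
    }
    # Manifest: host, time and collecting account, then one line per file with hash and size
    $manifest = Join-Path $OutDir 'manifest.txt'
    "# $env:COMPUTERNAME $(Get-Date -Format o) collected by $env:USERNAME" | Out-File -LiteralPath $manifest -Encoding utf8
    Get-ChildItem -LiteralPath $OutDir -File | Where-Object Name -ne 'manifest.txt' | ForEach-Object {
        $h = Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256
        '{0}  {1,10}  {2}' -f $h.Hash, $_.Length, $_.Name
    } | Out-File -LiteralPath $manifest -Append -Encoding utf8
    Get-Content -LiteralPath $manifest
}

# Constructed sample data in place of the live snapshots; the 400-character
# command line is kept whole in the CSV where table text would have cut it.
$sets = @{
    Processes = @([pscustomobject]@{ ProcessId=4100; Name='powershell.exe'; CommandLine=('powershell.exe -enc ' + ('A' * 400)) })
    Users     = @('USERNAME  SESSIONNAME  ID  STATE', 'alice     console      1   Active')
}
Export-EvidenceSet -Sets $sets -OutDir (Join-Path $env:TEMP 'csirt-demo')

# Live host, with the variables from the article's script:
# Export-EvidenceSet -OutDir $path -Sets @{ Processes=$process; TCPConnect=$netTCP; UDPConnect=$netUDP; TaskScheduled=$task; Users=$user }
```

Copy manifest.txt off the host together with the data and store it separately; Get-FileHash on the copies must reproduce the listed hashes. Hashing after the fact does not prove the collection itself was not tampered with, so the script and its output should go to removable or network storage the attacker cannot reach rather than to the suspect disk.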

In this way a security professional can use PowerShell to gather the information needed for a wide range of tasks in their work. By adding the script to startup, some of this information can be obtained without having to take memory dumps, disk images and so on.

Source: www.habr.com
