Collecting incident information with PowerShell

PowerShell is a fairly common automation tool that is often used by both malware developers and information security specialists.
This article discusses the use of PowerShell to collect data from remote endpoints when responding to information security incidents. To do this, we will write a script that runs on the endpoint, and then go through that script in detail.

function CSIRT{
param($path)
if ($psversiontable.psversion.major -ge 5)
	{
	# one output directory per host and collection time
	$date = Get-Date -Format dd.MM.yyyy_hh_mm
	$Computer = $env:COMPUTERNAME
	New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
	$path = "$path\$computer$date"

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state
	
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# drop tasks whose author is Microsoft (Russian or English spelling), a %systemroot% resource, or empty
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# alternate data streams of files in the current directory, excluding the default :$DATA stream
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	# write each dataset to its own text file
	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		$array[$w] >> "$path\$name.txt"
		}

	}

}

To begin, we create the CSIRT function, which takes one argument: the path where the collected data will be saved. Since most of the cmdlets used here require PowerShell v5, the PowerShell version is checked to ensure correct operation.

function CSIRT{
		
param($path) # when running the script, the directory to save to must be specified
if ($psversiontable.psversion.major -ge 5)

For convenient navigation through the created files, two variables are initialized: $date and $Computer, which are assigned the current date and the computer name.

$date = Get-Date -Format dd.MM.yyyy_hh_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null 
$path = "$path\$computer$date"

We obtain the list of running processes for the current user as follows: create the $process variable and assign it the output of the Get-CimInstance cmdlet with the win32_process class. Using the Select-Object cmdlet, you can add output parameters; in our case these are parentprocessid (the parent process ID, PPID), creationdate (the process creation date), processid (the process ID, PID), processname (the process name) and commandline (the launch command line).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get a list of all TCP and UDP connections, we create the $netTCP and $netUDP variables, assigning them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

It will be important to obtain the list of scheduled tasks and jobs. For this we use the Get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the variables $task and $job. Since there are initially many tasks in the system, it is worth filtering out legitimate scheduled tasks in order to identify malicious activity. The Select-Object cmdlet, together with Where-Object filters, will help us here.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft", "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob

The NTFS file system has a feature called alternate data streams (ADS). This means that a file on NTFS can optionally be associated with several data streams of arbitrary size. Using ADS, you can hide data that is not visible through the usual tools. This makes it possible to inject malicious code and/or hide data.

To display alternate data streams in PowerShell, we use the Get-Item cmdlet and its built-in -Stream parameter with the * wildcard to view all possible streams; for this we create the $ADS variable.

$ADS = get-item * -stream * | where stream -ne ':$Data' 

It will be useful to examine the list of users logged on to the system; for this we create the $user variable and assign it the output of the quser program.

$user = quser

Attackers can modify autorun entries to gain persistence in the system. To view startup items, you can use the Get-ItemProperty cmdlet.
We create two variables: $runUser to view startup for the user, and $runMachine to view startup for the computer.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that all the information is written to separate files, we create an array of the variables and an array of file names.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

And using a for loop, the collected data is written to the files.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"
	}

After running the script, 9 text files will be created containing the information needed for analysis.
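As an added example (not code from the original article or its author), here is the same collection step written so that each dataset lands in a CSV file and a SHA-256 manifest of all artefacts is recorded, which makes later analysis and integrity checks of the collected evidence easier. The function name Export-CsirtEvidence, the output layout and the manifest file name are assumptions of this example.

```powershell
# Added example, not part of the original article: CSV output plus a SHA-256 manifest.
function Export-CsirtEvidence {
    param([Parameter(Mandatory)][string]$OutputRoot)   # e.g. 'C:\evidence' (assumed layout)

    if ($PSVersionTable.PSVersion.Major -lt 5) { throw 'PowerShell 5 or later is required' }

    $stamp = Get-Date -Format 'dd.MM.yyyy_HH_mm'
    $dir   = Join-Path $OutputRoot "$($env:COMPUTERNAME)_$stamp"
    New-Item -Path $dir -ItemType Directory -Force | Out-Null

    # Same data sources as the article's CSIRT function, keyed by output file name.
    # Scheduled task actions are flattened to "executable arguments" so the CSV stays readable.
    $datasets = [ordered]@{
        Processes     = Get-CimInstance -ClassName Win32_Process |
                        Select-Object CreationDate, ProcessName, ProcessId, ParentProcessId, CommandLine
        TCPConnect    = Get-NetTCPConnection |
                        Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State
        UDPConnect    = Get-NetUDPEndpoint | Select-Object CreationTime, LocalAddress, LocalPort, OwningProcess
        TaskScheduled = Get-ScheduledTask |
                        Where-Object { $_.Author -and $_.Author -notlike '*Microsoft*' -and
                                       $_.Author -notlike '*Майкрософт*' -and $_.Author -notlike '*@%systemroot%*' } |
                        Select-Object TaskName, Author, State, Description,
                            @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }
        RunUser       = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
        RunMachine    = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
        ADS           = Get-Item -Path (Join-Path $env:USERPROFILE '*') -Stream * -ErrorAction SilentlyContinue |
                        Where-Object Stream -ne ':$DATA' | Select-Object FileName, Stream, Length
    }

    foreach ($name in $datasets.Keys) {
        if ($datasets[$name]) {   # skip empty datasets so no header-only CSV is written
            $datasets[$name] | Export-Csv -Path (Join-Path $dir "$name.csv") -NoTypeInformation -Encoding UTF8
        }
    }
    # quser emits plain text rather than objects, so it is kept as-is.
    quser 2>$null | Out-File -FilePath (Join-Path $dir 'Users.txt') -Encoding UTF8

    # Hash manifest written last, after every artefact is complete; list files first so the
    # manifest itself is not included.
    $files = Get-ChildItem -Path $dir -File
    $files | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
    return $dir
}

# Run on a remote endpoint over PowerShell Remoting (WinRM must be enabled on the target):
# Invoke-Command -ComputerName HOST01 -ScriptBlock ${function:Export-CsirtEvidence} -ArgumentList 'C:\evidence'
```

Compare the manifest hashes against the files again after the evidence has been copied off the host to confirm nothing changed in transit.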

Today, cybersecurity professionals can use PowerShell to enrich the information they need to solve a variety of tasks in their work. By adding lines to autorun, some information can be obtained without taking dumps, images, etc.

Source: www.habr.com