Using PowerShell to Collect Incident Information

PowerShell is a fairly common tool, used both by malware authors and by information security specialists.
This article describes one way of using PowerShell to collect data from endpoints when responding to security incidents. To do this, a script is written that runs on the endpoint; a detailed description of that script follows.

function CSIRT {
    param($path)   # directory in which the collected data is saved
    if ($psversiontable.psversion.major -ge 5)
    {
        # 24-hour clock (HH), so two collections on the same day cannot overwrite each other
        $date = Get-Date -Format dd.MM.yyyy_HH_mm
        $Computer = $env:COMPUTERNAME
        New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
        $path = "$path\$computer$date"

        $process = Get-CimInstance -ClassName win32_process | Select-Object creationdate, processname,
            processid, commandline, parentprocessid

        $netTCP = Get-NetTCPConnection | Select-Object creationtime, localaddress,
            localport, remoteaddress, remoteport, owningprocess, state

        # UDP endpoints have no remote side and no state, so only the local fields exist
        $netUDP = Get-NetUDPEndpoint | Select-Object creationtime, localaddress,
            localport, owningprocess

        $task = Get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
            where author -notlike '*Майкрософт*' | where author -ne $null |
            where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

        $job = Get-ScheduledJob

        # only the current directory is examined; the default :$DATA stream of every file is skipped
        $ADS = Get-Item * -Stream * -ErrorAction SilentlyContinue | where stream -ne ':$Data'

        $user = quser

        $runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

        $runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

        $array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
        $arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
            "ScheduledJob", "AlternativeDataStream"

        # one text file per collection, named after the matching entry in $arrayName
        for ($w = 0; $w -lt $array.count; $w++) {
            $name = $arrayName[$w]
            $array[$w] >> "$path\$name.txt"
        }
    }
}

To begin, create the CSIRT function, which takes one argument: the path where the collected data is saved. Since most of the cmdlets used require PowerShell v5, the PowerShell version is checked so that the script runs correctly.

function CSIRT {
    param($path)   # when running the script, the directory for saving the results must be specified
    if ($psversiontable.psversion.major -ge 5)

To make it easier to find your way around the created files, two variables are introduced, $date and $Computer, which hold the current date and the computer name.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
$path = "$path\$computer$date"

The list of processes running on behalf of the current user is obtained as follows: create the $process variable and assign it the result of the get-ciminstance cmdlet with the win32_process class. With the Select-Object cmdlet, additional output fields can be added; in our case these are parentprocessid (parent process ID, PPID), creationdate (process creation date), processid (process ID, PID), processname (process name) and commandline (the command used to start the process).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP and UDP connections, create the $netTCP and $netUDP variables and assign them the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets, respectively.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

# a UDP endpoint has no remote address, remote port or state, so only the local fields are selected
$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess

It is also important to get the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign them to the $task and $job variables. Because a system contains many scheduled tasks out of the box, legitimate tasks have to be filtered out in order to spot malicious activity. Select-Object picks the fields to keep, and the where filters that follow discard the known legitimate authors.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname | where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft", "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob
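
The filter above drops legitimate tasks, but when the $task objects are later written with >> the nested Actions and Triggers columns come out as CIM class names in braces rather than as the command that actually runs. The following function is an example added here, not code from the original article: it applies the same author filter, flattens the actions and triggers into readable strings and adds the last and next run times from Get-ScheduledTaskInfo. It assumes the ScheduledTasks module of Windows PowerShell 5.1; the function and parameter names are this example's own. Unlike the filter above it keeps tasks whose Author field is empty, so that they can be reviewed rather than silently dropped.

```powershell
# Added example, not the article's code. Assumes the ScheduledTasks module (Windows PowerShell 5.1).
function Get-FlattenedScheduledTask {
    param(
        # Author patterns treated as legitimate; the same three the article filters on
        [string[]]$IgnoreAuthorPatterns = @('*Microsoft*', '*Майкрософт*', '*@%systemroot%*')
    )
    Get-ScheduledTask | Where-Object {
        $author = [string]$_.Author          # $null becomes '' and is kept for review
        $legitimate = $false
        foreach ($pattern in $IgnoreAuthorPatterns) {
            if ($author -like $pattern) { $legitimate = $true }
        }
        -not $legitimate
    } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        # Exec actions become "program arguments"; COM handler actions show their CLSID instead
        $actions = foreach ($a in $task.Actions) {
            if ($a.Execute) { "$($a.Execute) $($a.Arguments)".Trim() } else { "COM:$($a.ClassId)" }
        }
        [pscustomobject]@{
            TaskName    = $task.TaskName
            TaskPath    = $task.TaskPath
            Author      = $task.Author
            State       = $task.State
            Actions     = $actions -join ' ; '
            Triggers    = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ' ; '
            LastRunTime = $info.LastRunTime
            NextRunTime = $info.NextRunTime
            Description = $task.Description
        }
    }
}

# Usage: most recently executed tasks first, with the command each one runs
Get-FlattenedScheduledTask | Sort-Object LastRunTime -Descending |
    Format-Table TaskName, Author, LastRunTime, Actions -AutoSize
```

Because every column is now a plain string or date, the objects can be written with >> as in the script or exported with Export-Csv without losing the action details.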

The NTFS file system has a feature called alternate data streams (ADS). It means that a file in NTFS can be associated with several streams of arbitrary size. With ADS, data can be hidden so that it is not visible to ordinary checks, which makes it possible to inject malicious code and/or conceal data.

To display alternate data streams in PowerShell, we use the get-item cmdlet with the built-in Windows -stream attribute and the * wildcard, so that all existing streams are shown; the result is assigned to the $ADS variable.

$ADS = get-item * -stream * | where stream -ne ':$Data'
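
get-item * only inspects the directory the script happens to run from. The function below is an example added here and not part of the original article: it walks a directory tree with Get-ChildItem, lists every stream other than the default :$DATA, and adds the stream length and the first line of its content, so an analyst can tell an ordinary Zone.Identifier marker on a downloaded file from a stream that carries a payload. The function name and the $Path and $IgnoreStreams parameters are this example's own; it assumes Windows PowerShell 5.1 on an NTFS volume.

```powershell
# Added example, not the article's code: ADS enumeration below a directory tree.
function Get-AlternateDataStream {
    param(
        [string]$Path = '.',
        # The default stream every file has; everything else is reported
        [string[]]$IgnoreStreams = @(':$DATA')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    # First line of the stream, shortened, to distinguish a marker from a payload
                    $firstLine = Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                             -TotalCount 1 -ErrorAction SilentlyContinue
                    $preview = if ($firstLine) { [string]$firstLine } else { '' }
                    if ($preview.Length -gt 60) { $preview = $preview.Substring(0, 60) + '...' }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Preview = $preview
                    }
                }
        }
}

# Usage: streams under the user profile, largest first. Zone.Identifier on downloaded
# files is expected; large streams with other names are what to look at.
Get-AlternateDataStream -Path $env:USERPROFILE | Sort-Object Length -Descending | Format-Table -AutoSize
```

The -Force switch includes hidden files, and -ErrorAction SilentlyContinue keeps the scan going past directories the current user may not read.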

It is useful to know which users are logged on to the system; for this we create the $user variable and assign it the output of the quser program.

$user = quser

Attackers may modify autorun settings in order to gain a foothold in the system. Startup items can be viewed with the Get-ItemProperty cmdlet.
We create two variables: $runUser, for the startup items of the current user, and $runMachine, for the startup items of the machine.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
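
Get-ItemProperty returns the whole key as a single object, including the PSPath and PSParentPath bookkeeping properties, so the text file the script produces mixes the autorun entries with noise. The following function, an example added here and not part of the original article, reads every value of the Run keys as its own row, resolves the executable the value points to and hashes it when the file exists. It also extends the article's two keys with the RunOnce keys and the 32-bit (Wow6432Node) view present on 64-bit Windows. The function name and the $Keys parameter are this example's own; the executable extraction is a heuristic and is marked as such.

```powershell
# Added example, not the article's code: one row per autorun value, with the file it points to.
function Get-AutorunEntry {
    param(
        # The article reads the two Run keys; RunOnce and the 32-bit view on 64-bit Windows are added here
        [string[]]$Keys = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        )
    )
    foreach ($key in $Keys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }   # RunOnce is often absent
        $regKey = Get-Item -LiteralPath $key
        foreach ($valueName in $regKey.GetValueNames()) {
            $command = [Environment]::ExpandEnvironmentVariables([string]$regKey.GetValue($valueName))
            # Heuristic: the executable is the quoted first token, or the text up to the first space
            $exe = if ($command -match '^"([^"]+)"') { $Matches[1] } else { ($command -split ' ', 2)[0] }
            $exists = if ($exe) { Test-Path -LiteralPath $exe -PathType Leaf } else { $false }
            [pscustomobject]@{
                Key        = $key
                Name       = $valueName
                Command    = $command
                Executable = $exe
                Exists     = $exists
                # Hash of the file on disk, so the entry can be checked against threat intelligence later
                SHA256     = if ($exists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash } else { $null }
            }
        }
    }
}

# Usage: entries whose target no longer exists, or lives in a user-writable location
# such as the temp or profile directories, deserve a closer look.
Get-AutorunEntry | Format-Table Key, Name, Exists, Executable -AutoSize
```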

So that all the information is written to separate files, we create an array holding the variables and an array holding the file names.

$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Finally, a loop writes the collected data to the files.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"
}

When the script finishes, 9 files containing the required information have been created.
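
Writing the collections with >> appends PowerShell's default table view, which truncates long values such as CommandLine at the console width and cannot be re-imported for analysis. The function below is an example added here rather than the article's code: it writes every collection to its own CSV with Export-Csv, writes plain text output such as quser as-is, keeps an empty file when a collection returned nothing, and records a SHA-256 hash of every file in a manifest so that the collected evidence can later be shown to be unchanged. It assumes Windows PowerShell 5.1 or newer (for Get-FileHash and Export-Csv -Encoding); the function name is this example's own and C:\IR in the usage is a placeholder output root.

```powershell
# Added example, not the article's code. Assumes Windows PowerShell 5.1+ (Export-Csv -Encoding, Get-FileHash).
function Export-CsirtArtifacts {
    param(
        [Parameter(Mandatory)][string]$OutputRoot,
        # artifact name -> collected objects, the same pairs the article keeps in $array and $arrayName
        [Parameter(Mandatory)][hashtable]$Artifacts
    )
    $stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'     # 24-hour clock, sorts chronologically
    $folder = Join-Path $OutputRoot "$($env:COMPUTERNAME)_$stamp"
    New-Item -Path $folder -ItemType Directory -Force | Out-Null

    $manifest = foreach ($name in $Artifacts.Keys) {
        $data   = @($Artifacts[$name] | Where-Object { $null -ne $_ })
        $isText = ($data.Count -gt 0) -and ($data[0] -is [string])
        $file   = Join-Path $folder ($name + $(if ($isText) { '.txt' } else { '.csv' }))
        if ($data.Count -eq 0) {
            Set-Content -LiteralPath $file -Value '' -Encoding UTF8      # an empty result is evidence too
        } elseif ($isText) {
            Set-Content -LiteralPath $file -Value $data -Encoding UTF8   # e.g. quser output
        } else {
            $data | Export-Csv -LiteralPath $file -NoTypeInformation -Encoding UTF8
        }
        [pscustomobject]@{
            Artifact = $name
            File     = $file
            Records  = $data.Count
            SHA256   = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        }
    }
    $manifest | Export-Csv -LiteralPath (Join-Path $folder 'manifest.csv') -NoTypeInformation -Encoding UTF8
    $manifest
}

# Usage with three of the article's collections; C:\IR is a placeholder output root
$artifacts = @{
    Processes  = Get-CimInstance -ClassName Win32_Process |
                     Select-Object CreationDate, ProcessName, ProcessId, CommandLine, ParentProcessId
    TCPConnect = Get-NetTCPConnection |
                     Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State
    Users      = quser
}
Export-CsirtArtifacts -OutputRoot 'C:\IR' -Artifacts $artifacts | Format-Table -AutoSize
```

The manifest.csv is written last; storing a copy of it (or of its own hash) away from the endpoint lets the analyst verify later that none of the collected files were altered after collection.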

Today, cybersecurity specialists can use PowerShell to enrich the information they need to solve various tasks in their work. By adding the script to startup, some of this information can be obtained without taking memory dumps, disk images and so on.

Source: www.habr.com