Using PowerShell to Collect Incident Information

PowerShell is a common automation tool that is used by malware authors and information security specialists alike.
This article looks at one way of using PowerShell to remotely collect data from endpoints when responding to an information security incident. To do this you need a script that runs on the endpoint; the script is given in full first and then explained step by step.

function CSIRT{
    param($path)  # directory where the collected data is saved; must be supplied when the script is run
    if ($psversiontable.psversion.major -ge 5)
    {
        # HH (24-hour clock) rather than hh, so 01:05 and 13:05 do not end up in the same directory
        $date = Get-Date -Format dd.MM.yyyy_HH_mm
        $Computer = $env:COMPUTERNAME
        $path = Join-Path $path "${Computer}_$date"
        New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

        $process = Get-CimInstance -ClassName Win32_Process | Select-Object creationdate, processname,
        processid, commandline, parentprocessid

        $netTCP = Get-NetTCPConnection | Select-Object creationtime, localaddress,
        localport, remoteaddress, remoteport, owningprocess, state

        # UDP is connectionless: the endpoint class has no remote address, remote port or state
        $netUDP = Get-NetUDPEndpoint | Select-Object creationtime, localaddress, localport, owningprocess

        # Author is free text set by whoever registered the task; this filter only removes noise,
        # it does not prove that the remaining tasks are third-party or that the removed ones are benign
        $task = Get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
        Where-Object author -ne $null | Where-Object author -notlike '*Майкрософт*' |
        Where-Object author -notlike '*@%systemroot%*' | Where-Object author -notlike '*microsoft*'

        $job = Get-ScheduledJob

        # only the current directory is inspected; use Get-ChildItem -Recurse for a whole tree
        $ADS = Get-Item * -Stream * -ErrorAction SilentlyContinue | Where-Object stream -ne ':$DATA'

        $user = quser

        $runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

        $runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

        $array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
        $arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
        "ScheduledJob", "AlternativeDataStream"

        for ($w = 0; $w -lt $array.count; $w++){
            $name = $arrayName[$w]
            # -Width stops long command lines being cut off by the default 80-column table output
            $array[$w] | Out-File -FilePath (Join-Path $path "$name.txt") -Width 4096
        }
    }
    else
    {
        Write-Warning "PowerShell 5 or later is required; found $($psversiontable.psversion)"
    }
}

To begin, we create the CSIRT function, which takes one argument: the path where the collected data is saved. Because most of the cmdlets used here require PowerShell v5, the PowerShell version is checked first so that the script runs correctly.

function CSIRT{

param($path) # the directory to save the data to must be specified when the script is run
if ($psversiontable.psversion.major -ge 5)

To make the created files easier to navigate, two variables are initialized: $date and $Computer, which hold the current date and the computer name; together they form the name of the output directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm   # HH is the 24-hour clock; hh would merge 01:05 and 13:05
$Computer = $env:COMPUTERNAME
$path = Join-Path $path "${Computer}_$date"
New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

We get the list of running processes as follows: create the $process variable and assign it the output of the get-ciminstance cmdlet with the win32_process class. Using the Select-Object cmdlet you can choose the output columns; in our case these are creationdate (process creation time), processname (process name), processid (process ID, PID), commandline (the command the process was started with) and parentprocessid (parent process ID, PPID). Note that from a non-elevated session the command line of processes belonging to other users is usually not returned, so run the script elevated when you can.

$process = Get-CimInstance -ClassName Win32_Process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP connections and UDP endpoints, create the $netTCP and $netUDP variables and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively. UDP is connectionless, so the UDP endpoint objects have no remote address, remote port or state; selecting those columns would only produce empty values.

$netTCP = Get-NetTCPConnection | Select-Object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | Select-Object creationtime, localaddress, localport, owningprocess
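The owningprocess column is only useful once it is matched back to a process. The following function, added here as an example and not part of the original article, joins the TCP connections to Win32_Process so each connection is shown next to the owning process's name, parent PID and command line. It assumes Windows PowerShell 5.x with the NetTCPIP module (Windows 8 / Server 2012 or later); the default state and address filters are assumptions chosen for outbound-connection triage.

```powershell
# Added example, not from the original article. Joins Get-NetTCPConnection output to
# Win32_Process so each connection is shown with the owning process's command line
# and parent PID. Assumes Windows PowerShell 5.x with the NetTCPIP module (Windows 8 /
# Server 2012 or later). Run elevated to see every process's command line.
function Get-ProcessConnection {
    param(
        # Connection states to report. Listen and Bound are omitted by default because
        # they say nothing about outbound activity.
        [string[]]$State = @('Established', 'SynSent', 'CloseWait', 'TimeWait'),

        # Remote addresses to ignore (loopback and unspecified).
        [string[]]$IgnoreRemote = @('0.0.0.0', '::', '127.0.0.1', '::1')
    )

    # Index processes by PID once so the lookup inside the loop is a hashtable hit.
    # Both sides are cast to [int]: ProcessId and OwningProcess are UInt32, and a
    # UInt32 key does not match an Int32 key in a hashtable.
    $procByPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $procByPid[[int]$p.ProcessId] = $p
    }

    Get-NetTCPConnection -State $State -ErrorAction SilentlyContinue |
        Where-Object { $IgnoreRemote -notcontains $_.RemoteAddress } |
        ForEach-Object {
            $conn = $_
            $proc = $procByPid[[int]$conn.OwningProcess]
            # A PID with no matching process means it exited between the two snapshots.
            $name   = if ($proc) { $proc.Name } else { '<exited>' }
            $parent = if ($proc) { $proc.ParentProcessId } else { $null }
            $cmd    = if ($proc) { $proc.CommandLine } else { $null }
            [pscustomobject]@{
                CreationTime   = $conn.CreationTime
                LocalEndpoint  = '{0}:{1}' -f $conn.LocalAddress, $conn.LocalPort
                RemoteEndpoint = '{0}:{1}' -f $conn.RemoteAddress, $conn.RemotePort
                State          = $conn.State
                PID            = $conn.OwningProcess
                ProcessName    = $name
                ParentPID      = $parent
                CommandLine    = $cmd
            }
        }
}

# Usage: Get-ProcessConnection | Sort-Object RemoteEndpoint | Format-Table -AutoSize
# To save it next to the other artifacts:
# Get-ProcessConnection | Export-Csv -Path .\ProcessConnections.csv -NoTypeInformation
```

The two snapshots (processes, then connections) are not atomic, which is why a connection can point at a PID that no longer exists; the function marks those rather than dropping them, since a short-lived process that made an outbound connection is exactly what an analyst wants to see.
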

It is also important to get the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. A system has many scheduled tasks out of the box, so to spot malicious activity it makes sense to filter out the legitimate ones: Select-Object picks the columns and Where-Object drops tasks by author. Keep in mind that the author field is free text set by whoever registered the task, so this only reduces noise; a malicious task can claim a Microsoft author and would be filtered out along with the real ones.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname | where author -ne $null | where author -notlike '*Майкрософт*' | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as empty authors
$job = Get-ScheduledJob
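Written to a text file, the actions and triggers columns above come out as CIM class names such as MSFT_TaskExecAction rather than the executable and its arguments. The function below, added here as an example and not part of the original article, applies the same author filter and then flattens each task into one line with readable actions, triggers, the account it runs as, and its last run time and result. The default exclusion patterns are assumptions you should tune to the environment.

```powershell
# Added example, not from the original article. Flattens Get-ScheduledTask output into
# one object per task with readable actions and triggers. Assumes the ScheduledTasks
# module (Windows 8 / Server 2012 or later, Windows PowerShell 5.x).
function Get-TaskInventory {
    param(
        # Same idea as the article's filter; patterns are assumptions, -like is case-insensitive.
        [string[]]$ExcludeAuthorPattern = @('*Microsoft*', '*Майкрософт*', '*@%systemroot%*')
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $author = $task.Author

        # Author is free text chosen by whoever registered the task, so a persistence
        # task can claim to be Microsoft's; treat this as noise reduction, not trust.
        if ([string]::IsNullOrEmpty($author)) { return }
        foreach ($pattern in $ExcludeAuthorPattern) {
            if ($author -like $pattern) { return }
        }

        # MSFT_TaskExecAction carries Execute/Arguments; MSFT_TaskComHandlerAction carries a CLSID.
        $actions = foreach ($a in $task.Actions) {
            if ($a.Execute) { ('{0} {1}' -f $a.Execute, $a.Arguments).Trim() }
            elseif ($a.ClassId) { 'COM:' + $a.ClassId }
            else { $a.CimClass.CimClassName }
        }
        # The trigger type is enough for triage (LogonTrigger, BootTrigger, TimeTrigger, ...).
        $triggers = foreach ($t in $task.Triggers) {
            $t.CimClass.CimClassName -replace '^MSFT_Task', ''
        }

        $info = $task | Get-ScheduledTaskInfo

        [pscustomobject]@{
            TaskPath   = $task.TaskPath
            TaskName   = $task.TaskName
            Author     = $author
            State      = $task.State
            RunAs      = $task.Principal.UserId
            Actions    = $actions -join '; '
            Triggers   = $triggers -join '; '
            LastRun    = $info.LastRunTime
            NextRun    = $info.NextRunTime
            LastResult = $info.LastTaskResult
        }
    }
}

# Usage: Get-TaskInventory | Export-Csv -Path .\TaskScheduled.csv -NoTypeInformation
```

A task whose action is a COM handler, or whose executable lives under a user-writable directory, stands out immediately in this form, which it does not when only the class name is written to disk.
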

The NTFS file system supports alternate data streams (ADS): a single NTFS file can have several data streams of arbitrary size attached to it. ADS can hold data that standard system checks do not show, which makes them a convenient place for an attacker to stash malicious code and/or hide data.

To list alternate data streams in PowerShell we use the get-item cmdlet with its -Stream parameter; passing * as the stream name returns every stream of each file. The result is stored in the $ADS variable. Note that get-item * only looks at the current working directory, and that the ':$DATA' stream filtered out below is simply the file's normal content.

$ADS = get-item * -Stream * -ErrorAction SilentlyContinue | where stream -ne ':$DATA'
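A one-directory listing is rarely enough during an incident. The function below, added here as an example and not part of the original article, walks a whole tree, lists every alternate data stream, and adds a hex preview of the first bytes so an embedded executable (4d5a, "MZ") or script is visible without dumping the stream. Zone.Identifier is skipped by default because every downloaded file carries one (Mark of the Web). It assumes Windows PowerShell 5.1, whose Get-Content supports -Encoding Byte.

```powershell
# Added example, not from the original article. Recursive alternate data stream
# inventory with a hex preview. Assumes Windows PowerShell 5.1 (-Encoding Byte).
function Get-AlternateDataStream {
    param(
        [string]$Path = (Get-Location).Path,
        [switch]$IncludeZoneIdentifier,
        [int]$PreviewBytes = 64
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream; ':$DATA' is the file's normal content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    $stream = $_
                    $preview = ''
                    if ($stream.Length -gt 0) {
                        # Read only the first bytes of the stream as raw bytes.
                        $bytes = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -Encoding Byte -TotalCount $PreviewBytes -ErrorAction SilentlyContinue
                        if ($bytes) {
                            $preview = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
                        }
                    }
                    [pscustomobject]@{
                        FileName   = $file.FullName
                        Stream     = $stream.Stream
                        Length     = $stream.Length
                        HexPreview = $preview   # starts with 4d5a for an embedded PE file
                    }
                }
        }
}

# Usage: Get-AlternateDataStream -Path C:\Users | Format-Table -AutoSize
```

Pass -IncludeZoneIdentifier when the download origin matters: the Zone.Identifier stream records the ZoneId and, on recent Windows versions, the HostUrl the file came from, which is useful provenance for a suspicious file even though it is noise in a bulk listing.
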

It is also useful to know which users are logged on to the system; for this we create the $user variable and assign it the output of the quser utility.

$user = quser

Attackers often modify autorun entries to gain persistence on the system. Startup items can be viewed with the Get-ItemProperty cmdlet.
Let's create two variables: $runUser for the current user's autorun entries and $runMachine for the machine-wide ones.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

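Get-ItemProperty returns a single object per key, with each autorun value as a property and the provider's PS* bookkeeping properties mixed in, which is awkward to read in a text dump. The function below, added here as an example and not part of the original article, turns the Run keys into one object per entry, pulls the executable out of the command, and checks its Authenticode signature. The additional keys (RunOnce and the Wow6432Node view) and the path-extraction regex are assumptions.

```powershell
# Added example, not from the original article. One object per autorun entry, with the
# executable resolved and its Authenticode signature status. Key list and regex are assumptions.
function Get-AutorunEntry {
    param(
        [string[]]$Key = @(
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
        )
    )

    foreach ($k in $Key) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $props) { continue }

        # Every property that is not provider bookkeeping is a registry value, i.e. an autorun entry.
        $props.PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                $prop = $_
                $cmd = [string]$prop.Value
                # Heuristic: a quoted path, otherwise everything up to the first ".exe",
                # otherwise the first token. -match is case-insensitive.
                $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] }
                       elseif ($cmd -match '^(.+?\.exe)') { $Matches[1] }
                       else { ($cmd -split '\s+')[0] }
                $exe = [Environment]::ExpandEnvironmentVariables($exe)

                $signature = 'FileMissing'
                if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                    # Valid, NotSigned, HashMismatch, UnknownError, ...: anything but Valid
                    # in a Run key deserves a closer look.
                    $signature = (Get-AuthenticodeSignature -FilePath $exe).Status
                }

                [pscustomobject]@{
                    Key        = $k
                    Name       = $prop.Name
                    Command    = $cmd
                    Executable = $exe
                    Signature  = $signature
                }
            }
    }
}

# Usage: Get-AutorunEntry | Where-Object Signature -ne 'Valid' | Format-Table -AutoSize
```

A missing file is reported rather than skipped: an autorun entry pointing at a path that no longer exists is either leftover from removed software or a hijack opportunity, and both are worth recording.
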
So that each kind of information ends up in its own file, we create one array holding the variables and another holding the matching file names.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

The collected data is then written to the files in a loop. Out-File with a wide -Width is used instead of >> so that long command lines are not truncated by the default 80-column table formatting.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] | Out-File -FilePath (Join-Path $path "$name.txt") -Width 4096
}

After the script has run, 9 text files containing the collected information are created in the output directory.

Cybersecurity specialists can use PowerShell to gather the information they need for a wide range of tasks in their work. By adding the script to startup, you can collect this additional information without taking memory dumps, disk images, etc.

Source: www.habr.com
