Using PowerShell to Collect Incident Information

PowerShell is a widely used automation tool, popular with both malware authors and information security specialists.
This article walks through one option for using PowerShell to collect data from endpoints when responding to information security incidents. To do that, you need to write a script that will be run on the endpoint; the full script is given first and then explained section by section.

function CSIRT{
param($path)  # directory in which the collected data is saved, e.g. C:\IR
if ($psversiontable.psversion.major -ge 5)
	{
	# HH is the 24-hour clock; hh would make 01:05 and 13:05 collide
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
	$path = "$path\$computer$date"

	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP endpoints have no remote side and no state, so only these columns exist
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
	localport, owningprocess

	# 'Майкрософт' is the author string of built-in tasks on a Russian-locale system
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# only the current working directory is inspected; ':$DATA' is the normal content stream
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"


	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# quotes are required: unquoted, $name.txt is parsed as a property of $name
		$array[$w] >> "$path\$name.txt"
		}

	}
else
	{
	Write-Warning "PowerShell 5 or later is required, found $($psversiontable.psversion)"
	}

}

First, create the CSIRT function, which takes one argument: the path under which the collected data is saved. Since most of the cmdlets used here only work in PowerShell v5 and later, the PowerShell version is checked first; on older versions the function does nothing, so it is worth emitting a warning there rather than failing silently.

function CSIRT{
		
param($path)  # when running the script, specify the directory for saving
if ($psversiontable.psversion.major -ge 5)

For convenient navigation of the created files, two variables are initialized: $date and $Computer, which receive the current date and the computer name. A directory named after them is created under the supplied path, and $path is then pointed at that directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null 
$path = "$path\$computer$date"

We get the list of processes running on the host as follows: create the $process variable and assign it the output of the get-ciminstance cmdlet for the win32_process class. With the Select-Object cmdlet you choose which properties are output; in our case these are parentprocessid (parent process ID, PPID), creationdate (process creation time), processid (process ID, PID), processname (process name) and commandline (the command line the process was started with). Run the script with administrative rights: without them the command lines of other users' processes are returned empty.

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP connections and UDP endpoints, create the $netTCP and $netUDP variables and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets, respectively. UDP is connectionless, so a UDP endpoint has no remote address, remote port or state; selecting those properties only produces empty columns.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess
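A bare owning PID is of little use once the process has been looked up by hand a dozen times, so the following added example (not part of the original article) joins the TCP connections and UDP endpoints to the Win32_Process data collected above, giving each row the process name, parent PID and command line. The function name Get-EnrichedNetworkActivity and the column names are this example's own choices; it assumes PowerShell 5.1 or later on Windows 8.1 / Server 2012 R2 or later, where the NetTCPIP cmdlets exist.

```powershell
function Get-EnrichedNetworkActivity {
    # Build a PID -> process lookup once; Win32_Process also carries the parent PID.
    $procs = @{}
    Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { $procs[[int]$_.ProcessId] = $_ }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]   # $null if the process has already exited
        [pscustomobject]@{
            Protocol      = 'TCP'
            CreationTime  = $_.CreationTime
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            PID           = $_.OwningProcess
            PPID          = $p.ParentProcessId
            Process       = $p.Name
            CommandLine   = $p.CommandLine
        }
    }

    # UDP endpoints have no remote side or state; the columns stay empty so that
    # both protocols fit in one table and one output file.
    $udp = Get-NetUDPEndpoint | ForEach-Object {
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            Protocol      = 'UDP'
            CreationTime  = $_.CreationTime
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $null
            RemotePort    = $null
            State         = $null
            PID           = $_.OwningProcess
            PPID          = $p.ParentProcessId
            Process       = $p.Name
            CommandLine   = $p.CommandLine
        }
    }

    # @() on both sides so that a single result is still concatenated as an array
    @($tcp) + @($udp)
}

# Usage: established TCP connections that leave the host, sorted by age. This is
# the view in which beaconing to a command-and-control server stands out.
Get-EnrichedNetworkActivity |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.State -eq 'Established' -and
                   $_.RemoteAddress -notin '127.0.0.1', '::1' } |
    Sort-Object CreationTime |
    Format-Table CreationTime, LocalPort, RemoteAddress, RemotePort, PID, Process, CommandLine -AutoSize
```

The lookup is built once rather than calling Get-Process per row, so the listing stays fast on a busy server; a row whose Process column is empty means the socket outlived its owner, which is itself worth a second look.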

It is also important to get the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. Since a system initially contains a great many scheduled tasks, to spot malicious ones it is important to filter out the legitimate tasks. Select-Object picks the properties to keep, and the chain of where (Where-Object) clauses does the filtering. Note that the author field is free text written by whoever created the task and its built-in values depend on the system locale (hence the Cyrillic 'Майкрософт' below), so an attacker can set it to anything; treat this filter as noise reduction, not as a trust decision.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft", "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob
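Redirecting $task to a text file prints the actions and triggers only as type names such as {MSFT_TaskExecAction}, which is exactly the part an analyst needs. The following added example (this is not code from the original article) expands each task into one row per action with the command line it runs, filters the built-in tasks by their path under \Microsoft\ instead of by the localized author string, and flags the patterns that most often indicate persistence. The function name Get-SuspiciousScheduledTask, the -IncludeMicrosoft switch and the flag heuristics are this example's own assumptions.

```powershell
function Get-SuspiciousScheduledTask {
    param([switch] $IncludeMicrosoft)

    $tasks = Get-ScheduledTask
    # Path-based exclusion does not depend on the system locale or on the author text.
    if (-not $IncludeMicrosoft) {
        $tasks = $tasks | Where-Object { $_.TaskPath -notlike '\Microsoft\*' }
    }

    foreach ($t in $tasks) {
        $info = $t | Get-ScheduledTaskInfo   # last/next run times live here, not on the task
        foreach ($a in $t.Actions) {
            # Only exec actions carry Execute/Arguments; COM-handler and e-mail actions do not.
            if (-not $a.Execute) { continue }
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()

            $reasons = @()
            if ($cmd -match '(?i)\\(AppData|Temp|ProgramData|Public|Downloads)\\') {
                $reasons += 'runs from user-writable path'
            }
            if ($a.Execute -match '(?i)(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?"?$') {
                $reasons += 'script host / LOLBin'
            }
            if ($a.Arguments -match '(?i)(^|\s)-(e|ec|enc|encodedcommand)\s|frombase64|downloadstring|\biex\b|invoke-expression') {
                $reasons += 'encoded or downloading arguments'
            }
            if ([string]::IsNullOrWhiteSpace($t.Author)) { $reasons += 'no author' }

            [pscustomobject]@{
                TaskPath    = $t.TaskPath
                TaskName    = $t.TaskName
                Author      = $t.Author
                State       = $t.State
                LastRunTime = $info.LastRunTime
                NextRunTime = $info.NextRunTime
                # e.g. LogonTrigger, TimeTrigger, BootTrigger
                Triggers    = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                Command     = $cmd
                Flags       = $reasons -join '; '
            }
        }
    }
}

# Usage: everything outside the Microsoft tree, flagged rows first.
Get-SuspiciousScheduledTask | Sort-Object { $_.Flags -eq '' }, LastRunTime -Descending |
    Format-Table TaskPath, TaskName, State, LastRunTime, Triggers, Command, Flags -Wrap
```

Attackers know that analysts skip the \Microsoft\Windows\ tree and register tasks there with a plausible name, so for a full sweep run it with -IncludeMicrosoft: the flags still apply, only the volume grows.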

The NTFS file system has a feature called alternate data streams (ADS). It means that a file on NTFS can optionally be associated with several additional data streams of arbitrary size. Using ADS, data can be hidden that is not visible in ordinary file listings and system checks, which makes it possible to stash malicious code and/or conceal data.

To list alternate data streams in PowerShell, we use the Get-Item cmdlet with its -Stream parameter and the * wildcard, which returns every stream of every item in the current directory; the result goes into the $ADS variable. Every file has the default ':$DATA' stream, so that one is filtered out to leave only the alternate streams.

$ADS = get-item * -stream * | where stream -ne ':$Data' 
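The one-liner above only inspects the directory the script happens to run from. The added example below (not taken from the original article) walks a directory tree, lists every alternate stream with its size, and reads the contents of the Zone.Identifier stream, the mark-of-the-web that Windows writes on downloaded files and that records the source URL. The function name Get-AlternateDataStream and its parameters are this example's own assumptions.

```powershell
function Get-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    # -Force includes hidden files; -LiteralPath avoids wildcard expansion of odd file names.
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $content = $null
            # Zone.Identifier is tiny and tells you where a file was downloaded from
            # (ZoneId=3 is the Internet zone; HostUrl/ReferrerUrl carry the origin).
            if ($_.Stream -eq 'Zone.Identifier' -and $_.Length -lt 4KB) {
                $content = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            }
            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Length  = $_.Length
                Content = $content
            }
        }
}

# Usage: everything under the profile's Downloads folder, with the largest streams
# first. A multi-kilobyte stream with an unfamiliar name on a file that should not
# have been downloaded at all is the case worth pulling for analysis.
Get-AlternateDataStream -Path (Join-Path $env:USERPROFILE 'Downloads') -Recurse |
    Sort-Object Length -Descending |
    Format-Table File, Stream, Length, Content -Wrap
```

To extract a stream for analysis without executing anything, copy it out with Get-Content -Stream name -Raw (or -AsByteStream / -Encoding Byte for binaries) and hash the result; the stream is deleted with Remove-Item -Stream, which leaves the host file intact.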

It is also useful to get the list of users currently logged on to the system; for this we create the $user variable and assign it the output of the quser program, which reports session name, state, idle time and logon time for each user.

$user = quser

Attackers make changes to autorun entries to gain persistence on the system. To look at the autorun entries you can use the Get-ItemProperty cmdlet against the Run keys in the registry.
Let's create two variables: $runUser to look at the autorun entries of the current user, and $runMachine to look at the machine-wide ones. (The backslashes in the registry paths are required; without them the provider cannot resolve the key.)

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
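Two Run keys miss a lot: RunOnce, the Wow6432Node view used by 32-bit software on 64-bit Windows, and above all the hives of other users who are logged on, since HKCU: is only the account running the script. The added example below (this is not the original article's code) enumerates all of those, strips the PSPath/PSParentPath bookkeeping properties that Get-ItemProperty adds, and for each entry checks whether the executable exists and whether it is Authenticode-signed. The function name Get-RunKeyEntry and the command-line parsing are this example's own assumptions; reading other users' hives under HKEY_USERS requires administrative rights.

```powershell
function Get-RunKeyEntry {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )

    # Add the Run keys of every loaded user hive (S-1-5-21-... keys, skipping the
    # *_Classes keys). HKEY_USERS has no default PowerShell drive, so map one.
    if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
        New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
    }
    foreach ($hive in Get-ChildItem -Path 'HKU:\' -ErrorAction SilentlyContinue) {
        if ($hive.PSChildName -match '^S-1-5-21-[\d-]+$') {
            $keys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
            $keys += "HKU:\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\RunOnce"
        }
    }

    foreach ($k in $keys) {
        $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue   # missing key -> nothing
        if (-not $props) { continue }
        # Get-ItemProperty decorates the object with PSPath, PSParentPath, PSChildName,
        # PSDrive and PSProvider; only the remaining members are real registry values.
        foreach ($v in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            $cmd = [string]$v.Value
            # First token: a quoted path, else everything up to the first space. An
            # unquoted path containing spaces (C:\Program Files\...) is cut short here
            # and shows up as Exists=False, which is itself worth a look.
            $exe = $null
            if ($cmd -match '^"([^"]+)"' -or $cmd -match '^(\S+)') { $exe = $Matches[1] }
            $exists = if ($exe) { Test-Path -LiteralPath $exe } else { $false }
            [pscustomobject]@{
                Key        = $k
                Name       = $v.Name
                Command    = $cmd
                Executable = $exe
                Exists     = $exists
                Signature  = if ($exists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status } else { $null }
            }
        }
    }
}

# Usage: unsigned or missing autorun targets first; a valid Microsoft signature is
# the common case and can be skimmed.
Get-RunKeyEntry | Sort-Object { $_.Signature -eq 'Valid' } |
    Format-Table Key, Name, Executable, Exists, Signature -Wrap
```

Run keys are only the most visible autostart location; a full persistence review also covers services, WMI event subscriptions, Winlogon and shell extension keys, but the same pattern of enumerate, strip provider noise, resolve the binary and check its signature applies to each of them.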

So that all the information is written to separate files, we create an array holding the collected variables and, in the same order, an array holding the file names.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Then, using a for loop, the collected data is written to the files. The file name must be built inside a quoted string: outside quotes PowerShell reads $name.txt as a property lookup on $name, which is empty.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"
}

After running the script, 9 text files are created in the new directory, each containing the corresponding piece of information.
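The >> redirection writes formatted text, so wide columns are truncated and nested objects (task actions, triggers) appear as type names; Export-Csv or Export-Clixml preserve the structure and are the better choice when the files will be loaded into analysis tooling later. Whatever the format, what turns the directory into usable evidence is a record of who collected it, when, and hashes that prove the files are unchanged afterwards. The following added example (not from the original article) writes such a manifest next to the output files and verifies it later; the function names Write-CollectionManifest and Test-CollectionManifest and the manifest layout are this example's own assumptions.

```powershell
function Write-CollectionManifest {
    param([Parameter(Mandatory)] [string] $OutputDir)

    $files = Get-ChildItem -LiteralPath $OutputDir -File | Where-Object { $_.Name -ne 'manifest.json' }
    $manifest = [ordered]@{
        Host        = $env:COMPUTERNAME
        Collector   = "$env:USERDOMAIN\$env:USERNAME"
        CollectedAt = (Get-Date).ToString('o')   # ISO 8601 with UTC offset, unambiguous across time zones
        PSVersion   = $PSVersionTable.PSVersion.ToString()
        Files       = @($files | ForEach-Object {
            [ordered]@{
                Name   = $_.Name
                Bytes  = $_.Length
                SHA256 = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        })
    }

    $manifestPath = Join-Path $OutputDir 'manifest.json'
    $manifest | ConvertTo-Json -Depth 4 | Set-Content -LiteralPath $manifestPath -Encoding UTF8
    # The manifest's own hash is the single value to write into the case notes or
    # hand to the next analyst; it pins every file hash underneath it.
    (Get-FileHash -LiteralPath $manifestPath -Algorithm SHA256).Hash
}

function Test-CollectionManifest {
    param([Parameter(Mandatory)] [string] $OutputDir)

    $m = Get-Content -LiteralPath (Join-Path $OutputDir 'manifest.json') -Raw | ConvertFrom-Json
    foreach ($f in $m.Files) {
        $target = Join-Path $OutputDir $f.Name
        # A missing file yields no hash and therefore Intact = False.
        $actual = (Get-FileHash -LiteralPath $target -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
        [pscustomobject]@{
            File   = $f.Name
            Intact = ($null -ne $actual -and $actual -eq $f.SHA256)
        }
    }
}

# Usage, immediately after CSIRT has written its files (path is an example):
# $manifestHash = Write-CollectionManifest -OutputDir 'C:\IR\HOST0112.03.2024_14_05'
# ... later, after copying the directory off the host:
# Test-CollectionManifest -OutputDir 'D:\cases\HOST0112.03.2024_14_05' | Format-Table
```

Write the manifest as the last step of the collection, before anything is copied or opened, and copy the manifest hash somewhere the endpoint cannot alter it (the case ticket, a chat message); a manifest that lives only next to the files it describes can be regenerated by whoever tampers with them.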

Today, cybersecurity specialists can use PowerShell to obtain the information they need for a wide range of tasks in their work. Running a script like this one on an endpoint yields the data in plain text, without the screenshots, clutter and manual copying that collecting it by hand would involve.

Source: www.habr.com
