Using PowerShell to Collect Incident Information

PowerShell is a popular automation tool that is frequently used both by malware authors and by information security professionals.
This article discusses the option of using PowerShell to collect data from endpoints while responding to information security incidents. To do this you need to write a script that will run on the endpoint; the script is given first and then described in detail.

function CSIRT{
param($path) # the directory to save into must be supplied when the script is run
if ($psversiontable.psversion.major -ge 5)
	{
	$date = Get-Date -Format dd.MM.yyyy_HH_mm   # 24-hour clock so two runs on the same day cannot collide
	$Computer = $env:COMPUTERNAME
	New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
	$path = "$path\$computer$date"

	# running processes with creation time, name, PID, command line and parent PID
	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	# TCP connections with the owning PID
	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP endpoints have no remote side or state, so only the local side and owning PID exist
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess

	# scheduled tasks, excluding empty authors and authors that look like Microsoft's own
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob   # requires the PSScheduledJob module (Windows PowerShell)

	# alternate data streams of files in the current directory, ignoring the default :$DATA stream
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser   # logged-on users

	# autorun entries for the current user and for the machine
	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"

	# write each dataset to its own text file inside the collection directory
	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		$array[$w] >> "$path\$name.txt"
		}

	}
else
	{
	Write-Warning "PowerShell 5 or later is required; found $($psversiontable.psversion)"
	}

}

To start, create the function CSIRT, which takes one argument: the path where the collected data will be saved. Because many of the cmdlets used only work in PowerShell v5, the PowerShell version is checked so that the script runs correctly.

function CSIRT{

param($path) # the directory to save into must be supplied when the script is run
if ($psversiontable.psversion.major -ge 5)

To make it easier to navigate the created files, two variables are initialised: $date and $Computer, which are assigned the current date and the computer name.

$date = Get-Date -Format dd.MM.yyyy_HH_mm   # 24-hour clock so two runs on the same day cannot collide
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer$date" -ItemType 'Directory' -Force | Out-Null
$path = "$path\$computer$date"

We obtain the list of processes running on behalf of the current user as follows: create the variable $process and assign it the output of the get-ciminstance cmdlet for the win32_process class. With the Select-Object cmdlet you can add further output fields; in our case these are parentprocessid (PPID, the ID of the parent process), creationdate (when the process was created), processid (the PID of the process), processname (the name of the process) and commandline (the command that was run).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP and UDP connections, create the variables $netTCP and $netUDP by assigning them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets, respectively.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess   # UDP endpoints have no remote side or state

It is also useful to know the list of scheduled tasks and scheduled jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the variables $task and $job. Because a system initially contains many scheduled tasks, it is worth filtering out the legitimate ones in order to spot malicious activity; the Select-Object cmdlet, together with where filters on the author, helps with this.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname | where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as empty authors
$job = Get-ScheduledJob
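Written to a text file as above, the actions and triggers columns only show type names such as MSFT_TaskExecAction, not the executable that actually runs. As an added example (my code, not the article's script), the following function applies the same author exclusions and flattens each task into one row per action with the executable and its arguments; the function name and output shape are my choices.

```powershell
# Added example: one row per action of every scheduled task whose author is not excluded.
# The exclusion patterns are the ones used in the article's $task filter.
function Get-NonMicrosoftTaskActions {
    param(
        [string[]]$ExcludeAuthorLike = @('*Microsoft*', '*Майкрософт*', '*@%systemroot%*')
    )
    Get-ScheduledTask | Where-Object {
        $author = $_.Author
        # keep tasks with a non-empty author that matches none of the exclusion patterns
        $author -and (@($ExcludeAuthorLike | Where-Object { $author -like $_ }).Count -eq 0)
    } | ForEach-Object {
        $task = $_
        # trigger class names (e.g. MSFT_TaskLogonTrigger) are more readable than the raw objects
        $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ';'
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Author    = $task.Author
                State     = $task.State
                Execute   = $action.Execute      # $null for COM-handler actions, which have no image path
                Arguments = $action.Arguments
                Triggers  = $triggers
            }
        }
    }
}

# Usage (output path assumed): CSV keeps the full Execute and Arguments values without truncation
Get-NonMicrosoftTaskActions | Export-Csv -Path "$env:TEMP\TaskScheduled.csv" -NoTypeInformation -Encoding UTF8
```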

The NTFS file system has a concept called alternate data streams (ADS). This means that a file in NTFS can optionally be associated with several data streams of arbitrary size. Using ADS, one can hide data that would not be visible during a normal inspection of the system, which makes it possible to embed malicious code and/or conceal data.

To display alternate data streams in PowerShell, we use the get-item cmdlet with the built-in -stream parameter and the * wildcard, which shows every stream a file has; for this we create the $ADS variable.

$ADS = get-item * -stream * | where stream -ne ':$Data'

It is also useful to know which users are logged on to the system; for this we create the $user variable and assign it the output of the quser program.

$user = quser

Attackers can modify autorun entries to gain persistence on the system. To check the startup items, you can use the Get-ItemProperty cmdlet.
Let's create two variables: $runUser, to view autorun entries for the current user, and $runMachine, to view autorun entries for the computer.

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that every piece of information is written to a separate file, we create an array of the variables and an array of the file names.

$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Finally, a loop writes the collected data to the files.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"   # one file per dataset inside the collection directory
	}

After the script has run, 9 text files containing the useful information will have been created.
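Redirecting objects with >> applies PowerShell's default table formatting, which truncates wide columns such as the command line and makes the files hard to parse later. As an added example (my code, not the article's script), here is a variant of the collector for the processes, TCP connections and Run keys from the article that writes CSV instead, attributes each TCP connection to its owning process, and records SHA-256 hashes of the output files in a manifest; the function name, file names and directory layout are my choices.

```powershell
function Invoke-CsirtCollection {
    param([Parameter(Mandatory)][string]$OutputRoot)

    # <OutputRoot>\<COMPUTERNAME>_<timestamp>; 24-hour clock so two runs on one day cannot collide
    $stamp  = Get-Date -Format 'dd.MM.yyyy_HH_mm'
    $outDir = Join-Path $OutputRoot "$($env:COMPUTERNAME)_$stamp"
    New-Item -Path $outDir -ItemType Directory -Force | Out-Null

    # processes indexed by PID so each network connection can be attributed to an image
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

    $tcp = Get-NetTCPConnection | ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]   # $null if the process exited after the connection was listed
        [pscustomobject]@{
            CreationTime  = $_.CreationTime;  LocalAddress = $_.LocalAddress;  LocalPort   = $_.LocalPort
            RemoteAddress = $_.RemoteAddress; RemotePort   = $_.RemotePort;    State       = $_.State
            OwningProcess = $_.OwningProcess; ProcessName  = $owner.Name;      CommandLine = $owner.CommandLine
        }
    }

    # Run keys from both hives, one row per value, dropping the PS* provider properties
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | ForEach-Object {
        $key = $_
        (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PSObject.Properties |
            Where-Object { $_ -and $_.Name -notlike 'PS*' } |
            ForEach-Object { [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value } }
    }

    # CSV keeps every column in full, unlike the truncated default table output of >>
    $datasets = @{ Processes = $procs; TCPConnect = $tcp; RunKeys = $runKeys }
    foreach ($name in $datasets.Keys) {
        $datasets[$name] | Where-Object { $null -ne $_ } |
            Export-Csv -Path (Join-Path $outDir "$name.csv") -NoTypeInformation -Encoding UTF8
    }

    # manifest with the SHA-256 of every artifact so the collection can be verified later
    Get-ChildItem -Path $outDir -Filter *.csv | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
    return $outDir
}

# Usage (output root assumed): prints the directory that was created
Invoke-CsirtCollection -OutputRoot 'C:\IR'
```

Run it from an elevated session; otherwise Get-NetTCPConnection and Win32_Process return only what the current user is allowed to see.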

Today, cybersecurity professionals can use PowerShell to gather the information they need for a wide range of tasks in their work. By adding the script to startup, you can obtain this information without taking memory dumps, disk images and so on.

Source: mapenzi.com
