PowerShell is a popular automation tool that is used frequently both by malware developers and by information security specialists.
This article discusses the option of using PowerShell to collect data from endpoints when responding to information security incidents. To do this, you need to write a script that will run on the endpoint; a detailed description of that script follows.
function CSIRT{
param($path)
if ($psversiontable.psversion.major -ge 5)
{
$date = Get-Date -Format dd.MM.yyyy_hh_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer\$date" -ItemType 'Directory' -Force | Out-Null
$path = "$path\$computer\$date"
$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
processid, commandline, parentprocessid
$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
localport, remoteaddress, remoteport, owningprocess, state
$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress,
localport, remoteaddress, remoteport, owningprocess, state
$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
where author -notlike '*Майкрософт*' | where author -ne $null |
where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'
$job = Get-ScheduledJob
$ADS = get-item * -stream * | where stream -ne ':$Data'
$user = quser
$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"
for ($w = 0; $w -lt $array.count; $w++){
$name = $arrayName[$w]
$array[$w] >> "$path\$name.txt"
}
}
}

To begin, we create the CSIRT function, which takes one argument: the path where the collected data is to be saved. Because most of the cmdlets used only work in PowerShell v5, the PowerShell version is checked so that the script runs correctly.
function CSIRT{
param($path) # when running the script, the directory for saving the output must be specified
if ($psversiontable.psversion.major -ge 5)

To make it easier to navigate the created files, two variables are initialised: $date and $Computer, which are assigned the current date and the computer name.
$date = Get-Date -Format dd.MM.yyyy_hh_mm
$Computer = $env:COMPUTERNAME
New-Item -Path "$path\$computer\$date" -ItemType 'Directory' -Force | Out-Null
$path = "$path\$computer\$date"

We obtain the list of processes running under the current user as follows: create the $process variable and assign it the get-ciminstance cmdlet with the win32_process class. Using the Select-Object cmdlet you can add extra output parameters; in our case these are parentprocessid (the parent process ID, PPID), creationdate (the process creation date), processid (the process ID, PID), processname (the process name) and commandline (the command line used).
$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get a list of all TCP and UDP connections, create the $netTCP and $netUDP variables by assigning them the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively.
$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state
$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

It is also important to obtain the list of scheduled tasks and jobs. For this we use the get-ScheduledTask and Get-ScheduledJob cmdlets and assign them to the $task and $job variables. A system initially contains many scheduled tasks, so to identify a malicious task it is worth filtering out the legitimate ones. The Select-Object cmdlet helps us with this.
$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob

The NTFS file system has a feature called alternate data streams (ADS). This means that a file on NTFS can optionally be associated with several data streams of arbitrary size. Using ADS, data can be hidden so that it is not visible when the system is examined in the usual way. This makes it easier to plant malicious code and/or hide data.
To display the different data streams in PowerShell, we will use the get-item cmdlet together with the built-in Windows stream attribute and the * symbol, so that all possible streams are shown; for this we create the $ADS variable.
$ADS = get-item * -stream * | where stream -ne ':$Data'

It is also useful to obtain the list of users logged on to the system:
$user = quser

Attackers can make changes to autorun in order to gain a foothold on the system. To check the startup items, you can use the Get-ItemProperty cmdlet.
We create two variables: $runUser, to check startup entries under the user's account, and $runMachine, to check startup entries for the computer.
$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that all the information is written to separate files, we create an array of the variables and an array of file names.
$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Then, using a loop, the collected data is written to the files.
for ($w = 0; $w -lt $array.count; $w++){
$name = $arrayName[$w]
$array[$w] >> "$path\$name.txt"
}

After running the script, 9 text files are created containing the required information.
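As an added example (not the article's script), the same collection procedure written as a more robust collector: each artifact is gathered by its own scriptblock so one failure is logged instead of aborting the run, the output goes to CSV, and a SHA-256 manifest of the output files is produced for later verification. The function name Invoke-CsirtCollect and the $OutRoot parameter are my own; it assumes PowerShell 5 or later on the endpoint.

```powershell
# Added example, not the article's script. Assumes PowerShell 5+ on the endpoint;
# Invoke-CsirtCollect and $OutRoot are names chosen here.
function Invoke-CsirtCollect {
    param([Parameter(Mandatory)][string]$OutRoot)

    if ($PSVersionTable.PSVersion.Major -lt 5) { throw 'PowerShell 5 or later is required' }

    $stamp  = Get-Date -Format 'dd.MM.yyyy_HH_mm'
    $outDir = Join-Path $OutRoot "$env:COMPUTERNAME\$stamp"
    New-Item -Path $outDir -ItemType Directory -Force | Out-Null

    # One scriptblock per artifact, so a failing collector is logged instead of aborting the run.
    $collectors = [ordered]@{
        Processes   = { Get-CimInstance Win32_Process |
                        Select-Object CreationDate, ProcessName, ProcessId, ParentProcessId, CommandLine }
        TCPConnect  = { Get-NetTCPConnection |
                        Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State }
        # UDP endpoints have no remote side or state, so only the fields that exist are selected.
        UDPConnect  = { Get-NetUDPEndpoint | Select-Object CreationTime, LocalAddress, LocalPort, OwningProcess }
        TaskScheduled = { Get-ScheduledTask |
                          Where-Object { $_.Author -and $_.Author -notlike '*Microsoft*' -and $_.Author -notlike '*@%systemroot%*' } |
                          Select-Object TaskName, TaskPath, State, Author,
                              @{ n = 'Actions'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | ' } } }
        RunUser     = { Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' | Select-Object * -ExcludeProperty PS* }
        RunMachine  = { Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' | Select-Object * -ExcludeProperty PS* }
        # Walk the user profile for streams other than the default ':$DATA' instead of only the current directory.
        AlternateDataStream = { Get-ChildItem -Path $env:USERPROFILE -Recurse -File -ErrorAction SilentlyContinue |
                                Get-Item -Stream * -ErrorAction SilentlyContinue |
                                Where-Object Stream -ne ':$DATA' | Select-Object FileName, Stream, Length }
    }

    foreach ($name in $collectors.Keys) {
        try {
            & $collectors[$name] | Export-Csv -Path (Join-Path $outDir "$name.csv") -NoTypeInformation -Encoding UTF8
        } catch {
            "$name failed: $($_.Exception.Message)" | Add-Content -Path (Join-Path $outDir 'errors.log')
        }
    }

    # quser returns plain text, so it is kept as text, as in the article.
    quser 2>$null | Out-File -FilePath (Join-Path $outDir 'Users.txt') -Encoding UTF8

    # Hash every output file so the collection can be verified later (chain of custody).
    Get-ChildItem -Path $outDir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash | Export-Csv -Path (Join-Path $outDir 'manifest.csv') -NoTypeInformation
    return $outDir
}
```

Run it as `Invoke-CsirtCollect -OutRoot 'D:\triage'` from an elevated session; the returned path contains the CSV files, Users.txt, manifest.csv and, if any collector failed, errors.log.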
Today, cybersecurity specialists can use PowerShell to gather the information they need to solve the various tasks in their work. By adding the script to startup, you can obtain this information without taking memory dumps, disk images and so on.
Source: www.habr.com
