Using PowerShell to collect information about an incident

PowerShell is a popular cross-platform automation tool that is used just as often by malware authors as by information security specialists.
This article looks at using PowerShell to collect data from endpoints remotely when responding to an information security incident. For that, a script is needed that runs on the endpoint itself; it is shown in full below, followed by a walk-through of each part.

function CSIRT {
    param($path)  # directory under which the results are saved
    if ($PSVersionTable.PSVersion.Major -ge 5) {
        # HH is the 24-hour clock; with hh two runs twelve hours apart would share a directory
        $date = Get-Date -Format dd.MM.yyyy_HH_mm
        $Computer = $env:COMPUTERNAME
        $path = Join-Path $path "$Computer\$date"
        New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

        # all processes visible to the calling account; run elevated to get other users' command lines
        $process = Get-CimInstance -ClassName Win32_Process | Select-Object CreationDate, ProcessName,
            ProcessId, CommandLine, ParentProcessId

        $netTCP = Get-NetTCPConnection | Select-Object CreationTime, LocalAddress,
            LocalPort, RemoteAddress, RemotePort, OwningProcess, State

        # UDP is connectionless: an endpoint has no remote address, remote port or state
        $netUDP = Get-NetUDPEndpoint | Select-Object CreationTime, LocalAddress,
            LocalPort, OwningProcess

        # drop tasks whose Author looks like Microsoft; the field is free text, so this only removes noise
        $task = Get-ScheduledTask | Select-Object Author, Actions, Triggers, State, Description, TaskName |
            Where-Object Author -notlike '*Майкрософт*' | Where-Object Author -ne $null |
            Where-Object Author -notlike '*@%systemroot%*' | Where-Object Author -notlike '*microsoft*'

        # Get-ScheduledJob belongs to the PSScheduledJob module (Windows PowerShell only)
        $job = Get-ScheduledJob

        # alternate data streams of the files in the current directory only; ':$DATA' is the normal stream
        $ADS = Get-Item * -Stream * | Where-Object Stream -ne ':$DATA'

        # quser returns text, not objects
        $user = quser

        # HKCU is the hive of the account running the script, not necessarily the logged-on user
        $runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

        $runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

        # the two arrays are indexed in the same order: result i goes to file name i
        $array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
        $arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
            "ScheduledJob", "AlternativeDataStream"

        for ($w = 0; $w -lt $array.Count; $w++) {
            $name = $arrayName[$w]
            $file = Join-Path $path "$name.txt"
            # >> appends the default table formatting, so very long columns are truncated with "..."
            $array[$w] >> $file
        }
    }
}

To begin, a CSIRT function is declared that takes a single argument: the path under which the collected data is saved. Because the cmdlets used below are relied on to work in PowerShell 5, the PowerShell version is checked first, and nothing is collected on an older version.

function CSIRT{
param($path)  # when the script is run, the directory in which to save the results must be given
if ($psversiontable.psversion.major -ge 5)

To make the created files easy to navigate, two variables are initialised next: $date and $Computer, which receive the current date and time and the computer name. From them a directory <path>\<computer>\<date> is created and $path is re-pointed at it. HH in the format string is the 24-hour clock; with hh (12-hour clock) two runs twelve hours apart would end up in the same directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm
$Computer = $env:COMPUTERNAME
New-Item -Path $path\$computer\$date -ItemType 'Directory' -Force | Out-Null
$path = "$path\$computer\$date"

The list of running processes is obtained as follows: a $process variable is created and assigned the output of the Get-CimInstance cmdlet with the Win32_Process class. This returns every process visible to the account the script runs under, so run it with administrator rights to get the command lines of other users' processes as well. With Select-Object the output is reduced to the fields of interest, in our case parentprocessid (parent process ID, PPID), creationdate (process creation time), processid (process ID, PID), processname (process name) and commandline (the command the process was started with).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid
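The PID/PPID pair on its own is hard to read; what an analyst actually wants is the parent's name, the account the process runs as and the executable path next to each process. The following is an added example, not code from the original article: it builds that enriched list from the same Win32_Process class and then picks out the classic initial-access pattern of an Office or script-host process spawning a shell. The function name Get-CsirtProcessTree and the list of "suspicious parents" are choices made here, not part of the article.

```powershell
# Added example: process list enriched with parent name, owner and path (not from the article).
function Get-CsirtProcessTree {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($p in $procs) { $byId[$p.ProcessId] = $p }

    foreach ($p in $procs) {
        $parent = $byId[$p.ParentProcessId]
        # GetOwner fails for protected/system processes; report that as unknown instead of aborting
        $owner = try {
            $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner -ErrorAction Stop
            if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'n/a' }
        } catch { 'n/a' }

        [pscustomobject]@{
            Created     = $p.CreationDate
            PID         = $p.ProcessId
            Name        = $p.Name
            PPID        = $p.ParentProcessId
            # a parent that has already exited leaves a PPID that points at nothing (or at a reused PID)
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            Owner       = $owner
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
    }
}

# Constructed watch-list: document viewers and script hosts that should not normally start a shell
$suspiciousParents = 'winword.exe', 'excel.exe', 'outlook.exe', 'powerpnt.exe', 'mshta.exe', 'wscript.exe'

$tree = Get-CsirtProcessTree
$tree | Sort-Object Created | Format-Table Created, PID, PPID, Name, ParentName, Owner -AutoSize
$tree |
    Where-Object { $suspiciousParents -contains $_.ParentName -and $_.Name -match '^(cmd|powershell|pwsh)\.exe$' } |
    Format-List
```

The owner lookup is the slow part (one WMI method call per process); on a busy server it is worth leaving it out of the first pass and resolving owners only for the processes that the parent/child filter flags.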

To get the list of all TCP connections and UDP endpoints, the $netTCP and $netUDP variables are created and assigned the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively. UDP is connectionless, so a UDP endpoint has no remote address, remote port or state; for it only the local address, port and owning process are selected. The owningprocess column is the PID and can be matched against the process list above.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess
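A raw connection table is only useful once the owning PID is resolved to a process, and during triage the connections that leave the host matter most. The following is an added example, not code from the original article: it resolves owningprocess to the process name and path with Get-Process and keeps only established connections to non-private addresses, plus the listening ports. The function name and the "private range" regular expression are assumptions made here.

```powershell
# Added example: TCP connections with the owning process resolved (not from the article).
function Get-CsirtConnections {
    $procById = @{}
    Get-Process | ForEach-Object { $procById[$_.Id] = $_ }

    # RFC 1918, loopback, link-local and IPv6 loopback/link-local are treated as internal (assumption)
    $internal = '^(10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.|127\.|169\.254\.|::1$|fe80:)'

    Get-NetTCPConnection |
        Where-Object {
            ($_.State -eq 'Established' -and $_.RemoteAddress -notmatch $internal) -or
            ($_.State -eq 'Listen')
        } |
        ForEach-Object {
            $proc = $procById[[int]$_.OwningProcess]
            [pscustomobject]@{
                Created = $_.CreationTime
                State   = $_.State
                Local   = "$($_.LocalAddress):$($_.LocalPort)"
                Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
                PID     = $_.OwningProcess
                Process = if ($proc) { $proc.ProcessName } else { '<unknown>' }
                # Path is $null for processes the caller may not inspect; run elevated for a complete view
                Path    = if ($proc) { $proc.Path } else { $null }
            }
        }
}

Get-CsirtConnections | Sort-Object State, Process | Format-Table -AutoSize
```

A PID that resolves to <unknown> usually means the process exited between the two calls; re-running the function once is cheaper than chasing it.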

It is also important to collect the list of scheduled tasks and scheduled jobs. For this the Get-ScheduledTask and Get-ScheduledJob cmdlets are used, and their output is assigned to the $task and $job variables. Because a system normally contains a large number of scheduled tasks, filtering out the legitimate ones makes malicious activity easier to spot: Select-Object picks the fields of interest and Where-Object drops the tasks whose author looks like Microsoft. Bear in mind that Author is free text written by whoever registers the task, so this filter only removes noise; it does not prove that the remaining tasks are the only ones worth looking at.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob  # PSScheduledJob module: available in Windows PowerShell, not in PowerShell 7
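Since the Author field is attacker-controlled, a more robust first cut is to look at what the task actually runs. The following is an added example, not code from the original article: it walks the Actions of every enabled task, expands environment variables in the executable path and reports tasks whose binary lives outside the system and Program Files directories, as well as tasks that run a script host (whose arguments are where the real payload sits). The function name, the set of "trusted" prefixes and the script-host list are assumptions made here.

```powershell
# Added example: triage scheduled tasks by their action, not by Author (not from the article).
function Get-CsirtSuspiciousTasks {
    # Assumed trusted locations; adjust for your build
    $trusted = "$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\"

    Get-ScheduledTask | Where-Object State -ne 'Disabled' | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # only exec actions carry a program; COM-handler actions have no Execute and are skipped
            if (-not $action.Execute) { continue }
            $exe = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')

            $inTrusted = $false
            foreach ($prefix in $trusted) {
                if ($exe.StartsWith($prefix, [StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true }
            }
            # a bare name such as cmd.exe resolves through PATH and is reported as well
            $scriptHost = $exe -match '(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)\.exe$'

            if (-not $inTrusted -or $scriptHost) {
                [pscustomobject]@{
                    TaskPath  = $task.TaskPath
                    TaskName  = $task.TaskName
                    Author    = $task.Author
                    Execute   = $exe
                    Arguments = $action.Arguments
                    Reason    = if (-not $inTrusted) { 'binary outside system paths' } else { 'script host' }
                }
            }
        }
    }
}

Get-CsirtSuspiciousTasks | Sort-Object Reason, TaskPath | Format-List
```

The script-host rule is deliberately noisy (several built-in Microsoft tasks run rundll32 or PowerShell); the point is that Arguments is printed next to each hit, so an encoded command or a path under a user profile is visible at a glance.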

The NTFS file system has a feature called alternate data streams (ADS): a file can carry, in addition to its main data stream, any number of additional named streams of arbitrary size. Data placed in an ADS does not appear in ordinary directory listings or file-size checks, which makes it a convenient place for an attacker to hide data or malicious code.

To list alternate data streams in PowerShell, the Get-Item cmdlet is used with the -Stream parameter, where the * wildcard selects every stream of each file; the result is stored in the $ADS variable. The normal data stream is named :$DATA and is excluded. Note that Get-Item * only covers the files in the script's current working directory, not the whole disk.

$ADS = get-item * -stream * | where stream -ne ':$DATA'
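During an investigation the interesting question is which files under a user profile carry an ADS and what is in it. The following is an added example, not code from the original article: it scans a directory tree recursively, separates the common Zone.Identifier stream (the "mark of the web" that browsers attach to downloads) from everything else and shows a hex preview of the first bytes of each remaining stream, so that a PE header (4D 5A) or script text hidden in a stream is recognisable without opening it. The function name and the default root are assumptions made here.

```powershell
# Added example: recursive ADS scan with a content preview (not from the article).
function Get-CsirtAlternateStreams {
    param(
        [string]$Root = $env:USERPROFILE,   # assumed default; pass any directory
        [int]$PreviewBytes = 64
    )
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object Stream -ne ':$DATA'
        } |
        ForEach-Object {
            $preview = ''
            if ($_.Stream -ne 'Zone.Identifier') {
                # -Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream
                $bytes = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Encoding Byte `
                    -TotalCount $PreviewBytes -ErrorAction SilentlyContinue
                if ($bytes) { $preview = ($bytes | ForEach-Object { $_.ToString('X2') }) -join ' ' }
            }
            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Length  = $_.Length
                Kind    = if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'other' }
                Preview = $preview
            }
        }
}

# Everything that is not a mark-of-the-web stream deserves a look
Get-CsirtAlternateStreams | Where-Object Kind -eq 'other' | Format-List
```

Zone.Identifier streams are still worth keeping in the output: a ZoneId=3 entry with a ReferrerUrl tells you where a dropped file was downloaded from.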

It is also useful to get the list of users logged on to the system; for this a $user variable is created and assigned the output of the quser program. quser returns plain text rather than objects, so its output is written to the file as-is.

$user = quser

ืึทื˜ืึทืงืขืจื– ืงืขื ืขืŸ ืžืึทื›ืŸ ืขื ื“ืขืจื•ื ื’ืขืŸ ืฆื• ืึทื•ื˜ืึธืจื•ืŸ ืฆื• ื‘ืึทืงื•ืžืขืŸ ืึท ืคื•ื˜ื›ืึธื•ืœื“ ืื™ืŸ ื“ื™ ืกื™ืกื˜ืขื. ืฆื• ื–ืขืŸ ืกื˜ืึทืจื˜ืึทืคึผ ืึทื‘ื“ื–ืฉืขืงืฅ, ืื™ืจ ืงืขื ืขืŸ ื ื•ืฆืŸ ื“ื™ Get-ItemProperty ืงืžื“ืœืขื˜.
ืœืึธืžื™ืจ ืžืึทื›ืŸ ืฆื•ื•ื™ื™ ื•ื•ืขืจื™ืึทื‘ืึทืœื–: $runUser - ืฆื• ื–ืขืŸ ืกื˜ืึทืจื˜ืึทืคึผ ืื•ื™ืฃ ื‘ื™ื›ืึทืฃ ืคื•ืŸ ื“ื™ ื‘ืึทื ื™ืฆืขืจ ืื•ืŸ $runMachine - ืฆื• ื–ืขืŸ ืกื˜ืึทืจื˜ืึทืคึผ ืคึฟืึทืจ ื“ื™ ืงืึธืžืคึผื™ื•ื˜ืขืจ.

$runUser = Get-ItemProperty 
"HKCU:SoftwareMicrosoftWindowsCurrentVersionRun"
$runMachine = Get-ItemProperty 
"HKLM:SoftwareMicrosoftWindowsCurrentVersionRun"

So that each kind of information ends up in its own file, an array of the variables and a matching array of file names are created; the two arrays are indexed in the same order, so element i of $array is written to file name i of $arrayName.

$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

A for loop then writes the collected data to the files. The >> operator appends the default formatted (table) output, so long columns such as commandline are cut off with "..." when they exceed the line width; where the full values matter, Export-Csv or Format-List piped into Out-File keeps them intact.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$file = Join-Path $path "$name.txt"
	$array[$w] >> $file
}

After the script has run, nine text files with the collected information are created in the <path>\<computer>\<date> directory.
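The article's stated goal is remote collection, which the function above leaves to the reader. The following is an added example, not code from the original article: it packages the same kinds of collection into a script block, runs it on each target over PowerShell Remoting with Invoke-Command, writes CSV instead of formatted text so that command lines are not truncated, copies the result directory back with Copy-Item -FromSession and then removes the working copy from the endpoint. It assumes WinRM is enabled on the targets and that the account used is a local administrator there; the host names and directories are placeholders.

```powershell
# Added example: remote collection over WinRM with results pulled back to the analyst host (not from the article).
$targets   = 'WS-001', 'WS-002'        # constructed host names
$dropDir   = 'C:\CSIRT'                # destination on the analyst workstation (assumption)
$remoteDir = 'C:\Windows\Temp\CSIRT'   # working directory on the endpoint (assumption)

$collector = {
    param($outDir)
    $outDir = Join-Path $outDir "$env:COMPUTERNAME\$(Get-Date -Format dd.MM.yyyy_HH_mm)"
    New-Item -Path $outDir -ItemType Directory -Force | Out-Null

    $items = [ordered]@{
        Processes  = Get-CimInstance Win32_Process |
                     Select-Object CreationDate, ProcessName, ProcessId, ParentProcessId, CommandLine
        TCPConnect = Get-NetTCPConnection |
                     Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State
        UDPConnect = Get-NetUDPEndpoint | Select-Object CreationTime, LocalAddress, LocalPort, OwningProcess
        Tasks      = Get-ScheduledTask | Select-Object TaskPath, TaskName, Author, State,
                         @{n='Execute';   e={ ($_.Actions | ForEach-Object Execute)   -join ' | ' }},
                         @{n='Arguments'; e={ ($_.Actions | ForEach-Object Arguments) -join ' | ' }}
        # HKCU here is the remoting account's hive, not the interactive user's
        RunUser    = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        RunMachine = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    }
    # CSV keeps full command lines; the default table output truncates long columns
    foreach ($name in $items.Keys) {
        $items[$name] | Export-Csv -Path (Join-Path $outDir "$name.csv") -NoTypeInformation -Encoding UTF8
    }
    # quser has no object output; keep its text as-is (2>$null: it errors when nobody is logged on)
    quser 2>$null | Out-File -FilePath (Join-Path $outDir 'Users.txt') -Encoding UTF8
    return $outDir
}

foreach ($t in $targets) {
    $session = New-PSSession -ComputerName $t -ErrorAction Stop
    try {
        $resultDir = Invoke-Command -Session $session -ScriptBlock $collector -ArgumentList $remoteDir
        $dest = Join-Path $dropDir $t
        New-Item -Path $dest -ItemType Directory -Force | Out-Null
        # Copy-Item -FromSession requires PowerShell 5.0 or later on the analyst side
        Copy-Item -FromSession $session -Path $resultDir -Destination $dest -Recurse -Force
        # do not leave the evidence copy behind on the endpoint
        Invoke-Command -Session $session -ScriptBlock { param($d) Remove-Item -LiteralPath $d -Recurse -Force } `
            -ArgumentList $resultDir
    }
    finally {
        Remove-PSSession $session
    }
}
```

Two things are worth knowing before relying on this in an incident: Invoke-Command runs the collector as the remoting account, so per-user artefacts (HKCU, the current directory for an ADS scan) are that account's, and enabling WinRM on a host that did not have it before is itself a change to the evidence, which should be noted in the incident log.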

Today cybersecurity professionals can use PowerShell to obtain the information they need for a wide range of tasks in their work. By adding such a script to startup, a good deal of information can be collected without having to take memory dumps, disk images and so on.

ืžืงื•ืจ: www.habr.com
