PowerShell is a widely used automation tool, popular both with software developers and with information security professionals.
This article looks at one way of using PowerShell to collect data from endpoints remotely while responding to an information security incident. To do this you need a script that runs on the endpoint; the script is given in full first, followed by a detailed explanation of each part.
function CSIRT {
    param($path)   # directory where the collected data will be saved
    if ($psversiontable.psversion.major -ge 5)
    {
        $date = Get-Date -Format dd.MM.yyyy_HH_mm
        $Computer = $env:COMPUTERNAME
        # One output folder per host and per run, e.g. <path>\HOST01_02.03.2024_14_05
        $path = Join-Path $path "${Computer}_$date"
        New-Item -Path $path -ItemType 'Directory' -Force | Out-Null
        # Running processes with parent PID and full command line
        $process = Get-CimInstance -ClassName Win32_Process | Select-Object creationdate, processname,
            processid, commandline, parentprocessid
        # TCP connections and UDP endpoints with the owning PID
        $netTCP = Get-NetTCPConnection | Select-Object creationtime, localaddress,
            localport, remoteaddress, remoteport, owningprocess, state
        $netUDP = Get-NetUDPEndpoint | Select-Object creationtime, localaddress,
            localport, owningprocess
        # Scheduled tasks, minus those authored by Microsoft ("Майкрософт" on Russian-localized Windows)
        $task = Get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname |
            where author -notlike '*Майкрософт*' | where author -ne $null |
            where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'
        # PowerShell scheduled jobs (PSScheduledJob module)
        $job = Get-ScheduledJob
        # Alternate data streams on the files in the current directory
        $ADS = Get-Item * -Stream * | where stream -ne ':$DATA'
        # Logged-on users
        $user = quser
        # Autorun entries of the current user and of the machine
        $runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
        $runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
        # Each collected set is written to its own text file
        $array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
        $arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
            "ScheduledJob", "AlternativeDataStream"
        for ($w = 0; $w -lt $array.count; $w++){
            $name = $arrayName[$w]
            $file = Join-Path $path "$name.txt"
            $array[$w] >> $file
        }
    }
}

To begin, create a function named CSIRT that takes one argument: the path under which the collected data will be saved. Because most of the cmdlets used here require PowerShell 5 or later, the PowerShell version is checked first so that the script only runs where it can work correctly.
function CSIRT {
    param($path)   # when running the script, specify the directory where the results will be saved
    if ($psversiontable.psversion.major -ge 5)

To make the created files easier to navigate, two variables are initialized, $date and $Computer, which hold the current date and time and the computer name; together they form the name of the output folder for this run.
    $date = Get-Date -Format dd.MM.yyyy_HH_mm
    $Computer = $env:COMPUTERNAME
    $path = Join-Path $path "${Computer}_$date"
    New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

(HH gives a 24-hour clock; with hh two runs twelve hours apart would land in the same folder.)

We get the list of running processes as follows: create a $process variable and assign it the output of the Get-CimInstance cmdlet with the Win32_Process class. With the Select-Object cmdlet you choose which properties to keep; in our case these are parentprocessid (the parent process ID, PPID), creationdate (the process creation time), processid (the process ID, PID), processname (the process name) and commandline (the command line the process was started with). Note that the command line of processes belonging to other users is only returned when the script runs with administrative privileges.
    $process = Get-CimInstance -ClassName Win32_Process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To get the list of all TCP and UDP connections, create the $netTCP and $netUDP variables and assign them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets respectively.
    $netTCP = Get-NetTCPConnection | Select-Object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state
    $netUDP = Get-NetUDPEndpoint | Select-Object creationtime, localaddress, localport, owningprocess

(UDP is connectionless, so Get-NetUDPEndpoint only describes local endpoints; it has no remote address, remote port or state properties, and selecting them would just produce empty columns.)

It is also useful to get the list of scheduled tasks and scheduled jobs. For this we use the Get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. Since a system contains many scheduled tasks out of the box, to spot a malicious one it makes sense to filter out the legitimate ones first. The Select-Object and Where-Object cmdlets help with this.
    $task = Get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname | where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'   # $task excludes authors containing "Майкрософт" (Microsoft on Russian-localized Windows), "Microsoft" or "*@%systemroot%*", as well as tasks with an empty author
    $job = Get-ScheduledJob

Keep in mind that the author field of a task is free text set by whoever registered it, so malware can simply claim Microsoft as its author; the filter cuts noise but is not a guarantee. Get-ScheduledJob comes from the PSScheduledJob module, which ships with Windows PowerShell 5.1 but not with PowerShell 7.

The NTFS file system has a feature called alternate data streams (ADS). It means that a file on NTFS can have several data streams of arbitrary size associated with it. Using ADS, data can be hidden that would not be visible on a normal inspection of the system. This makes it possible to plant malicious code and/or hide data.
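To see what the script's ADS check actually catches, here is an added example that is not part of the original article: it plants a named stream on a scratch file under $env:TEMP, shows that a normal directory listing reveals nothing, and then enumerates streams over the whole folder the way the script does. The stream name 'hidden.ps1' and the folder name are made up for the demo.

```powershell
# Added example (not from the original article): hide data in an alternate data
# stream and find it again with Get-Item -Stream *. Everything lives under
# $env:TEMP so the demo is self-contained; 'hidden.ps1' is a made-up stream name.

$Scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -Path $Scratch -ItemType Directory -Force | Out-Null
$Carrier = Join-Path $Scratch 'report.txt'

# A harmless visible file with a second, named stream attached to it.
Set-Content -Path $Carrier -Value 'quarterly numbers'
Set-Content -Path $Carrier -Stream 'hidden.ps1' -Value 'Write-Host "this text lives in an ADS"'

# A normal listing shows one file whose Length counts only the default stream;
# nothing indicates that more data is attached to it.
Get-ChildItem -Path $Scratch | Select-Object Name, Length

# Stream enumeration over a whole tree. Every file has the default ':$DATA'
# stream, so that one is dropped; anything else deserves a look. The comparison
# is case-insensitive, so the article's ':$Data' spelling matches the same stream.
function Get-SuspiciousStream {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force |
        Get-Item -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Get-SuspiciousStream -Root $Scratch

# Pull the hidden content out for the incident report.
Get-Content -Path $Carrier -Stream 'hidden.ps1'

Remove-Item -Path $Scratch -Recurse -Force
```

On a real host the same filter will also surface Zone.Identifier streams, which Windows attaches to files downloaded from the Internet; those are benign, but they are useful evidence because they record where a file came from.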
To display alternate data streams in PowerShell we use the Get-Item cmdlet with its -Stream parameter and the wildcard * to list every stream; the result is assigned to the $ADS variable. Every file has a default stream named :$DATA, so it is filtered out and only the additional streams remain (the -ne comparison is case-insensitive, so ':$Data' and ':$DATA' match the same thing). Note that Get-Item * only covers the directory the script is run from; to sweep a whole tree, feed it from Get-ChildItem -Recurse instead.

    $ADS = Get-Item * -Stream * | where stream -ne ':$DATA'

It is also useful to get the list of users logged on to the system; for this we create the $user variable and assign it the output of the quser utility.
    $user = quser

Attackers can modify autorun entries to maintain persistence on the system. To view the startup items you can use the Get-ItemProperty cmdlet.
Let's create two variables: $runUser, to view the autorun entries of the user, and $runMachine, to view the autorun entries of the machine.
    $runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
    $runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

HKCU is the hive of the account the script runs under; if the incident concerns a different interactive user, read that user's Run key under HKEY_USERS\<SID> instead.

So that all the information ends up in separate files, we create a variable holding the collected arrays and an array with the file names.
    $array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
    $arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
        "ScheduledJob", "AlternativeDataStream"

And using a loop, the collected data is written to the files.
    for ($w = 0; $w -lt $array.count; $w++){
        $name = $arrayName[$w]
        $file = Join-Path $path "$name.txt"
        $array[$w] >> $file
    }
    }
}

After the script runs, 9 text files are created in the output folder containing the required information. The version check is the only branch in the function: on a host with PowerShell older than 5 it silently does nothing, so if no output folder appears, check $PSVersionTable first.
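The article's script writes text files on the endpoint itself. As an added example that is not part of the original article, the following wrapper performs the same kind of collection remotely over WinRM with Invoke-Command, keeps the results as objects, joins each TCP connection to the process that owns it, reads the Run key of every loaded user hive rather than only HKCU, and stores CSV files together with a SHA-256 manifest. It assumes WinRM is enabled on the targets and that the caller is a local administrator there; the host names and the output path are placeholders.

```powershell
# Added example (not from the original article): remote triage collection over
# WinRM with per-host CSV output and a SHA-256 manifest. Assumes WinRM is enabled
# on the targets and the caller is a local administrator there; host names and
# the output path are placeholders.

$Targets = 'WS-001', 'WS-002'      # hypothetical host names
$OutRoot = 'C:\IR\Collect'         # local folder that receives the results

$Collector = {
    # Everything in this block runs on the remote host and is serialized back.
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate

    # Index processes by PID so every connection carries its owner's name and command line.
    $byPid = @{}
    foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
    $tcp = Get-NetTCPConnection | ForEach-Object {
        $owner = $byPid[[int]$_.OwningProcess]
        [PSCustomObject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            OwningProcess = $_.OwningProcess
            ProcessName   = $owner.Name
            CommandLine   = $owner.CommandLine
        }
    }

    # Run keys: the machine key plus the key of every loaded user hive. HKCU alone
    # would only show the account the collector runs as, which is rarely the victim.
    $runPaths = @('Registry::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run')
    $runPaths += Get-ChildItem -Path Registry::HKEY_USERS | ForEach-Object {
        "Registry::$($_.Name)\Software\Microsoft\Windows\CurrentVersion\Run"
    }
    $runKeys = foreach ($rp in $runPaths) {
        if (Test-Path -LiteralPath $rp) {
            $key = Get-Item -LiteralPath $rp
            foreach ($valueName in $key.Property) {
                [PSCustomObject]@{ Key = $key.Name; Name = $valueName; Command = $key.GetValue($valueName) }
            }
        }
    }

    [PSCustomObject]@{ Processes = $procs; TCP = $tcp; RunKeys = $runKeys }
}

# Export-Csv rejects a null input object, so skip empty result sets.
function Write-Artifact($Rows, $Path) {
    if ($Rows) { $Rows | Export-Csv -Path $Path -NoTypeInformation }
}

$stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
foreach ($target in $Targets) {
    try {
        $data = Invoke-Command -ComputerName $target -ScriptBlock $Collector -ErrorAction Stop
    } catch {
        Write-Warning "$target : $($_.Exception.Message)"
        continue
    }
    $dir = Join-Path $OutRoot "${target}_$stamp"
    New-Item -Path $dir -ItemType Directory -Force | Out-Null
    Write-Artifact $data.Processes (Join-Path $dir 'Processes.csv')
    Write-Artifact $data.TCP       (Join-Path $dir 'TCPConnect.csv')
    Write-Artifact $data.RunKeys   (Join-Path $dir 'RunKeys.csv')

    # Hash every artifact at collection time so later tampering with the evidence is detectable.
    Get-ChildItem -Path $dir -Filter *.csv |
        Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path -Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
}
```

Returning objects instead of redirecting formatted text means nothing is truncated to the console width, and CSV can be loaded straight into a spreadsheet or a SIEM. The manifest is written last so that it covers every artifact of the run; store it separately from the data it describes.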
Today, cybersecurity specialists can use PowerShell to gather the information they need for a variety of tasks in their work. By running a script like this one at the start of an investigation, you can obtain specific information without first having to take memory dumps, disk images and so on.
Source: www.habr.com
