Using PowerShell to Collect Incident Information

PowerShell is a widely used automation tool that both system administrators and information security specialists rely on.
This article discusses one option for using PowerShell to remotely collect data from end devices while responding to information security incidents. To do this, you will need to write a script that runs on the end device; the full script is given first, followed by a detailed description of each part.

function CSIRT{
param($path)   # directory where the collected data will be saved
if ($psversiontable.psversion.major -ge 5)
	{
	# HH gives a 24-hour timestamp (hh would make 01:00 and 13:00 produce the same folder name)
	$date = Get-Date -Format dd.MM.yyyy_HH_mm
	$Computer = $env:COMPUTERNAME
	$path = Join-Path $path "$Computer$date"
	New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

	# running processes with PID, PPID, creation time and command line
	$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname,
	processid, commandline, parentprocessid

	$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress,
	localport, remoteaddress, remoteport, owningprocess, state

	# UDP endpoints have no remote side or state, only the local binding and the owning process
	$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess

	# scheduled tasks whose author is not Microsoft/system (and not empty)
	$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname|
	where author -notlike '*Майкрософт*' | where author -ne $null |
	where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*'

	$job = Get-ScheduledJob

	# alternate data streams of the files in the current directory, excluding the default $DATA stream
	$ADS =  get-item * -stream * | where stream -ne ':$Data'

	$user = quser

	$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

	$runMachine =  Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

	$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
	$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
	"ScheduledJob", "AlternativeDataStream"

	for ($w = 0; $w -lt $array.count; $w++){
		$name = $arrayName[$w]
		# the target is quoted so that $name.txt is not parsed as a property access
		$array[$w] >> "$path\$name.txt"
		}

	}

}

To begin, create a function called CSIRT that takes one argument: the path where the collected data will be saved. Because most of the cmdlets used here require PowerShell v5, the PowerShell version is checked before anything else runs.

function CSIRT{

param($path)   # the directory for saving the results must be specified when the script is run
if ($psversiontable.psversion.major -ge 5)

To make it easier to navigate the created files, two variables are initialised: $date and $Computer, which hold the current date and the computer name. Together they form the name of the output directory.

$date = Get-Date -Format dd.MM.yyyy_HH_mm   # HH: 24-hour clock
$Computer = $env:COMPUTERNAME
$path = Join-Path $path "$Computer$date"
New-Item -Path $path -ItemType 'Directory' -Force | Out-Null

We obtain the list of processes running on behalf of the current user as follows: create a $process variable and assign it the output of the get-ciminstance cmdlet with the win32_process class. Using the Select-Object cmdlet you can choose additional output fields; in our case these are parentprocessid (the parent process ID, PPID), creationdate (the process creation time), processid (the process ID, PID), processname (the process name) and commandline (the command line it was started with).

$process = get-ciminstance -classname win32_process | Select-Object creationdate, processname, processid, commandline, parentprocessid

To obtain the list of all TCP connections and UDP endpoints, create the $netTCP and $netUDP variables by assigning them the output of the Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets, respectively. Note that UDP is connectionless, so Get-NetUDPEndpoint only reports the local address, local port and owning process; there is no remote address or connection state to select.

$netTCP = Get-NetTCPConnection | select-object creationtime, localaddress, localport, remoteaddress, remoteport, owningprocess, state

$netUDP = Get-NetUDPEndpoint | select-object creationtime, localaddress, localport, owningprocess

It is also important to obtain the list of scheduled tasks and scheduled jobs. For this we use the Get-ScheduledTask and Get-ScheduledJob cmdlets and assign their output to the $task and $job variables. Since a system initially contains many legitimate scheduled tasks, it makes sense to filter those out so that a malicious task stands out; the Select-Object and Where-Object cmdlets help with this.

$task = get-ScheduledTask | Select-Object author, actions, triggers, state, description, taskname| where author -notlike '*Майкрософт*' | where author -ne $null | where author -notlike '*@%systemroot%*' | where author -notlike '*microsoft*' # $task excludes authors containing "Майкрософт", "Microsoft" or "*@%systemroot%*", as well as "empty" authors
$job = Get-ScheduledJob

The NTFS file system has a feature called alternate data streams (ADS). This means that a file on NTFS can have several data streams of arbitrary size attached to it. With ADS, data can be hidden so that it is not visible during a normal inspection of the system. This makes it possible to hide malicious code and/or data inside otherwise harmless files.

To display alternate data streams in PowerShell, we use the get-item cmdlet with its built-in -stream parameter and the * wildcard to view all streams; for this we create the $ADS variable. Since get-item * is relative, the streams are enumerated for the directory the script is run from.

$ADS = get-item * -stream * | where stream -ne ':$Data'

It is useful to obtain the list of users logged on to the system; for this we create the $user variable and assign it the output of the quser system utility.

$user = quser

Attackers can make changes to autorun entries in order to gain persistence on the system. To view startup items, you can use the Get-ItemProperty cmdlet.
Let's create two variables: $runUser to view the autorun entries of the current user (HKCU) and $runMachine to view the autorun entries of the computer (HKLM).

$runUser = Get-ItemProperty "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
$runMachine = Get-ItemProperty "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"

So that all the information is written to separate files, we create an array of the collected variables and a matching array of file names.


$array = $process, $netTCP, $netUDP, $task, $user, $runUser, $runMachine, $job, $ADS
$arrayName = "Processes", "TCPConnect", "UDPConnect", "TaskScheduled", "Users", "RunUser", "RunMachine",
"ScheduledJob", "AlternativeDataStream"

Finally, a loop writes the collected data to the files, one file per array element.

for ($w = 0; $w -lt $array.count; $w++){
	$name = $arrayName[$w]
	$array[$w] >> "$path\$name.txt"   # quoted so $name.txt is not treated as a property access
}

After the script runs, 9 text files containing the required information are created in the output directory.
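The article describes remote collection but runs the function locally. As an added example (not code from the original article), the same collection is run on several endpoints over PowerShell Remoting, written as CSV so wide tables are not truncated to the console width, and each artifact is hashed on the endpoint before being copied back. The host names, C:\IR and the analyst's IR-Collect folder are assumptions; it requires WinRM to be enabled and local administrator rights on the targets.

```powershell
# Constructed target list and folders (assumptions, not from the article)
$Targets    = 'WS-LAB-01', 'WS-LAB-02'
$RemoteRoot = 'C:\IR'
$LocalRoot  = "$env:USERPROFILE\IR-Collect"

$Collector = {
    param($Root)
    if ($PSVersionTable.PSVersion.Major -lt 5) { throw 'PowerShell 5 or later is required' }
    $dir = Join-Path $Root ('{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'dd.MM.yyyy_HH_mm'))
    New-Item -Path $dir -ItemType Directory -Force | Out-Null

    # The same data sets as the CSIRT function, keyed by output file name
    $sets = [ordered]@{
        Processes     = Get-CimInstance Win32_Process |
                        Select-Object CreationDate, ProcessName, ProcessId, CommandLine, ParentProcessId
        TCPConnect    = Get-NetTCPConnection |
                        Select-Object CreationTime, LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess, State
        UDPConnect    = Get-NetUDPEndpoint | Select-Object CreationTime, LocalAddress, LocalPort, OwningProcess
        TaskScheduled = Get-ScheduledTask |
                        Where-Object { $_.Author -and $_.Author -notlike '*microsoft*' -and $_.Author -notlike '*@%systemroot%*' } |
                        Select-Object TaskName, Author, State, Description
        RunUser       = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        RunMachine    = Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    }
    foreach ($name in $sets.Keys) {
        # CSV keeps every column; >> to a text file drops columns that do not fit the console width
        $sets[$name] | Export-Csv -Path (Join-Path $dir "$name.csv") -NoTypeInformation
    }
    quser 2>$null | Out-File -FilePath (Join-Path $dir 'Users.txt')

    # Hash every artifact on the endpoint so changes in transit or at rest can be detected later
    Get-ChildItem -Path $dir -File | Get-FileHash -Algorithm SHA256 |
        Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
        Export-Csv -Path (Join-Path $dir 'manifest.csv') -NoTypeInformation
    return $dir
}

New-Item -Path $LocalRoot -ItemType Directory -Force | Out-Null
foreach ($t in $Targets) {
    $session   = New-PSSession -ComputerName $t
    $remoteDir = Invoke-Command -Session $session -ScriptBlock $Collector -ArgumentList $RemoteRoot
    # Pull the evidence folder back to the analyst workstation over the same session
    Copy-Item -Path $remoteDir -Destination $LocalRoot -FromSession $session -Recurse -Force
    Remove-PSSession $session
}
```

Re-running Get-FileHash on the copied files and comparing against manifest.csv confirms that the evidence arrived unchanged.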

Today, cybersecurity specialists can use PowerShell to quickly gather the information they need for a variety of tasks in their work. By adding such a script to startup, you can obtain the essential triage information without having to take memory dumps, disk images and so on.

Source: www.habr.com
