Incident Response - Identifying Suspicious DLL Services via PowerShell





This script uses WMI to retrieve each service's ACL and identifies DC (SERVICE_CHANGE_CONFIG), WD (WRITE_DAC) or WO (WRITE_OWNER) rights granted to principals other than the administrators group or LocalSystem.

Any one of these rights lets the user who holds it escalate to LocalSystem immediately.



```powershell
$DebugPreference = "Continue"

# Enumerate every installed service through WMI; run elevated so all descriptors are readable
$services = Get-WmiObject Win32_Service -EnableAllPrivileges

foreach ($srv in $services) {
    $sd = $srv.GetSecurityDescriptor()
    if ($sd.ReturnValue -ne 0) {
        Write-Debug ("Service: " + $srv.Name + "`tError " + $sd.ReturnValue)
        continue
    }

    # Convert the binary security descriptor to its SDDL text form
    $SDDL = ([wmiclass]"Win32_SecurityDescriptorHelper").Win32SDtoSDDL($sd.Descriptor).SDDL

    # Each ACE is enclosed in parentheses: (type;flags;rights;object_guid;inherit_guid;trustee)
    # -split with a character class works the same on Windows PowerShell and PowerShell 7
    foreach ($ACE in ($SDDL -split '[()]')) {
        $fields = $ACE.Split(";")
        if ($fields[0] -ne "A") {
            continue   # skip empty fragments and anything that is not an "access allowed" ACE
        }

        # $fields[2] holds the rights string, $fields[5] the trustee (SDDL alias or SID)
        $rights  = $fields[2]
        $trustee = $fields[5]

        if ($rights.Contains("WD") -or $rights.Contains("WO") -or $rights.Contains("DC")) {
            # Local Administrators (BA) and LocalSystem (SY) are expected to hold these rights
            if ($trustee -eq "BA" -or $trustee -eq "SY") {
                continue
            }

            # Resolve raw SIDs to account names; keep the SID if it cannot be mapped
            $PrincipalName = $trustee
            if ($PrincipalName.StartsWith("S-1-5-")) {
                try {
                    $SID = New-Object System.Security.Principal.SecurityIdentifier($trustee)
                    $PrincipalName = $SID.Translate([System.Security.Principal.NTAccount]).Value
                } catch {
                    $PrincipalName = $trustee
                }
            }

            Write-Host ("{0} - {1} - {2} - {3}" -f $srv.Name, $rights, $trustee, $PrincipalName)
        }
    }
}
```
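As an added example that is not part of the original post, the same triage logic written in Python so it can run offline over SDDL strings collected from hosts, for instance the text printed by `sc sdshow <service>` on Windows. It goes a little beyond the script above: it resolves the well-known SDDL trustee aliases, handles the hexadecimal access-mask form a rights field may take instead of two-letter codes, ignores access-denied ACEs and the SACL, and also flags GA (GENERIC_ALL), which implies the three rights the post names. The sample descriptors, service names and the domain SID are constructed for the example.

```python
import re
from dataclasses import dataclass

# Well-known SDDL trustee aliases that appear in service DACLs
SDDL_TRUSTEE_ALIASES = {
    "SY": "NT AUTHORITY\\SYSTEM",
    "BA": "BUILTIN\\Administrators",
    "BU": "BUILTIN\\Users",
    "AU": "NT AUTHORITY\\Authenticated Users",
    "IU": "NT AUTHORITY\\INTERACTIVE",
    "SU": "NT AUTHORITY\\SERVICE",
    "WD": "Everyone",
    "AN": "NT AUTHORITY\\ANONYMOUS LOGON",
    "NS": "NT AUTHORITY\\NETWORK SERVICE",
    "LS": "NT AUTHORITY\\LOCAL SERVICE",
}

# Rights that let the holder take over the service: the post's DC/WD/WO criterion,
# plus GA (GENERIC_ALL), which implies all three. Values are the Win32 access-mask bits.
DANGEROUS_BITS = {
    "DC": 0x00000002,   # SERVICE_CHANGE_CONFIG: rewrite binary path / account
    "WD": 0x00040000,   # WRITE_DAC: rewrite the DACL itself
    "WO": 0x00080000,   # WRITE_OWNER: take ownership, then rewrite the DACL
    "GA": 0x10000000,   # GENERIC_ALL
}

# Trustees that are expected to hold these rights on every service
TRUSTED = {"BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")


@dataclass
class Finding:
    service: str
    trustee: str      # SDDL alias or SID as written in the ACE
    principal: str    # resolved name where the alias is known
    rights: tuple     # dangerous right codes found in the ACE


def split_rights(rights: str) -> list:
    """A textual rights field is a run of two-letter codes, e.g. 'CCDCLCSWRPWPDTLOCRSDRCWDWO'."""
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def dangerous_rights(rights: str) -> list:
    """Return the dangerous right codes present in a rights field (text codes or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [code for code, bit in DANGEROUS_BITS.items() if mask & bit]
    return [code for code in split_rights(rights) if code in DANGEROUS_BITS]


def audit_service(name: str, sddl: str) -> list:
    """Flag access-allowed ACEs in the DACL that grant takeover rights to non-trusted trustees."""
    findings = []
    # Keep only the D:(...) section; owner, group and SACL (S:) sections are not relevant here
    m = re.search(r"D:(.*?)(?:S:|$)", sddl)
    if not m:
        return findings
    for ace in ACE_RE.findall(m.group(1)):
        fields = ace.split(";")
        if len(fields) < 6 or fields[0] != "A":
            continue  # only access-allowed ACEs grant anything; deny ACEs are skipped
        rights, trustee = fields[2], fields[5]
        if trustee in TRUSTED:
            continue
        hits = dangerous_rights(rights)
        if hits:
            principal = SDDL_TRUSTEE_ALIASES.get(trustee, trustee)
            findings.append(Finding(name, trustee, principal, tuple(hits)))
    return findings


# Constructed sample descriptors in the shape `sc sdshow` prints them
SAMPLE_SDDL = {
    # Healthy: only SY and BA hold DC/WD/WO; interactive and service users get read-style rights
    "Spooler": "O:SYG:SYD:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    # Weak: Authenticated Users may change the service configuration (DC)
    "VulnSvc": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPLOCRRC;;;AU)",
    # Weak: hex mask granting WRITE_DAC to a (constructed) domain SID; the deny ACE must not count
    "HexSvc": "D:(D;;WD;;;BU)(A;;0x40004;;;S-1-5-21-1111-2222-3333-1001)",
}


def audit_all(samples=None) -> dict:
    samples = SAMPLE_SDDL if samples is None else samples
    return {svc: audit_service(svc, sddl) for svc, sddl in samples.items()}


if __name__ == "__main__":
    for svc, findings in audit_all().items():
        for f in findings:
            print(f"{f.service} - {f.trustee} ({f.principal}) - {','.join(f.rights)}")
```

Feeding it real data is a matter of replacing `SAMPLE_SDDL` with a mapping of service name to the string `sc sdshow` returned for it; unresolved trustees are reported as their raw SID so they can be looked up against the directory afterwards.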



Reference:

https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces



Originally published on the WeChat public account (Khan Security Offense and Defense Lab): Incident Response - Identifying Suspicious DLL Services via PowerShell
