Lately, because of the pandemic, everyone is working from home. To provide remote access, some small offices skipped the VPN and simply set up port forwarding on the firewall straight to port 3389 on the server. And for various reasons the firewall does not restrict the source IP either, so the result is that anyone on the internet can reach it. Even if the external port is changed to some obscure high number, for a scanner that is only a matter of time; it adds very little security.
豆子 ran into exactly this kind of problem today. A clinic's server kept rebooting; after logging in, I found the security log full of all kinds of failed authentication events. And the server had no security software installed at all; it was running completely bare.
Reading this by eye is inconvenient, so here is a simple script to query the server's log:
```powershell
function get-hacker {
    # Pull the last 1000 failed logons (Security event 4625)
    $eventCriteria = @{ LogName = 'Security'; Id = 4625 }
    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000
    # Remote variant, if you run this from a management host:
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Iterate through each one of the XML message properties
        For ($i = 0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) {
            # Append these as object properties (TargetUserName, IpAddress, ...)
            Add-Member -InputObject $Event -MemberType NoteProperty -Force `
                -Name  $eventXML.Event.EventData.Data[$i].name `
                -Value $eventXML.Event.EventData.Data[$i].'#text'
        }
    }
    $Events | Select-Object TimeCreated, TargetUserName, IpAddress
}

$result = get-hacker
```
The result is shown below: you can see the other side tried a number of different user names, but no IP address is displayed.
No need to panic. In the corresponding Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational log we can see the real IP address, as shown below; and while we watch, the other side is still scanning away, trying to brute-force the password with a dictionary.
A slight modification of the script above, rescanning this log:
```powershell
function get-hacker {
    # Event 140 in the RdpCoreTS log: a connection failed because the
    # user name or password was wrong. Unlike 4625, it records the client IP.
    $eventCriteria = @{ LogName = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational'; Id = 140 }
    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # This event carries a single data field holding the client's IP address
        Add-Member -InputObject $Event -MemberType NoteProperty -Force `
            -Name IP -Value $eventXML.Event.EventData.Data.'#text'
    }
    $Events
}

$result = get-hacker
$result | Select-Object TimeCreated, IP | Group-Object IP
```
You can see that the malicious scanning came from these 6 addresses.
The clinic's router is such junk that it cannot take a firewall policy, so I simply created a new rule in the Windows Firewall and blocked these IP addresses.
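The rule can be created from PowerShell as well. The block below is an added example, not code from the original post: it creates an inbound Block rule named 'blacklist' scoped to the offending sources and then checks what actually landed on the rule. The addresses are constructed placeholders from the RFC 5737 documentation ranges standing in for the six real ones; the rule name is the one the later script in this post expects.

```powershell
# Added example: create the inbound block rule used later in this post.
# The addresses are constructed placeholders (RFC 5737 documentation ranges),
# not the real scanners seen on the clinic server.
$badIps = @('198.51.100.7', '198.51.100.23', '203.0.113.45')

# In Windows Firewall a Block rule takes precedence over Allow rules, so the
# built-in Remote Desktop allow rule can stay as it is. No port is specified:
# everything from these sources is dropped, not just 3389.
New-NetFirewallRule -DisplayName 'blacklist' `
    -Description 'Sources seen brute-forcing RDP' `
    -Direction Inbound -Action Block -Profile Any -Enabled True `
    -RemoteAddress $badIps | Out-Null

# Verify the scope that ended up on the rule
Get-NetFirewallRule -DisplayName 'blacklist' |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# The rule only matters if the firewall is actually on for the active profile;
# on a box that has been "running bare" this is worth checking explicitly.
Get-NetFirewallProfile | Select-Object Name, Enabled
```

Run it from an elevated prompt; managing the firewall needs administrator rights.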
Scanning the log again afterwards, no new failure events appeared, which shows the block is working.
Then I installed antivirus software, which cleaned out a pile of malicious files.
A while later, new IPs showed up scanning, so I tidied up the script a little so that it can add IPs to the firewall rule automatically.
```powershell
function get-hacker {
    Param (
        # Name of the event log to query
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true, Position = 0)]
        [string] $name,
        # Event ID to filter on
        [int] $id
    )
    $eventCriteria = @{ LogName = $name; Id = $id }
    $Events = Get-WinEvent -FilterHashtable $eventCriteria -MaxEvents 1000
    #$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventCriteria

    # Parse out the event message data
    ForEach ($Event in $Events) {
        # Convert the event to XML
        $eventXML = [xml]$Event.ToXml()
        # Event 140 carries a single data field: the client IP
        Add-Member -InputObject $Event -MemberType NoteProperty -Force `
            -Name IP -Value $eventXML.Event.EventData.Data.'#text'
    }
    $Events
}

$result = get-hacker -name 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' -id 140
# Distinct, non-empty source addresses seen in the log
$ip = $result | Select-Object TimeCreated, IP | Group-Object IP |
    Select-Object -ExpandProperty Name | Where-Object { $_ }

function Add-MvaNetFirewallRemoteAdressFilter {
    <#
    .SYNOPSIS
    This function adds one or more ipaddresses to the firewall remote address filter
    .DESCRIPTION
    With the default Set-NetFirewallAddressFilter you can set an address filter for a firewall rule.
    You can not use it to add a ip address to an existing address filter. The existing address filter
    will be replaced by the new one. The Add-MvaNetFirewallRemoteAdressFilter function will add the
    ip address. Which is very usefull when there are already many ip addresses in de address filter.
    .PARAMETER fwAddressFilter
    This parameter conntains the AddressFilter that you want to change.
    It accepts pipeline output from the command Get-NetFirewallAddressFilter
    .PARAMETER IPaddresses
    This parameter is mandatory and can contain one or more ip addresses. You can also use a subnet.
    .EXAMPLE
    Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses 192.168.5.5
    Add a single IP address to the remote address filter of the firewall rule 'Test-Rule'
    .EXAMPLE
    Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses 192.168.5.5, 192.168.6.6, 192.168.7.0/24
    Add multiple IP address to the remote address filter of the firewall rule 'Test-Rule'
    .LINK
    https://get-note.net/2018/12/31/edit-firewall-rule-scope-with-powershell/
    .INPUTS
    Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter
    .OUTPUTS
    None
    .NOTES
    You need to be Administator to manage the firewall.
    #>
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true, Mandatory = $True)]
        [psobject]$fwAddressFilter,
        # One or more addresses (or subnets) to add to the remote scope
        [Parameter(Position = 0, Mandatory = $True, HelpMessage = "Enter one or more IP Addresses.")]
        [string[]]$IPAddresses
    )
    process {
        try {
            #Get the current list of remote addresses
            [string[]]$remoteAddresses = $fwAddressFilter.RemoteAddress
            Write-Verbose -Message "Current address filter contains: $remoteAddresses"
            #Add new ip address to the current list; a keyword scope ('Any' etc.) is replaced outright
            if ($remoteAddresses -in 'Any', 'LocalSubnet', 'LocalSubnet6', 'PlayToDevice') {
                $remoteAddresses = $IPAddresses
            }
            else {
                $remoteAddresses += $IPAddresses
            }
            #set new address filter
            $fwAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress $remoteAddresses -ErrorAction Stop
            Write-Verbose -Message "New remote address filter is set to: $remoteAddresses"
        }
        catch {
            $PSCmdlet.ThrowTerminatingError($PSitem)
        }
    }
}

# The 'blacklist' rule must already exist as an inbound Block rule.
$current = Get-NetFirewallRule -DisplayName 'blacklist' | Get-NetFirewallAddressFilter
$lists   = $current | Select-Object -ExpandProperty RemoteAddress

# Collect every address not yet in scope and add them in ONE call. $current is a
# snapshot of the filter, so calling the function once per IP would re-read the
# stale RemoteAddress list each time and overwrite the previous addition.
$new = @()
foreach ($i in $ip) {
    if ($lists -contains $i) {
        Write-Host "$i is already in the scope of blacklist" -ForegroundColor Green
    }
    else {
        $new += $i
    }
}
if ($new.Count -gt 0) {
    $current | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses $new
}
```
That's the temporary band-aid fix done; later a new router needs to be set up to replace their antique.