IT asset inventory with standard Windows tools and minimal access rights

Colleagues, in the previous article we discussed how to work effectively with Windows audit events. But building an integrated information-security management system takes more than a timely response to cyber incidents: first of all we need to understand exactly what we are protecting. A correct threat and attacker model, a cyber-risk management system, vulnerability management and many other security processes all rest on one foundation: IT asset management. A clear view of the infrastructure, covering software and hardware, their interactions and dependencies, is the key to a competent cyber defence. In this technical article we show how to inventory IT assets while implementing the principle of least privilege, using the remote registry, WMI and WinRM.





Introduction

Asset management is the process of identifying, recording and keeping up to date information about the organisation's assets: hardware (servers, workstations, network and mobile devices), software (operating systems, applications, services) and the information they process, together with owners, locations, dependencies and value to the business. The requirement to keep such an inventory appears in practically every standard and regulation: ISO 27001:2013 has control A.8.1.1 "Inventory of assets"; NIST SP 800-53 has CM-8 "System component inventory" and PM-5 "System inventory"; the NIST Cybersecurity Framework has the subcategories ID.AM-1 (physical devices and systems) and ID.AM-2 (software platforms and applications); NIST SP 1800-5 "IT Asset Management" is a practical guide to building an IT asset management system; and national regulation such as Order No. 239 lists an asset inventory among the mandatory measures as well.





The classic store for this information is a CMDB (Configuration Management Database), which holds configuration items (CI: hardware, software, network components, documents) and the relationships between them. An IT Asset Management (ITAM) system extends the CMDB with the lifecycle view: procurement, licences, cost, owner, support and decommissioning. For the security team the important part is an accurate and current inventory, which means collecting the data from the hosts themselves rather than maintaining it by hand.





To populate a CMDB/ITAM system, the collector (an agent or a network scanner) has to read data from every Windows host in the infrastructure, and the usual practice is to run it under an account with local administrator rights on every host, which is exactly what the "least privilege" principle forbids. In this article we show which rights are actually sufficient for an inventory and how to grant only those (and how to audit their use).





Giving the inventory account administrative rights on every host is dangerous, and not only because of the damage a compromised scanner could do directly. Every host the scanner logs on to is a place where its credentials can be captured: a scan leaves a footprint on each target, and an attacker who has taken over any single Windows host simply waits for the scanner's next visit. Windows credentials are replayable: the NTLM hash or Kerberos tickets that lsass.exe caches can be reused from another host (Pass-the-Hash, Pass-the-Ticket), so an administrator-level scanning account turns one compromised workstation into a compromise of everything it scans. Two things limit the damage: the account gets only the rights the inventory really needs (least privilege), and it logs on over the network (logon type 3), which, without delegation or CredSSP, leaves no reusable credential material in lsass.exe on the target.





In the examples below the scanning account is domain.local\Scan, an ordinary domain user with no local or domain administrator rights, and the target host is pcname.domain.local, a domain-joined Windows machine. The account is a member of Protected Users, which means: Kerberos only (NTLM, Digest and CredSSP are refused), a TGT lifetime of 4 hours instead of the default 10, AES-only Kerberos encryption (no RC4/DES), no delegation and no cached logon credentials. Since the account cannot use NTLM, targets must be addressed by their DNS name, not by IP address: Windows falls back to NTLM for IP addresses, while Kerberos needs the name to build the service principal, so Active Directory DNS must resolve every target.





We look at three standard Windows channels: the remote registry, WMI and WinRM. Current Windows versions also offer PowerShell Remoting constrained endpoints and Just Enough Administration, but since legacy hosts such as Windows Server 2003 and Windows XP still turn up in inventories, we cover the remote registry and WMI over DCOM in addition to WMI over WinRM.





1. Remote registry

The Remote Registry service exposes the registry over the network with access controlled by the DACLs on the keys, so the scanning account can be limited to read access on exactly the keys the inventory needs (installed software, OS version, and so on), and the data is human-readable.





1) Preparing the target host

  1. Network access from the scanning host to the target: TCP 135 (MS RPC) and 445 (SMB; the remote registry is the \pipe\winreg named pipe, and the same ports let compmgmt.msc connect to the remote host).





  2. Start the Remote Registry service (RemoteRegistry); on current Windows versions it is disabled by default.





  3. , .





  4. The DACL of the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg decides who may connect to the remote registry at all: grant the scanning account Read on this key. Read access on the keys it will query (see the example below) is still governed by the DACLs of those keys.





  5. The REG_MULTI_SZ value Machine under HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths lists registry paths (with their subkeys) that are reachable remotely even without access to the winreg key from step 4; it is set by the GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - Network access: Remotely accessible registry paths and sub-paths. The neighbouring AllowedExactPaths (exact keys only, without subkeys) corresponds to Network access: Remotely accessible registry paths. Keep both lists minimal, and never add HKLM\Security\Cache (cached domain credentials), HKLM\SAM\SAM (local account password hashes) or HKLM\Security\Policy\Secrets (LSA secrets).





  6. Review the ACL of the Remote Registry service (RemoteRegistry) itself, so that the scanning account can use the service but not reconfigure or stop it.
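The following check, added here and not part of the original article, verifies steps 1-6 on a target host: service state, the scanning account's rights on the winreg key, the AllowedPaths/AllowedExactPaths lists, and whether any of the credential hives named in step 5 is exposed. Run it locally on the target (or through Invoke-Command). The function name Test-RemoteRegistryExposure is mine, and DOMAIN\Scan is assumed to be the NetBIOS form of domain.local\Scan.

```powershell
# Added example (not from the original article): check the remote-registry prerequisites.
function Test-RemoteRegistryExposure {
    param(
        [string]$ScanAccount = 'DOMAIN\Scan'   # assumption: NetBIOS name of domain.local\Scan
    )
    $winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
    $svc    = Get-Service -Name RemoteRegistry -ErrorAction Stop
    $svcWmi = Get-CimInstance -ClassName Win32_Service -Filter "Name='RemoteRegistry'"

    # Who may open the remote registry at all is decided by the DACL of the winreg key
    $acl     = Get-Acl -Path $winreg
    $scanAce = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ScanAccount -and $_.AccessControlType -eq 'Allow'
    }

    # AllowedPaths / AllowedExactPaths: REG_MULTI_SZ value "Machine" under each subkey
    $allowed = (Get-ItemProperty -Path "$winreg\AllowedPaths").Machine
    $exact   = (Get-ItemProperty -Path "$winreg\AllowedExactPaths" -ErrorAction SilentlyContinue).Machine

    # Paths that must never be reachable remotely: they hold credential material
    $forbidden = 'Security\Cache', 'SAM\SAM', 'Security\Policy\Secrets'
    $leaks = @($allowed + $exact) | Where-Object {
        $path = $_
        $forbidden | Where-Object { $path -like "*$_*" }
    }

    [pscustomobject]@{
        ServiceStatus         = $svc.Status
        ServiceStartMode      = $svcWmi.StartMode
        ScanAccountRights     = ($scanAce | ForEach-Object { $_.RegistryRights }) -join ', '
        AllowedPaths          = $allowed
        AllowedExactPaths     = $exact
        SensitivePathsExposed = $leaks
        ReadyForInventory     = [bool]($svc.Status -eq 'Running' -and $scanAce -and -not $leaks)
    }
}

Test-RemoteRegistryExposure | Format-List
```

ReadyForInventory is true only when the service runs, the scanning account has an explicit Allow ACE on winreg and no credential hive is listed; the remaining fields are there so the output can be stored alongside the inventory as evidence of the host's configuration.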





2) Collecting data

With that in place, installed software can be listed from the Uninstall key of the remote registry with the .NET registry API, for example:





$pcname = 'pcname.domain.local'
# PowerShell does not use backslash escapes, so single backslashes are correct here.
# 32-bit applications on 64-bit Windows live under SOFTWARE\WOW6432Node\...\Uninstall.
$InstalledSoftwareKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'

# Open HKLM on the remote host through the Remote Registry service (\pipe\winreg over SMB)
$InstalledSoftware = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $pcname)
$RegistryKey = $InstalledSoftware.OpenSubKey($InstalledSoftwareKey)

$list = foreach ($key in $RegistryKey.GetSubKeyNames()) {
    $thisSubKey = $InstalledSoftware.OpenSubKey("$InstalledSoftwareKey\$key")
    $name = $thisSubKey.GetValue('DisplayName')
    # Entries without a DisplayName are patches or hidden components; skip them
    if ($name) {
        [PSCustomObject]@{
            DisplayName     = $name
            DisplayVersion  = $thisSubKey.GetValue('DisplayVersion')
            DisplayIcon     = $thisSubKey.GetValue('DisplayIcon')
            InstallLocation = $thisSubKey.GetValue('InstallLocation')
        }
    }
    $thisSubKey.Close()
}
$RegistryKey.Close()
$InstalledSoftware.Close()

$list | Format-List *
      
      



Note that the WMI class Win32_Product (e.g. Get-WmiObject -Class Win32_Product) is not a substitute: it lists only products installed by Windows Installer, and every enumeration makes Windows Installer run a consistency check of each package, which is slow and may trigger package repairs. It also requires access through WMI (or WinRM), which is the subject of the next sections.





3) Auditing access

Enable Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Object Access \ Audit Registry (Success), and put a SACL (the Auditing tab of the key's permissions) for the scanning account on the keys it reads, e.g. the Uninstall key.





Once the GPO applies, every access by the scanning account through the Remote Registry service (RemoteRegistry, hosted in svchost.exe) is recorded in the Security log as EventID 4663 (An attempt was made to access an object) with the account, the key and the access requested.





2. WMI over DCOM

WMI (Windows Management Instrumentation) is Microsoft's implementation of WBEM/CIM and has been available since Windows 98. Its classes and providers are the main source of inventory data. Over DCOM, WMI works on Windows XP and 2003/2008 out of the box, unlike WinRM, which on those versions has to be installed and configured separately.





1) Preparing the target host

 1. Network access: WMI uses DCOM, i.e. MS RPC: TCP 135 for the endpoint mapper plus a dynamically assigned high TCP port for the DCOM session. The dynamic range can be narrowed in Component Services (dcomcnfg): My Computer, Properties, Default Protocols, properties of "Connection-oriented TCP/IP" (the range should still contain at least a few hundred ports, the documented minimum being 1000).





On Windows Server 2008 and later, WMI can instead be bound to a fixed TCP port: in Component Services (dcomcnfg) open Computers, My Computer, DCOM Config, "Windows Management and Instrumentation", Properties, Endpoints tab, Properties of the TCP/IP protocol, select "Use static endpoint" and enter the port, e.g. TCP 31000.





Before that, WMI must be moved out of the shared svchost into its own process:





winmgmt -standalonehost





and the Windows Management Instrumentation service (winmgmt) restarted:





net stop winmgmt /yes && net start winmgmt





Allow the fixed port TCP 31000 in Windows Firewall, e.g. with a rule named "WMIFixedPort":





netsh advfirewall firewall add rule name="WMIFixedPort" dir=in action=allow protocol=TCP localport=31000 enable=yes profile=domain









winmgmt -sharedhost

returns winmgmt to the shared host and undoes the fixed port; the firewall rule should then be removed as well.





 2. The Windows Management Instrumentation service (winmgmt) must be running.





 3. Group membership. The scanning account needs nothing beyond Domain Users; the permissions below are granted to the account itself, not to broad groups such as Authenticated Users or Interactive. Remember that Authenticated Users (SID S-1-5-11) contains both user accounts and computer accounts, so a right granted to it is granted to every domain machine too. (For local accounts in the Administrators group, UAC remote restrictions additionally filter the token on network logons; this does not affect domain accounts such as ours.)





 4. WMI namespace permissions. In wmimgmt.msc (WMI Control, Properties, Security tab) select the "Root" namespace and grant the scanning account "Enable account" and "Remote enable", inherited by the subnamespaces. "Execute method" is needed only for the classes whose methods the inventory calls (e.g. StdRegProv in root\default) and should be granted only on those namespaces.





Note that not every namespace inherits from "Root": for example Root\CIMV2\Security\MicrosoftVolumeEncryption, which holds the BitLocker data, has its own DACL that has to be edited separately.





Where the GUI is not available, or the same settings must be replicated to many hosts, the security descriptor (SD) of a WMI namespace can be exported and imported. The SD of "Root" is exported with:





wmic /namespace:\\root /output:"C:\folder\sd.txt" path __systemsecurity call getSD





The output file contains the SD as a byte array:





SD = {1, 0, 4, 128, 148, 0, 0, 0, ... 0}





which can be applied on another host with a VBS script:





' strSD is the byte array printed by getSD, pasted verbatim
strSD = array(1,0,4,128,148,0,0,0,...0)
' Connect to the local Root namespace and write the descriptor back
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)
wscript.echo "SetSD returned " & nStatus   ' 0 means success
      
      



Save it as a .vbs file and run it with cscript on the target. The same works for any namespace whose DACL does not inherit from "Root", e.g. MicrosoftVolumeEncryption:





wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:"C:\folder\sd.txt" path __systemsecurity call getSD









' strSD is the byte array exported from the same namespace on the reference host
strSD = array(1,0,4,128,148,0,0,0,...0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2\Security\MicrosoftVolumeEncryption")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)
wscript.echo "SetSD returned " & nStatus   ' 0 means success
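The same getSD/setSD procedure can be done from PowerShell without pasting a byte array by hand. The script below is an added example, not code from the original article: it reads the namespace descriptor, shows it as SDDL, adds one inheritable ACE that grants exactly Enable Account and Remote Enable (plus Execute Methods when asked for), and writes it back only with -Apply. The function names, and DOMAIN\Scan as the NetBIOS form of domain.local\Scan, are my assumptions; run it as a local administrator on the target.

```powershell
# Added example (not from the original article): least-privilege ACE on a WMI namespace.
# WMI namespace access rights, from wbemcli.h
$WBEM_ENABLE         = 0x01   # "Enable account"
$WBEM_METHOD_EXECUTE = 0x02   # "Execute method"
$WBEM_REMOTE_ACCESS  = 0x20   # "Remote enable"

function Get-WmiNamespaceDescriptor {
    param([string]$Namespace = 'root')
    # GetSD returns the self-relative security descriptor as a byte array
    $sd = (Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name GetSD).SD
    [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$sd, 0)
}

function Grant-WmiNamespaceAccess {
    param(
        [string]$Namespace = 'root',
        [string]$Account   = 'DOMAIN\Scan',   # assumption: NetBIOS form of domain.local\Scan
        [switch]$AllowMethodExecution,        # add Execute Methods (needed e.g. for StdRegProv)
        [switch]$Apply                        # without it only the resulting SDDL is shown
    )
    $sid  = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    $mask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    if ($AllowMethodExecution) { $mask = $mask -bor $WBEM_METHOD_EXECUTE }

    $rsd      = Get-WmiNamespaceDescriptor -Namespace $Namespace
    $existing = $rsd.DiscretionaryAcl | Where-Object { $_.SecurityIdentifier -eq $sid }
    if (-not $existing) {
        # ContainerInherit: the ACE flows down to sub-namespaces (root\cimv2, root\default, ...)
        $ace = [System.Security.AccessControl.CommonAce]::new(
            [System.Security.AccessControl.AceFlags]::ContainerInherit,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $mask, $sid, $false, $null)
        $rsd.DiscretionaryAcl.InsertAce($rsd.DiscretionaryAcl.Count, $ace)
    }

    if ($Apply -and -not $existing) {
        $bytes = New-Object byte[] $rsd.BinaryLength
        $rsd.GetBinaryForm($bytes, 0)
        $r = Invoke-WmiMethod -Namespace $Namespace -Path '__SystemSecurity=@' -Name SetSD -ArgumentList (,$bytes)
        if ($r.ReturnValue -ne 0) { throw "SetSD on $Namespace failed with $($r.ReturnValue)" }
    }
    # The new ACE appears as (A;CI;0x21;;;S-1-5-21-...), or 0x23 with Execute Methods
    $rsd.GetSddlForm('All')
}

# Inspect first, then apply; repeat for namespaces that do not inherit from root
Grant-WmiNamespaceAccess -Namespace 'root'
Grant-WmiNamespaceAccess -Namespace 'root' -Apply
Grant-WmiNamespaceAccess -Namespace 'root\default' -AllowMethodExecution -Apply
Grant-WmiNamespaceAccess -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' -Apply
```

The function is idempotent: if an ACE for the SID already exists it changes nothing, so it can run from a deployment script on every host. The mask is written as a hex number in SDDL because the WMI rights have no SDDL abbreviations; 0x21 is Enable Account plus Remote Enable, nothing more.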
      
      



5. DCOM permissions





Because WMI runs over DCOM, the scanning account also needs DCOM permissions on the target. Instead of adding it to the local "Distributed COM Users" group, which covers all DCOM applications, grant it only what WMI needs:

1) In the GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax, grant the account "Remote Access".





This is stored in the registry under HKLM\Software\Policies\Microsoft\Windows NT\DCOM as the value MachineAccessRestriction, an SDDL string.





Locally the same is done in dcomcnfg: My Computer, Properties, COM Security tab, Access Permissions, "Edit Limits...", "Remote Access".





2) In the GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax, grant the account "Remote Launch" and "Remote Activation".





This is stored under HKLM\Software\Policies\Microsoft\Windows NT\DCOM as the value MachineLaunchRestriction, an SDDL string.





Locally: dcomcnfg, My Computer, Properties, COM Security tab, Launch and Activation Permissions, "Edit Limits...", "Remote Launch" and "Remote Activation".





3) On the DCOM application "Windows Management and Instrumentation" itself: Component Services (dcomcnfg), Computers, My Computer, DCOM Config, "Windows Management and Instrumentation", Properties, Security tab; grant the account "Remote Launch" and "Remote Activation" under Launch and Activation Permissions and "Remote Access" under Access Permissions (the Local variants are not needed for a remote inventory, and Configuration Permissions stay untouched).





6. WMI impersonation and authentication levels.





When a WMI provider reads data on behalf of a remote caller, the security context it works under and the protection of the traffic between the caller and the WMI service are governed by two DCOM settings.





Both are negotiated between client and server, and the effective level is the stronger of the two requested, so it is worth setting them on the target as well as on the scanner.





 1) The impersonation level defines how far the provider may act under the caller's identity. The level that WMI needs is "Impersonate" (the provider acts as the caller on the local machine, but cannot pass the identity on to other hosts, unlike "Delegate"). The registry value "Default Impersonation Level" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting should be "3" (Impersonate); this is the WMI default.





The machine-wide DCOM default, however, is "Identify", and it can be raised to "Impersonate": Component Services (dcomcnfg), My Computer, Properties, Default Properties tab, "Default Impersonation Level".





Or set the DWORD value "LegacyImpersonationLevel" to "3" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, which is the same setting ("Impersonate").





 2) The authentication level defines how the traffic is protected: from no authentication, through per-packet integrity, to encryption of every packet. The WMI service asks for "Connect" by default; raise it to "Packet Privacy", so that WMI/DCOM traffic is encrypted: Component Services (dcomcnfg), Computers, My Computer, DCOM Config, "Windows Management and Instrumentation", Properties, General tab, "Authentication Level".





The Application ID (App ID) of "Windows Management and Instrumentation" can be found on the same General tab (dcomcnfg, Computers, My Computer, DCOM Config, "Windows Management and Instrumentation", Properties, General, Application ID).





In the registry this is the DWORD value AuthenticationLevel under HKLM\SOFTWARE\Classes\AppID\{Application ID}; "6" means Packet Privacy.





The machine-wide DCOM default authentication level is "Connect"; it can be raised to Packet Privacy for all applications: Component Services (dcomcnfg), My Computer, Properties, Default Properties tab, "Default Authentication Level".





Or set the DWORD value "LegacyAuthenticationLevel" to "6" under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole, which is the same setting ("Packet Privacy").





7. Restart the Windows Management Instrumentation service (winmgmt) after changing the DCOM settings.





2) Collecting data

WMI classes are queried with the "wmic" utility (Windows Management Instrumentation Command-line) or the PowerShell cmdlet Get-WmiObject; the examples below show both. Note that wmic is deprecated and no longer installed by default in the newest Windows releases, so new scripts should prefer PowerShell.





A few examples of WMI queries useful for an inventory.





The network adapters of pcname.domain.local with Get-WmiObject:





Get-WmiObject -ComputerName pcname.domain.local -Class Win32_NetworkAdapter | format-list Name





or, using the PowerShell aliases, shorter:





gwmi -cn pcname.domain.local Win32_NetworkAdapter| fl Name





The same with wmic instead of PowerShell:





wmic /node:"pcname.domain.local" path Win32_NetworkAdapter get name





Here "path Win32_NetworkAdapter" names the WMI class directly. wmic also has aliases for common classes:









wmic /node:"pcname.domain.local" nic get name





"nic" is the wmic alias for Win32_NetworkAdapter. The full list of aliases is printed by wmic alias list full ; the alias for a given class (here "nic") is found with: wmic alias list brief | findstr /I nic





"get *" returns all properties of the class, and /format selects the output format, e.g. one property=value per line:





wmic /node:"pcname.domain.local" os get * /format:value





The output can be written straight to a file in the chosen format:





wmic /node:"pcname.domain.local" /output:"c:\folder\file.html" computersystem list full /format:htable (HTML table)





wmic /node:"pcname.domain.local" /output:"c:\folder\file.csv" path Win32_OperatingSystem get * /format:csv (CSV)





Aliases also support the "list" verb with predefined property sets:





wmic /node:"pcname.domain.local" nic list brief (short summary)





wmic /node:"pcname.domain.local" nic list status (status properties)





wmic /node:"pcname.domain.local" nic list full /every:5 (full list, repeated every 5 seconds)





The available list formats of an alias are shown by: wmic aliasname list /? (where aliasname is the alias, e.g. nic)





WQL (WMI Query Language) conditions filter the result, e.g. physical adapters only:





wmic /node:"pcname.domain.local" nic WHERE PhysicalAdapter='true' get * /format:value









wmic /node:"pcname.domain.local" path Win32_NetworkAdapter WHERE PhysicalAdapter='true' get * /format:value





and in PowerShell:





gwmi -cn pcname.domain.local -Query "Select * from Win32_NetworkAdapter WHERE PhysicalAdapter='true' " | fl *





By default both PowerShell and wmic work in the Root\Cimv2 namespace, where most inventory classes live. Other namespaces have to be selected explicitly; for example the BitLocker status of the volumes is in the MicrosoftVolumeEncryption namespace:





wmic /node:"pcname.domain.local" /namespace:"\\Root\CIMV2\Security\MicrosoftVolumeEncryption" path Win32_EncryptableVolume get * /format:list





gwmi -cn pcname.domain.local -namespace:"Root\CIMV2\Security\MicrosoftVolumeEncryption" -class Win32_EncryptableVolume | fl *





BIOS and system information from the Root\wmi namespace:





wmic /node:"pcname.domain.local" /namespace:"\\Root\wmi" path MS_SystemInformation get * /format:value





gwmi -cn pcname.domain.local -namespace:"Root\wmi" -class MS_SystemInformation | fl *





Antivirus products registered with Windows Security Center are listed from the Root\SecurityCenter namespace (Windows XP/2003) or Root\SecurityCenter2 (Windows Vista/2008 and later); these namespaces exist on client editions only, not on Windows Server:





wmic /node:"pcname.domain.local" /namespace:"\\Root\SecurityCenter2" path AntivirusProduct get * /format:value





gwmi -cn pcname.domain.local -namespace:"Root\SecurityCenter2" -class AntivirusProduct | fl *





wmic can take the list of targets from a file and run as an explicit account, but a password given on the command line ends up in the process creation events, console history and any process listing, so prefer running the scanner under the account itself:





wmic /node:@pclist.txt /user:domain.local\Scan /password:P@$$w0rd CommandName





Calling WMI methods requires the "Execute method" permission on the namespace (for the examples below on Root\default). A harmless and useful one is GetStringValue of the StdRegProv class, which reads a registry value through WMI rather than through the Remote Registry service; here the last logged-on user:





with wmic:





wmic /node:"pcname.domain.local" /NameSpace:\\root\default Class StdRegProv Call GetStringValue sSubKeyName="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI" sValueName="LastLoggedOnSAMUser" | findstr "sValue"





and with PowerShell, reading several values at once:





$hklm = 2147483650   # HKEY_LOCAL_MACHINE as StdRegProv expects it (0x80000002)
$key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$values = 'LastLoggedOnUser', 'LastLoggedOnUserSID', 'LastLoggedOnDisplayName'

# Bind to the StdRegProv class once; each GetStringValue call is one remote method invocation
$wmi = Get-WmiObject -List StdRegProv -Namespace root\default -ComputerName pcname.domain.local
foreach ($value in $values) {
    $result = $wmi.GetStringValue($hklm, $key, $value)
    [PSCustomObject]@{ Value = $value; Data = $result.sValue; ReturnValue = $result.ReturnValue }   # ReturnValue 0 = success
}
      
      



Some methods go well beyond reading, above all Create of Win32_Process, which starts a program on the target. For a non-administrator to create processes through WMI the account additionally needs SeRestorePrivilege (the "Restore files and directories" user right, Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment - Restore files and directories); without it Create fails with "Return Value=8". This right is anything but harmless: it lets its holder write any file or registry key regardless of the DACL, i.e. it is a direct path to full control of the host, so it should be granted only where running commands through WMI is truly necessary for the inventory, and its use must be audited (see below).





Running a command through WMI:





wmic /node:"pcname.domain.local" path Win32_Process Call Create "cmd.exe /c C:\folder\batch.bat" (runs a batch file on the target)





Invoke-WmiMethod -ComputerName pcname.domain.local -Class Win32_process -Name Create -ArgumentList 'cmd /c schtasks /run /tn "task1" ' (runs the scheduled task "task1" on the target)





A popular extension of an inventory is hashing the executables of running processes and checking the hashes against threat intelligence (Cyber Threat Intelligence feeds). To read the executable path of processes running under other accounts, the scanning account needs SeDebugPrivilege (the "Debug programs" user right, Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment - Debug programs). This right lets its holder open any process on the host, including LSA (lsass.exe), which is exactly how mimikatz extracts credentials. As with SeRestorePrivilege, grant it only where required and audit its use.





Executable paths of the running processes:





wmic /node:"pcname.domain.local" path Win32_Process get ExecutablePath









gwmi win32_process -ComputerName pcname.domain.local | fl ExecutablePath





With SeRestorePrivilege and SeDebugPrivilege, and the "Enable account", "Remote enable" and "Execute method" WMI permissions, a hash inventory of the running executables is collected into a file on the target like this:





Invoke-WmiMethod -ComputerName pcname.domain.local -Class Win32_Process -Name Create -ArgumentList 'powershell.exe -command "get-process | where-object {$_.Path} | select-object -expandproperty Path -unique | foreach-object {Get-FileHash $_ -Algorithm SHA256} | fl * | out-file C:\folder\$env:COMPUTERNAME.$(get-date -format HH-mm-ss.dd.MM.yyyy).txt" '





The hashes can then be looked up through the VirusTotal API, for example with the legacy v2 file report endpoint (the current API is v3; the public API is also rate-limited, so batch the lookups):





Invoke-RestMethod -Method 'POST' -Uri "https://www.virustotal.com/vtapi/v2/file/report?apikey=$VTApiKey&resource=$item"





(VTApiKey is a VirusTotal Community API key, item is the SHA-256 hash of the file). Hashes of standard Windows binaries can also be compared with a catalogue such as xCyclopedia. Such extensions cost two dangerous privileges and the "Execute method" WMI permission, so decide per organisation whether the gain is worth it, and grant them only on the hosts where this data is really collected.





3) Auditing WMI access

WMI namespace access is audited after enabling Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Object Access \ Audit other object access events (Success).





In addition, a SACL (an audit entry) for the scanning account has to be set on the WMI namespace.





The SACL is edited in the same Security dialog of wmimgmt.msc as the DACL (Advanced, Auditing tab), or exported and imported with the VBS approach above, since the SD contains both. Once set, every access by the scanning account through the Windows Management Instrumentation service (winmgmt) is recorded in the Security log as EventID 4662 (An operation was performed on an object) with the namespace and the WMI operation.





Processes created through WMI are visible after enabling "Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Detailed Tracking \ Audit Process Creation" together with "Computer Configuration \ Administrative Templates \ System \ Audit Process Creation - Include command line in process creation events": the Security log then shows EventID 4688 with the new process, its command line and its parent, which for WMI is C:\Windows\System32\wbem\WmiPrvSE.exe.





Use of SeRestorePrivilege is audited by "Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Privilege Use \ Audit Sensitive Privilege Use" (Success); note that file and registry operations performed with the backup and restore privileges are only logged when the security option "Computer Configuration\Windows Settings\Security Settings\Local Policies \ Security Options \ Audit: Audit the use of Backup and Restore privilege" is enabled as well, which produces a large volume of events. The Security log then shows EventID 4674 (An operation was attempted on a privileged object).





Logons that receive SeDebugPrivilege are audited by "Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration \ Audit Policies \ Logon/Logoff \ Audit Special Logon" (Success): the Security log shows EventID 4672 (Special privileges assigned to new logon) listing the privileges.
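The events named in this section (4663 for the remote registry, 4662 for WMI namespaces, 4688 for processes created through WMI, 4674 and 4672 for the two privileges) are the audit trail of the inventory account, and the same 4688 events cover the WinRM host processes used in the WinRM and remote-shell sections that follow. The script below is an added example, not part of the original article: it parses Security events into a flat object and flags a process start that did not come through one of the management host processes, which for an inventory account should never happen. ConvertFrom-SecurityEvent works on event XML, so the constructed sample event at the end runs offline; Get-ScanAccountActivity feeds it from the live Security log. The function names and the account name Scan are mine.

```powershell
# Added example (not from the original article): read the inventory account's audit trail.
function ConvertFrom-SecurityEvent {
    param([Parameter(Mandatory)][xml]$EventXml)
    $e = $EventXml.Event
    $d = @{}
    foreach ($item in $e.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        TimeCreated = [datetime]$e.System.TimeCreated.SystemTime
        EventId     = [int]$e.System.EventID
        Subject     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
        Object      = $(if ($d['NewProcessName']) { $d['NewProcessName'] } else { $d['ObjectName'] })
        Parent      = $d['ParentProcessName']   # present in 4688 since Windows 10 / Server 2016
        CommandLine = $d['CommandLine']
        Privileges  = $d['PrivilegeList']
    }
}

# Host processes through which the inventory channels run: WMI, PowerShell Remoting, WinRS
$ManagementHosts = 'WmiPrvSE.exe', 'wsmprovhost.exe', 'winrshost.exe'

function Test-ManagementHostParent {
    param([string]$ParentProcessName)
    foreach ($h in $ManagementHosts) { if ($ParentProcessName -like "*\$h") { return $true } }
    return $false
}

function Get-ScanAccountActivity {
    param([string]$Account = 'Scan', [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4662, 4663, 4688, 4672, 4674
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SecurityEvent -EventXml ([xml]$_.ToXml()) } |
        Where-Object { $_.Subject -like "*\$Account" } |
        Select-Object *, @{ n = 'Unexpected'; e = {
            # a 4688 whose parent is not a management host means the account ran
            # something outside WMI/WinRM, e.g. a child of the batch file it launched
            $_.EventId -eq 4688 -and -not (Test-ManagementHostParent $_.Parent) } }
}

# Constructed sample event (not captured from a real host): cmd.exe started via WMI by DOMAIN\Scan
$Sample4688 = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4688</EventID><TimeCreated SystemTime="2024-01-01T10:00:00.000Z"/></System>
  <EventData>
    <Data Name="SubjectUserName">Scan</Data>
    <Data Name="SubjectDomainName">DOMAIN</Data>
    <Data Name="NewProcessName">C:\Windows\System32\cmd.exe</Data>
    <Data Name="CommandLine">cmd.exe /c C:\folder\batch.bat</Data>
    <Data Name="ParentProcessName">C:\Windows\System32\wbem\WmiPrvSE.exe</Data>
  </EventData>
</Event>
'@
$ev = ConvertFrom-SecurityEvent -EventXml ([xml]$Sample4688)
$ev | Format-List                          # Subject DOMAIN\Scan, Parent ...\wbem\WmiPrvSE.exe
Test-ManagementHostParent $ev.Parent       # True: the process came through the WMI provider host
```

On a host where the policies above are not enabled the live query simply returns nothing, which is itself a finding: an inventory account with SeRestorePrivilege or SeDebugPrivilege and no audit trail is the configuration to avoid.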





Finally, WMI is not only an inventory channel: it is also used by attackers for reconnaissance, lateral movement and fileless persistence, so its activity should be monitored beyond the scanning account. Two papers that describe the attack side of WMI:





https://www.blackhat.com/docs/us-14/materials/us-14-Kazanciyan-Investigating-Powershell-Attacks-WP.pdf





https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management-Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf





3. WMI (CIM) over WinRM

On Windows 7/2008 R2 and later, the same WMI classes, i.e. the Common Information Model (CIM) classes, can be queried over Windows Remote Management (WinRM, Microsoft's implementation of WS-Management, Web Services for Management) with the PowerShell cmdlets Get-CimInstance and Invoke-CimMethod, which replace Get-WmiObject and Invoke-WmiMethod. The CIM cmdlets can use either DCOM or WSMan as transport, and Test-WSMan shows whether a host answers WS-Management. Windows 8/2012 ship WinRM 3.0, Windows 7/2008 R2 WinRM 2.0; on Windows XP/2003/2008 WinRM is not built in with a current WS-Management version and has to be installed and updated separately. For the firewall, WinRM is much simpler than DCOM: one fixed port instead of 135 plus a dynamic range.





WS-Management traffic between Windows hosts is SOAP over HTTP on TCP 5985 (the old WinRM 1.1 on Vista/2008 used TCP 80), with the message body encrypted by WinRM using the Kerberos (or NTLM) session key, so plain HTTP does not mean plaintext. Over HTTPS, TCP 5986 (TCP 443 on old versions), TLS with a server certificate protects the transport instead; in a domain with Kerberos the HTTP listener is acceptable, and HTTPS is the choice for non-domain hosts.





WinRM is enabled with winrm qc -q, which starts the Windows Remote Management (WS-Management) service, creates an HTTP listener on TCP 5985 and adds a firewall exception for it. In a domain this is better done with the GPO Computer Configuration \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service - Allow remote server management through WinRM, with the IPv4/IPv6 filters set to the address of the scanning host rather than "*". The firewall rule can also be created explicitly, restricted to the scanner's address:





netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in action=allow protocol=TCP localport=5985 remoteip=X.X.X.X enable=yes profile=domain





where X.X.X.X is the address of the scanning host.





The WinRM configuration is shown by winrm get winrm/config , the listeners by winrm enumerate winrm/config/listener , and the WS-Management identity of a host by winrm id . Note that winrm qc does more than an inventory needs: the listener it creates can be removed again with winrm delete winrm/config/Listener?Address=*+Transport=HTTP , and it also enables the Windows Remote Shell (WinRS), which gives a command prompt on the host. WinRS is disabled by the GPO "Computer Configuration / Administrative Templates / Windows Components / Windows Remote Shell / Allow Remote Shell Access - Disabled" or with winrm set winrm/config/winrs @{AllowRemoteShellAccess="false"} .





WinRM permissions. The built-in group "Remote Management Users" (Windows 8/2012 and later; some versions also had a "WinRMRemoteWMIUsers__" group) grants access to WinRM as a whole, including PowerShell Remoting, which is more than an inventory needs. Instead, grant the scanning account access to the CIM plugin only, whose security descriptor is edited with:





winrm configsddl http://schemas.dmtf.org/wbem/wscim/1/cim-schema





In the dialog grant "Read" (Get, Enumerate, Subscribe), which is what Get-CimInstance needs, and "Execute" (Invoke) only if Invoke-CimMethod is needed.





The WMI namespace permissions still apply on top: Get-CimInstance needs "Enable account" and "Remote enable" on the namespace, Invoke-CimMethod needs "Execute method". What changes is only the transport (TCP 5985 instead of DCOM); the SeRestorePrivilege requirement for Win32_Process Create remains.





The CIM plugin's descriptor is stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider in the value ConfigXML, an XML document containing the SDDL string (and the Architecture element), so it can be distributed to many hosts through GPO registry preferences. Two detailed descriptions of the WinRM security model:





https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=10





https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/





The Windows Remote Management (WS-Management) service (WinRM) must be running and the listener present on the target.





A CIM query, e.g. network adapters:





Get-CimInstance -ComputerName pcname.domain.local -Class Win32_NetworkAdapter





Method invocation, with the same SeRestorePrivilege and SeDebugPrivilege requirements as over DCOM:





Invoke-CimMethod -ComputerName pcname.domain.local -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'powershell.exe -command "get-process | where-object {$_.Path} | select-object -expandproperty Path -unique | foreach-object {Get-FileHash $_ -Algorithm SHA256} | fl * | out-file C:\folder\$env:COMPUTERNAME.$(get-date -format HH-mm-ss.dd.MM.yyyy).txt" ' }





Auditing is the same as for WMI over DCOM: with a SACL on the namespace, Get-CimInstance produces Security EventID 4662; with process creation auditing and command line logging, Invoke-CimMethod ... Create produces EventID 4688 with WmiPrvSE.exe as the parent.
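The individual queries of the previous two sections come together in the collector below, an added example and not code from the original article. It prefers WSMan (TCP 5985) and falls back to DCOM, where it requests Packet Privacy and Impersonate on the client side, the same two levels configured on the server in the DCOM section, so a misconfigured target cannot negotiate the session down. Installed software is read through StdRegProv methods, which needs "Execute method" on root\default but not the Remote Registry service, and covers the 32-bit WOW6432Node view too. The function names and pcname.domain.local are my assumptions; the caller runs as domain.local\Scan, so the target is addressed by FQDN for Kerberos.

```powershell
# Added example (not from the original article): inventory collector over CIM.
function New-InventoryCimSession {
    param([Parameter(Mandatory)][string]$ComputerName)
    if (Test-WSMan -ComputerName $ComputerName -ErrorAction SilentlyContinue) {
        return New-CimSession -ComputerName $ComputerName          # WSMan, TCP 5985
    }
    # No WinRM (legacy host or not configured): DCOM, but insist on encryption and impersonation
    $opt = New-CimSessionOption -Protocol Dcom -PacketPrivacy $true -Impersonation Impersonate
    New-CimSession -ComputerName $ComputerName -SessionOption $opt
}

function Get-InstalledSoftware {
    # Uninstall entries via StdRegProv (root\default), 64- and 32-bit views
    param([Parameter(Mandatory)]$Session)
    $HKLM = [uint32]2147483650
    $reg  = @{ CimSession = $Session; Namespace = 'root\default'; ClassName = 'StdRegProv' }
    foreach ($base in 'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                      'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall') {
        $keys = (Invoke-CimMethod @reg -MethodName EnumKey -Arguments @{ hDefKey = $HKLM; sSubKeyName = $base }).sNames
        foreach ($k in $keys) {
            $get = { param($v) (Invoke-CimMethod @reg -MethodName GetStringValue `
                        -Arguments @{ hDefKey = $HKLM; sSubKeyName = "$base\$k"; sValueName = $v }).sValue }
            $name = & $get 'DisplayName'
            if (-not $name) { continue }   # patches and hidden components have no DisplayName
            [pscustomobject]@{ DisplayName = $name; DisplayVersion = (& $get 'DisplayVersion'); Key = $k }
        }
    }
}

function Get-HostInventory {
    param([Parameter(Mandatory)][string]$ComputerName)
    $s = New-InventoryCimSession -ComputerName $ComputerName
    try {
        $os  = Get-CimInstance -CimSession $s -ClassName Win32_OperatingSystem
        $cs  = Get-CimInstance -CimSession $s -ClassName Win32_ComputerSystem
        $nic = Get-CimInstance -CimSession $s -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
        [pscustomobject]@{
            ComputerName = $cs.Name
            Transport    = $s.Protocol                           # WSMAN or DCOM
            OS           = "$($os.Caption) $($os.Version)"
            LastBoot     = $os.LastBootUpTime
            Hardware     = "$($cs.Manufacturer) $($cs.Model)"
            Adapters     = $nic | ForEach-Object { "$($_.Description): $($_.MACAddress) $($_.IPAddress -join ',')" }
            Software     = Get-InstalledSoftware -Session $s
        }
    } finally { Remove-CimSession -CimSession $s }
}

Get-HostInventory -ComputerName pcname.domain.local | Format-List
```

Everything the collector touches is read-only apart from the StdRegProv calls, so the account needs "Enable account" and "Remote enable" on root (inherited), "Execute method" on root\default only, and neither of the two dangerous privileges discussed above.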





4. Special cases

Some CIM/WMI providers need more than the namespace permissions, because they obtain their data from other Windows subsystems that have access control of their own. Two that come up in every inventory are installed updates and Windows services; for each, the extra permission is granted to the scanning account directly, in the subsystem concerned.





4.1. Installed updates

The class win32_QuickFixEngineering (installed updates and hotfixes) is served through the Windows Modules Installer COM server (TrustedInstaller), so the scanning account also needs DCOM permissions on the application "Trusted Installer Service": in Component Services (dcomcnfg), Computers, My Computer, DCOM Config, "Trusted Installer Service", Properties, Security tab, grant "Remote Launch" and "Remote Activation" under Launch and Activation Permissions and "Remote Access" under Access Permissions. The Application ID of "Trusted Installer Service" is shown on its General tab; the same permissions are stored under HKLM\SOFTWARE\Classes\AppID\{Application ID} as the binary values AccessPermission and LaunchPermission, which can be deployed to many hosts with a GPO registry preference. The Windows Modules Installer service (TrustedInstaller) itself must not be disabled. Queries:





wmic /node:"pcname.domain.local" qfe list full /format:table









gwmi -ComputerName pcname.domain.local -Class win32_QuickFixEngineering | fl *









Get-CimInstance -ComputerName pcname.domain.local -Class win32_QuickFixEngineering | fl *





4.2. Windows services

Win32_Service enumerates services through the Service Control Manager (SCM), whose default security descriptor lets non-administrators connect but not enumerate services remotely, so the scanning account must be granted that right explicitly.





First find the SID of the scanning account, e.g. with wmic (the Domain property of Win32_UserAccount is the NetBIOS domain name, DOMAIN, not the DNS name domain.local):





wmic useraccount where (name="Scan" and domain="DOMAIN") get sid





Then read the current security descriptor of the SCM:





sc sdshow scmanager





The output is an SDDL string; by default it looks like this:





D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)





Add an ACE for the scanning account:





(A;;CCLCRPRC;;;[SID]) , where [SID] is the SID of the scanning account found above.





The ACE allows ("A;;") the following SCM rights: CC - SC_MANAGER_CONNECT, LC - SC_MANAGER_ENUMERATE_SERVICE, RP - SC_MANAGER_QUERY_LOCK_STATUS, RC - READ_CONTROL. This is the same set the default descriptor grants to interactive users (IU).





Insert it into the DACL part ("D:") of the string, before the SACL part ("S:"):





D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;[SID])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)





and apply the new descriptor:





sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;[SID])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)





The SCM descriptor is persisted as the binary value "Security" under HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security, so the same setting can be deployed to many hosts by GPO once it has been set on one. Each service also has a descriptor of its own (shown by sc sdshow <service name>); most grant read access to Authenticated Users, but services that do not will be missing from the inventory until they get a similar ACE.
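The same change as a script, added here and not part of the original article, so that the ACE is built from the account's real SID and inserted only once: Add-ScmAce is a pure string function that returns the new SDDL (unchanged if an Allow ACE for the SID already exists), and Grant-ScmReadAccess reads the current descriptor with sc.exe sdshow, shows the result, and applies it with sc.exe sdset only when -Apply is given. The function names are mine, DOMAIN\Scan is assumed to be the NetBIOS form of domain.local\Scan, and the script must run as a local administrator on the target.

```powershell
# Added example (not from the original article): grant the scan account read access to the SCM.
function Add-ScmAce {
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [Parameter(Mandatory)][string]$Sid,
        [string]$Rights = 'CCLCRPRC'   # connect, enumerate services, query lock status, read control
    )
    # Idempotent: an existing Allow ACE for this SID is left alone
    if ($Sddl -match "\(A;;[A-Z]*;;;$([regex]::Escape($Sid))\)") { return $Sddl }
    $ace  = "(A;;$Rights;;;$Sid)"
    $sacl = $Sddl.IndexOf('S:')
    if ($sacl -lt 0) { return $Sddl + $ace }   # no SACL part: append to the DACL
    return $Sddl.Insert($sacl, $ace)           # otherwise insert before "S:"
}

function Grant-ScmReadAccess {
    param([string]$Account = 'DOMAIN\Scan', [switch]$Apply)
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value
    # sc sdshow prints an empty line followed by the SDDL string
    $current = (sc.exe sdshow scmanager | Where-Object { $_ -match '^D:' }).Trim()
    $new = Add-ScmAce -Sddl $current -Sid $sid
    if ($new -eq $current) { Write-Verbose "SCM already grants access to $Account"; return $current }
    if ($Apply) {
        sc.exe sdset scmanager $new | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "sc sdset failed with exit code $LASTEXITCODE" }
    }
    $new
}

# Review first, then apply
Grant-ScmReadAccess
Grant-ScmReadAccess -Apply
```

Add-ScmAce can be unit-tested offline against the default descriptor shown above: the result contains one additional (A;;CCLCRPRC;;;S-1-5-21-...) entry immediately before S:, and running it a second time on its own output returns the string unchanged.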





After that the services can be enumerated:





wmic /node:"pcname.domain.local" path Win32_Service get /format:list









gwmi -ComputerName pcname.domain.local -Class Win32_Service | fl *









Get-CimInstance -ComputerName pcname.domain.local -ClassName Win32_Service | fl *





5. PowerShell Remoting and Windows Remote Shell

Both run over WinRM and both give the caller a full shell on the target, which is far beyond what an inventory needs; they are described here because they are enabled together with WinRM and have to be controlled. Enable-PSRemoting (PowerShell Remoting) and winrm qc (Windows Remote Shell) both start the Windows Remote Management (WS-Management) service, create the TCP 5985 listener and the firewall rule, and both are governed by the WinRM permissions described in section 3.





5.1. PowerShell Remoting

5.1. PowerShell Remoting grants access by default to Administrators and to "Remote Management Users". To grant the scanning account access to the default endpoint without adding it to that group, edit the endpoint's security descriptor:





Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI





and grant "Read" (Get, Enumerate, Subscribe) and "Execute" (Invoke).





The descriptor is stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell in the value ConfigXML, an XML document containing the SDDL string (and the Architecture element), so it can be deployed by GPO like the CIM plugin's.





An interactive PowerShell Remoting session is opened with





Enter-PSSession -ComputerName pcname.domain.local





which gives a PowerShell prompt on the remote host, comparable to a remote cmd.





Single commands or script blocks are run with Invoke-Command, e.g.





Invoke-Command -ComputerName pcname.domain.local -ScriptBlock {Get-Culture}





Invoke-Command -ComputerName pcname.domain.local -ScriptBlock {ipconfig}





With process creation auditing and command line logging enabled, the Security log shows EventID 4688 with parent C:\Windows\System32\wsmprovhost.exe. Since a PowerShell session can run arbitrary code, not just processes, also enable script block logging: "Computer Configuration \ Administrative Templates \ Windows Components \ Windows PowerShell - Turn on PowerShell Script Block Logging" (with the "Log script block invocation start / stop events" checkbox if the volume is acceptable); the executed code is then recorded in the Microsoft-Windows-PowerShell/Operational log (EventID 4104), and session activity in Microsoft-Windows-WinRM/Operational.





Remember that Enter-PSSession and Invoke-Command run arbitrary commands on the remote host: for an inventory account that is a very big power!
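Where PowerShell Remoting has to be used, the least-privilege alternative mentioned in the introduction is a constrained endpoint with Just Enough Administration (Windows Management Framework 5.0 and later). The script below is an added example, not code from the original article: it publishes an endpoint named Inventory that exposes only read-only inventory cmdlets to the scanning account, runs them under a temporary virtual account, and records a transcript of every session. The endpoint, module and role names are mine, and DOMAIN\Scan is assumed to be the NetBIOS form of domain.local\Scan; run it as a local administrator on the target.

```powershell
# Added example (not from the original article): JEA endpoint for read-only inventory.
$module = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\Inventory'
$rcDir  = Join-Path $module 'RoleCapabilities'
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $module 'Inventory.psd1')   # role capabilities must live in a module

# Role capability: the only cmdlets (and parameters) the role may run. Nothing that
# creates processes, writes to the registry or invokes CIM methods is visible.
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'InventoryReader.psrc') `
    -VisibleCmdlets @(
        @{ Name = 'Get-CimInstance'
           Parameters = @{ Name = 'ClassName' }, @{ Name = 'Namespace' }, @{ Name = 'Filter' }, @{ Name = 'Property' } },
        @{ Name = 'Get-Service' },
        @{ Name = 'Get-HotFix' },
        @{ Name = 'Get-ItemProperty'
           Parameters = @{ Name = 'Path'
                           ValidatePattern = '^HKLM:\\SOFTWARE\\(WOW6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Uninstall' } }
    ) `
    -VisibleProviders Registry

# Session configuration: RestrictedRemoteServer (no script language, no Invoke-Expression),
# a per-session virtual account (so DOMAIN\Scan itself holds no local rights), transcripts.
$pssc = Join-Path $module 'Inventory.pssc'
New-PSSessionConfigurationFile -Path $pssc -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'DOMAIN\Scan' = @{ RoleCapabilities = 'InventoryReader' } }
if (-not (Test-PSSessionConfigurationFile -Path $pssc)) { throw 'invalid session configuration file' }
Register-PSSessionConfiguration -Name Inventory -Path $pssc -Force | Out-Null

# From the scanning host, as DOMAIN\Scan, only the Inventory endpoint is reachable:
# Invoke-Command -ComputerName pcname.domain.local -ConfigurationName Inventory `
#     -ScriptBlock { Get-CimInstance -ClassName Win32_OperatingSystem; Get-Service }
```

Note the trade-off: the virtual account is a local administrator on the target, so the SCM, TrustedInstaller and WMI namespace permissions of the previous sections are no longer needed, and the privilege boundary is now the list of visible cmdlets and their parameter validation. Keep that list read-only, and remove the scanning account from the default Microsoft.PowerShell endpoint, otherwise the constrained endpoint is just an alternative.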





5.2. Windows Remote Shell 

Access to the Windows Remote Shell is granted in the WinRM root descriptor, edited with





winrm configSDDL default





where, as before, "Read" (Get, Enumerate, Subscribe) and "Execute" (Invoke) are granted to the scanning account.





This descriptor is stored under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service in the value rootSDDL, an SDDL string.





WinRS itself must be allowed, either by the GPO "Computer Configuration / Administrative Templates / Windows Components / Windows Remote Shell / Allow Remote Shell Access - Enabled" or with winrm set winrm/config/winrs @{AllowRemoteShellAccess="true"}.





An interactive Windows Remote Shell session is opened with





winrs -r:pcname.domain.local cmd





which gives a cmd prompt on the remote host.





Single commands are run the same way, e.g.





winrs -r:pcname.domain.local netstat -nao





winrs -r:pcname.domain.local tasklist





winrs -r:pcname.domain.local powershell  -command "get-culture"





With process creation auditing and command line logging enabled, these appear in the Security log as EventID 4688 with parent C:\Windows\System32\winrshost.exe.





Standard Windows tools therefore allow a complete inventory without administrative rights, but the configuration is spread over many places (registry ACLs, WMI namespace descriptors, DCOM, SCM, WinRM plugins) and has to be deployed consistently, kept in sync and audited. In a large infrastructure this is easier with a specialised product: the asset management module of the Security Vision platform collects the same data from MS Windows with exactly these techniques and under exactly these rights. Whichever way the data is collected, run the collector under a dedicated account, preferably a gMSA (Group Managed Service Account), whose long password is rotated automatically and never has to be typed into a command line.







