应急响应 - 通过PowerShell来识别可疑的DLL服务

Khan安全团队

发布于 2021-10-25 15:21:02

6200

发布于 2021-10-25 15:21:02

文章被收录于专栏：Khan安全团队Khan安全团队

该脚本使用WMI来获取服务的ACL，并识别非管理员的DC、WD或WO权限。

这些权限中的任何一个都允许持有该权限的用户立即提升到localsystem。

$DebugPreference = "Continue"
$services = (Get-WmiObject Win32_Service -EnableAllPrivileges)
foreach ($srv in $services)
{
    $sd = ($srv.GetSecurityDescriptor())
    if ($sd.ReturnValue -ne 0)
    {
        Write-Debug ("Service: "+$srv.name+"`tError "+$sd.ReturnValue) -ErrorAction SilentlyContinue
        continue
    }

    $SDDL = ([wmiclass]"win32_SecurityDescriptorHelper").Win32SDtoSDDL($sd.Descriptor).SDDL
    foreach ($ACE in $sddl.split("()"))
    {
        if ($ACE.Split(";")[0] -ne "A")
        {
            continue #as we have non "allow something" ACE
        }
    
        # we should have set of permissions in the $ACE.Split(";")[2] 
        # and the security principal (user/group/etc) in the $ACE.Split(";")[5]
        
        if ( ($ACE.Split(";")[2]).Contains("WD") -or ($ACE.Split(";")[2]).Contains("WO") -or ($ACE.Split(";")[2]).Contains("DC") )
        {
            if ( (($ACE.Split(";")[5]) -eq "BA") -or (($ACE.Split(";")[5]) -eq "SY"))# we do not care about local administrators and localsystem as they should have such permissions
            {
                continue
            }
            $PrincipalName = ($ACE.Split(";")[5])
            if ($PrincipalName.StartsWith("S-1-5-"))
            {
                $SID = New-Object System.Security.Principal.SecurityIdentifier(($ACE.Split(";")[5]))
                $PrincipalName = $SID.Translate([System.Security.Principal.NTAccount]).Value
            }
            Write-Host $srv.Name - $ACE.Split(";")[2] - $ACE.Split(";")[5] - $PrincipalName
        } 
    }
}

参考：

https://support.microsoft.com/en-us/help/914392/best-practices-and-guidance-for-writers-of-service-discretionary-acces

本文参与腾讯云自媒体分享计划，分享自微信公众号。

原始发表：2021-10-17，如有侵权请联系 cloudcommunity@tencent.com 删除

wmi