Colleagues, in the previous article we discussed how to process Windows audit events effectively. Building an integrated information security management system, however, requires not only responding to cyber incidents in time, but first of all understanding exactly what we are protecting. A correct threat and intruder model, a cyber-risk management system, vulnerability management and many other security processes all rest on one basic foundation: IT asset management. A clear picture of the infrastructure, with a description of the software and hardware and of how they interact and depend on each other, is the key to a competent cyber-defence system. In this technical article we show how to inventory IT assets with the Remote Registry, WMI and WinRM while implementing the principle of least privilege.
Introduction
Asset management (Asset Management) is the foundation on which the other security processes stand, and the obligation to keep an inventory of assets is written into the standards: ISO/IEC 27001:2013, control A.8.1.1 "Inventory of assets"; NIST SP 800-53, controls CM-8 "System component inventory" and PM-5 "System inventory"; the NIST Cybersecurity Framework, subcategories ID.AM-1 and ID.AM-2; and the practice guide NIST SP 1800-5 "IT Asset Management", which describes how to build such a system. The Russian regulatory documents cited at this point (among them Order No. 239) impose the same requirement.
In practice the collected information lives in a CMDB (Configuration Management Database), whose records are CIs (Configuration Items): hardware, software, network equipment, their attributes and the relationships between them. A CMDB is one component of IT asset management (ITAM, IT Asset Management), which also covers the financial, contractual and lifecycle side of the assets.
Whatever CMDB/ITAM tool is used, it needs an account with which it collects data from the hosts (for Windows hosts in this article), and that account should be granted exactly the rights the collection requires and nothing more: the "least privilege" principle. The rest of the article is about what those rights are.
The choice of account matters for the same reason that attackers love inventory and monitoring systems: the account touches every host. Each logon leaves a footprint on the target, and credential material cached by lsass.exe (NTLM hashes, Kerberos tickets) can be replayed in Pass-the-Hash and Pass-the-Ticket attacks; a scanning account that is a local administrator everywhere therefore turns a single compromised host into a compromise of the whole estate. Network logons, which Remote Registry, WMI and WinRM with Kerberos use, do not leave reusable secrets in lsass.exe on the target, unlike interactive or RDP logons, but whatever rights the account holds on the target belong to whoever steals it. Hence least privilege: give the account only what the inventory actually needs, so that its compromise buys the attacker nothing "extra".
In the examples below the scanning account is domain.local\Scan and the target is pcname.domain.local, a domain-joined Windows host. Put the account into the Protected Users group: members cannot authenticate with NTLM, their Kerberos TGTs live 4 hours instead of 10, only AES is used and they cannot be delegated, which limits what a stolen credential is good for. Always address targets by DNS name rather than IP address: with an IP address Windows falls back from Kerberos to NTLM, which Protected Users forbids, so the connection simply fails; keep the Active Directory DNS records in order.
On current Windows the preferred way to expose narrowly scoped management to a service account is PowerShell Remoting with constrained endpoints (Just Enough Administration), but real estates still contain Windows Server 2003 and Windows XP, so this article covers the three mechanisms that work almost everywhere: Remote Registry, WMI over DCOM and WMI over WinRM.
1. Remote Registry
(The rights below are ultimately DACLs on registry keys; they are given in human-readable GPO form where one exists.)
1) Configuration
Network: TCP 135 (MS RPC endpoint mapper) and TCP 445 (SMB, the named pipe through which compmgmt.msc, "Computer Management", connects to a remote host via Action - "Connect to another computer").
The Remote Registry service (RemoteRegistry) must be running on the target host.
, .
Remote access to the registry is gated by the ACL of the key HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg: grant the scanning account Read on this key. The keys it then reads are still protected by their own DACLs.
Exceptions to that check are the lists in HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths (value Machine, REG_MULTI_SZ) and ...\winreg\AllowedExactPaths. Paths listed there are reachable remotely even by accounts with no access to the winreg key (subject only to the keys' own ACLs), so keep them minimal. They are managed with GPO: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - "Network access: Remotely accessible registry paths and sub-paths" (AllowedPaths) and "Network access: Remotely accessible registry paths" (AllowedExactPaths). Never add the hives that hold secrets: HKLM\Security\Cache (cached domain credentials), HKLM\SAM\SAM (the local account database) and HKLM\Security\Policy\Secrets (LSA secrets).
Also review the security descriptor of the Remote Registry service (RemoteRegistry) itself (sc sdshow RemoteRegistry), which governs who may query, start and stop it.
2) Usage
With the rights above, the list of installed software is read from the Uninstall key, for example in PowerShell:
# Installed-software inventory via Remote Registry (HKLM\...\Uninstall).
# Needs TCP 135/445, the RemoteRegistry service on the target and Read on the winreg key.
$list = @()
$pcname = 'pcname.domain.local'
# Both the native and the WOW6432Node key, otherwise 32-bit applications on x64 hosts are missed
$InstalledSoftwareKeys = @(
    'SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)
$InstalledSoftware = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $pcname)
try {
    foreach ($InstalledSoftwareKey in $InstalledSoftwareKeys) {
        $RegistryKey = $InstalledSoftware.OpenSubKey($InstalledSoftwareKey)
        if (-not $RegistryKey) { continue }   # WOW6432Node does not exist on 32-bit hosts
        foreach ($key in $RegistryKey.GetSubKeyNames()) {
            $thisSubKey = $RegistryKey.OpenSubKey($key)
            $displayName = $thisSubKey.GetValue('DisplayName')
            if (-not $displayName) { $thisSubKey.Close(); continue }   # patches and components have no name
            $list += [PSCustomObject]@{
                ComputerName    = $pcname
                DisplayName     = $displayName
                DisplayVersion  = $thisSubKey.GetValue('DisplayVersion')
                DisplayIcon     = $thisSubKey.GetValue('DisplayIcon')
                InstallLocation = $thisSubKey.GetValue('InstallLocation')
            }
            $thisSubKey.Close()
        }
        $RegistryKey.Close()
    }
} finally {
    $InstalledSoftware.Close()   # always release the remote handle
}
$list | Format-List *
Note that the WMI class Win32_Product (e.g. Get-WmiObject -Class Win32_Product) is not a substitute: querying it makes Windows Installer run a consistency check, and possibly a repair, of every installed MSI package, which is slow and can have side effects on the host, and it only sees MSI-based installations anyway. The Uninstall key is the right source, whether read through the Remote Registry or, as shown later, through the StdRegProv WMI class over DCOM or WinRM.
3) Auditing
Enable Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Registry (Success), and set a SACL (auditing entries) on the keys being read, e.g. for the scanning account with Read access.
After the GPO is applied, reads performed through the Remote Registry service (RemoteRegistry, which runs in svchost.exe and impersonates the caller) appear in the Security log as EventID 4663 with the scanning account as the subject, the key as the object name and the accesses requested.
2. WMI over DCOM
WMI (Windows Management Instrumentation) has been part of Windows since Windows 98 and is available on every version still likely to be found in an estate. Classically it is accessed over DCOM; WMI over WinRM (Section 3) needs a newer stack and is not available on Windows XP/2003 and the original Windows Server 2008.
1) Configuration
1. Network. WMI over DCOM uses MS RPC: TCP 135 for the endpoint mapper plus a dynamically assigned TCP port. The dynamic range is set in Component Services (dcomcnfg): My Computer - Properties - Default Protocols - Connection-oriented TCP/IP - Properties (a dedicated range of about 1000 ports is typical).
Alternatively, from Windows Server 2008 on, WMI can be pinned to a fixed port. In dcomcnfg open Component Services - Computers - My Computer - DCOM Config - "Windows Management and Instrumentation" - Properties - Endpoints, select "Connection-oriented TCP/IP" - Properties, choose the radio button "Use static endpoint" and enter the port, e.g. TCP 31000. Then move WMI into its own service host:
winmgmt -standalonehost
and restart the WMI service ("Windows Management Instrumentation", winmgmt) so that the change takes effect:
net stop winmgmt /yes && net start winmgmt
Open TCP 31000 in Windows Firewall, for example with a rule named WMIFixedPort:
netsh advfirewall firewall add rule name="WMIFixedPort" dir=in action=allow protocol=TCP localport=31000 enable=yes profile=domain
winmgmt -sharedhost
returns WMI to the shared service host; restart winmgmt afterwards and remove the firewall rule.
2. The WMI service ("Windows Management Instrumentation", winmgmt) must be running on the target.
3. Check which built-in groups the scanning account falls into, because default DACLs grant rights to broad groups such as Domain Users, Authenticated Users and Interactive. Authenticated Users (SID S-1-5-11) includes computer accounts as well as user accounts, so anything granted to it reaches further than intended. For local (non-domain) accounts remember that remote connections receive a UAC-filtered token.
4. WMI namespace permissions. For read-only inventory the account needs "Enable account" and "Remote enable" on the namespace; calling methods additionally needs "Execute method". Set them in wmimgmt.msc - WMI Control - Properties - Security - Root - Security, for "this namespace and subnamespaces".
Not every namespace inherits the permissions of "Root": Root\CIMV2\Security\MicrosoftVolumeEncryption, which holds BitLocker status, has its own DACL, so rights must be granted on it separately.
The rights can also be set without the GUI by reading and writing the namespace security descriptor (SD) through the __SystemSecurity class. First dump the current SD of "Root" to a file:
wmic /namespace:\\root /output:"C:\folder\sd.txt" path __systemsecurity call getSD
The file contains the SD as an array of bytes:
SD = {1, 0, 4, 128, 148, 0, 0, 0, ... 0}
To apply the same SD on another host, copy the array into a VBS script that writes it back:
strSD = array(1,0,4,128,148,0,0,0,...0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)
and run the .vbs on the target Windows host. The same works for any namespace whose DACL does not inherit from "Root", e.g. MicrosoftVolumeEncryption:
wmic /namespace:\\root\CIMV2\Security\MicrosoftVolumeEncryption /output:"C:\folder\sd.txt" path __systemsecurity call getSD
strSD = array(1,0,4,128,148,0,0,0,...0)
set namespace = createobject("wbemscripting.swbemlocator").connectserver(,"root\CIMV2\Security\MicrosoftVolumeEncryption")
set security = namespace.get("__systemsecurity=@")
nStatus = security.setsd(strSD)
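The same procedure for "Root" and for MicrosoftVolumeEncryption in PowerShell, as an added example that is not part of the original article: it reads the namespace security descriptor through the same __SystemSecurity class, appends an access-allowed ACE for the scanning account carrying exactly the rights discussed above, and writes it back, so no byte array has to be copied by hand. The host, account and namespace names are placeholders; it needs administrative rights on the target (over WinRM when -ComputerName is given, locally otherwise).

```powershell
# Added example (not from the original article): grant "Enable account" + "Remote enable"
# (and optionally "Execute method") on a WMI namespace via __SystemSecurity.
# pcname.domain.local, domain.local\Scan and the namespaces below are placeholders.
Set-StrictMode -Version Latest

# Namespace access-mask bits (wbemcli.h)
$WBEM_ENABLE         = 0x00000001   # "Enable account"
$WBEM_METHOD_EXECUTE = 0x00000002   # "Execute method"
$WBEM_REMOTE_ACCESS  = 0x00000020   # "Remote enable"

function Get-WmiNamespaceSd {
    # Returns the RawSecurityDescriptor of a namespace, as __SystemSecurity.GetSD exposes it.
    param([string]$ComputerName, [string]$Namespace = 'root')
    $target = @{ Namespace = $Namespace; ClassName = '__SystemSecurity' }
    if ($ComputerName) { $target.ComputerName = $ComputerName }   # WSMan; use -CimSession for DCOM
    $r = Invoke-CimMethod @target -MethodName 'GetSD'
    if ($r.ReturnValue -ne 0) { throw "GetSD on $Namespace failed, ReturnValue=$($r.ReturnValue)" }
    [System.Security.AccessControl.RawSecurityDescriptor]::new([byte[]]$r.SD, 0)
}

function Grant-WmiNamespaceAccess {
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'domain.local\Scan'
        [string]$ComputerName,
        [string]$Namespace = 'root',
        [switch]$AllowMethodExecution              # adds "Execute method"
    )
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $mask = $WBEM_ENABLE -bor $WBEM_REMOTE_ACCESS
    if ($AllowMethodExecution) { $mask = $mask -bor $WBEM_METHOD_EXECUTE }

    $sd = Get-WmiNamespaceSd -ComputerName $ComputerName -Namespace $Namespace

    # Idempotent: skip if an allow ACE for this SID already carries the requested mask
    $existing = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.SecurityIdentifier -eq $sid -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        ($_.AccessMask -band $mask) -eq $mask
    }
    if ($existing) { return $sd.GetSddlForm('All') }

    # ContainerInherit = "this namespace and subnamespaces" in wmimgmt.msc
    $ace = [System.Security.AccessControl.CommonAce]::new(
        [System.Security.AccessControl.AceFlags]::ContainerInherit,
        [System.Security.AccessControl.AceQualifier]::AccessAllowed,
        $mask, $sid, $false, $null)
    $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)

    $bytes = New-Object byte[] $sd.BinaryLength
    $sd.GetBinaryForm($bytes, 0)
    $target = @{ Namespace = $Namespace; ClassName = '__SystemSecurity' }
    if ($ComputerName) { $target.ComputerName = $ComputerName }
    $w = Invoke-CimMethod @target -MethodName 'SetSD' -Arguments @{ SD = $bytes }
    if ($w.ReturnValue -ne 0) { throw "SetSD on $Namespace failed, ReturnValue=$($w.ReturnValue)" }
    $sd.GetSddlForm('All')
}

# Usage (placeholders): read-only rights on Root, inherited by sub-namespaces, plus the
# same on the BitLocker namespace, which does not inherit from Root.
Grant-WmiNamespaceAccess -ComputerName 'pcname.domain.local' -Account 'domain.local\Scan'
Grant-WmiNamespaceAccess -ComputerName 'pcname.domain.local' -Account 'domain.local\Scan' `
    -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption'
(Get-WmiNamespaceSd -ComputerName 'pcname.domain.local').GetSddlForm('All')
```

The returned SDDL is worth keeping in the change record: it shows the scanning account's ACE next to the defaults, and diffing it against a later GetSD catches silent changes to the namespace.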
5. DCOM permissions
Since WMI runs over DCOM, the account also needs DCOM rights. The simplest way is membership in the built-in "Distributed COM Users" group; the explicit alternatives are:
1) GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - "DCOM: Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax": grant "Remote Access".
The setting is stored under HKLM\Software\Policies\Microsoft\Windows NT\DCOM as the SDDL string MachineAccessRestriction.
Locally the same is done in dcomcnfg: My Computer - Properties - COM Security - Access Permissions - "Edit Limits..." - Remote Access.
2) GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - "DCOM: Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax": grant "Remote Launch" and "Remote Activation".
The setting is stored under HKLM\Software\Policies\Microsoft\Windows NT\DCOM as the SDDL string MachineLaunchRestriction.
Locally: dcomcnfg - My Computer - Properties - COM Security - Launch and Activation Permissions - "Edit Limits..." - Remote Launch, Remote Activation.
3) The DCOM application itself: dcomcnfg - Component Services - Computers - My Computer - DCOM Config - "Windows Management and Instrumentation" - Properties - Security. Under "Launch and Activation Permissions" choose Customize - Edit and grant Remote Launch and Remote Activation; under "Access Permissions" choose Customize - Edit and grant Remote Access.
6. WMI impersonation and authentication levels.
Two more DCOM parameters determine how a WMI call is authenticated and executed:
1) Impersonation level: what the WMI provider may do on behalf of the caller. It must be "Impersonate"; the WMI default is already the DWORD "Default Impersonation Level" = 3 (Impersonate) under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WBEM\Scripting.
The machine-wide DCOM default, however, is "Identify". For clients that do not set a level themselves raise it to "Impersonate": dcomcnfg - My Computer - Properties - Default Properties - Default Impersonation Level.
In the registry this is the DWORD "LegacyImpersonationLevel" = 3 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole.
2) Authentication level: whether, and how, the RPC traffic between client and server is signed and encrypted. The WMI default is Connect (authenticate once, then no integrity or encryption); raise it to Packet Privacy (every packet signed and encrypted): dcomcnfg - Component Services - Computers - My Computer - DCOM Config - "Windows Management and Instrumentation" - Properties - General - Authentication Level.
The Application ID (AppID) of the DCOM application is shown on the same General tab.
In the registry the setting is the DWORD AuthenticationLevel = 6 (Packet Privacy) under HKLM\SOFTWARE\Classes\AppID\{AppID}.
The machine-wide default is likewise Connect; raise it to Packet Privacy: dcomcnfg - My Computer - Properties - Default Properties - Default Authentication Level.
Or set the DWORD "LegacyAuthenticationLevel" = 6 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole.
7. Restart the WMI service ("Windows Management Instrumentation", winmgmt) so that the DCOM changes take effect.
2) Usage
WMI data can be queried with the "legacy" command-line tool wmic (Windows Management Instrumentation Command) or with the PowerShell cmdlet Get-WmiObject; both are shown below. Note that wmic is deprecated in current Windows builds, so prefer PowerShell where it exists.
Reading WMI classes.
For example, the network adapters of pcname.domain.local via Get-WmiObject:
Get-WmiObject -ComputerName pcname.domain.local -Class Win32_NetworkAdapter | format-list Name
or, with PowerShell aliases:
gwmi -cn pcname.domain.local Win32_NetworkAdapter| fl Name
The same in wmic:
wmic /node:"pcname.domain.local" path Win32_NetworkAdapter get name
queries the Win32_NetworkAdapter class by name, while
wmic /node:"pcname.domain.local" nic get name
uses its alias "nic". The full alias list: wmic alias list full; to find the alias for a class: wmic alias list brief | findstr /I nic
All properties are returned with get *, and /format selects the output format, e.g.:
wmic /node:"pcname.domain.local" os get * /format:value (key=value lines)
wmic /node:"pcname.domain.local" /output:"c:\folder\file.html" computersystem list full /format:htable (HTML table written to a file)
wmic /node:"pcname.domain.local" /output:"c:\folder\file.csv" path Win32_OperatingSystem get * /format:csv (CSV file)
The list verb returns predefined property sets of an alias:
wmic /node:"pcname.domain.local" nic list brief (short form)
wmic /node:"pcname.domain.local" nic list status (status only)
wmic /node:"pcname.domain.local" nic list full /every:5 (full form, repeated every 5 seconds)
Help for an alias: wmic aliasname list /? (where aliasname is the alias, e.g. nic)
Filtering uses WQL (WMI Query Language) through WHERE:
wmic /node:"pcname.domain.local" nic WHERE PhysicalAdapter='true' get * /format:value
wmic /node:"pcname.domain.local" path Win32_NetworkAdapter WHERE PhysicalAdapter='true' get * /format:value
and in PowerShell:
gwmi -cn pcname.domain.local -Query "Select * from Win32_NetworkAdapter WHERE PhysicalAdapter='true' " | fl *
By default both PowerShell and wmic use the Root\Cimv2 namespace; other namespaces must be given explicitly, and each of them needs its own permissions as described above. For example, BitLocker status is in Root\CIMV2\Security\MicrosoftVolumeEncryption:
wmic /node:"pcname.domain.local" /namespace:"\\Root\CIMV2\Security\MicrosoftVolumeEncryption" path Win32_EncryptableVolume get * /format:list
gwmi -cn pcname.domain.local -namespace:"Root\CIMV2\Security\MicrosoftVolumeEncryption" -class Win32_EncryptableVolume | fl *
BIOS and system information from the Root\wmi namespace:
wmic /node:"pcname.domain.local" /namespace:"\\Root\wmi" path MS_SystemInformation get * /format:value
gwmi -cn pcname.domain.local -namespace:"Root\wmi" -class MS_SystemInformation | fl *
Installed antivirus products from Root\SecurityCenter (Windows XP/2003) or Root\SecurityCenter2 (Windows Vista/2008 and later); these namespaces exist only on client editions of Windows:
wmic /namespace:"\\Root\SecurityCenter2" path AntivirusProduct get * /format:value
gwmi -cn pcname.domain.local -namespace:"Root\SecurityCenter2" -class AntivirusProduct | fl *
wmic can also take a list of hosts from a file and explicit credentials:
wmic /node:@pclist.txt /user:domain.local\Scan /password:P@$$w0rd CommandName
A password given on the command line, however, ends up in process-creation audit events (4688 with command-line logging), in the console history and in every monitoring tool that sees the process; with a domain account it is better to rely on the Kerberos ticket of the logged-on session, or on a PSCredential in PowerShell.
Calling WMI methods additionally requires "Execute method" on the namespace. For example, reading a registry value with the GetStringValue method of the StdRegProv class (namespace root\default) from wmic:
wmic /node:"pcname.domain.local" /NameSpace:\\root\default Class StdRegProv Call GetStringValue sSubKeyName="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Authentication\\LogonUI" sValueName="LastLoggedOnSAMUser" | findstr "sValue"
and from PowerShell (the LogonUI key records who last logged on to the host):
$hklm = 2147483650  # HKEY_LOCAL_MACHINE (0x80000002)
$key = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
$values = @('LastLoggedOnUser', 'LastLoggedOnUserSID', 'LastLoggedOnDisplayName')
# Bind the StdRegProv class once, not once per value
$wmi = Get-WmiObject -List 'StdRegProv' -Namespace root\default -ComputerName pcname.domain.local
foreach ($value in $values) {
    $result = $wmi.GetStringValue($hklm, $key, $value)
    if ($result.ReturnValue -ne 0) { Write-Warning "$value not read, ReturnValue=$($result.ReturnValue)"; continue }
    [PSCustomObject]@{ Name = $value; Value = $result.sValue }
}
The same "Execute method" right also allows the Create method of Win32_Process, i.e. launching processes on the remote host, and this is where least privilege gets difficult. The call fails with "Return Value=8" (unknown failure) unless the account holds SeRestorePrivilege ("Restore files and directories", GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment - Restore files and directories). That privilege is dangerous in itself: it lets the holder write files and registry keys regardless of their ACLs, so an account that has it must be treated as privileged, whatever else it lacks; if the inventory does not need remote process creation (and the WMI queries above do not), do not grant it.
Examples of process creation via WMI:
wmic /node:"pcname.domain.local" path Win32_Process Call Create "cmd.exe /c C:\folder\batch.bat" (runs a batch file on the target)
Invoke-WmiMethod -ComputerName pcname.domain.local -Class Win32_process -Name Create -ArgumentList 'cmd /c schtasks /run /tn "task1" ' (starts the scheduled task "task1" on the target)
Another inventory item that needs extra rights is the list of running processes with their executable paths, useful for matching against threat-intelligence data (Cyber Threat Intelligence). Reading the ExecutablePath of processes belonging to other users requires SeDebugPrivilege ("Debug programs", GPO Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment - Debug programs). SeDebugPrivilege is more dangerous still: it allows opening any process, including the LSA process (lsass.exe) of Windows, which is exactly what mimikatz needs to dump credentials. As with SeRestorePrivilege, an account holding SeDebugPrivilege is effectively an administrator, whatever its group membership says.
Process list with executable paths:
wmic /node:"pcname.domain.local" path Win32_Process get ExecutablePath
gwmi win32_process -ComputerName pcname.domain.local | fl ExecutablePath
With both privileges and the WMI rights Enable account, Remote enable and Execute method, one can hash every running executable on the target and check the hashes, e.g. against VirusTotal:
Invoke-WmiMethod -ComputerName pcname.domain.local -Class Win32_Process -Name Create -ArgumentList 'powershell.exe -command "Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique | ForEach-Object {Get-FileHash $_ -Algorithm SHA256} | fl * | out-file C:\folder\$env:COMPUTERNAME.$(get-date -format HH-mm-ss.dd.MM.yyyy).txt" '
Invoke-RestMethod -Method 'POST' -Uri "https://www.virustotal.com/vtapi/v2/file/report?apikey=$VTApiKey&resource=$item"
(where VTApiKey is a VirusTotal Community API key and item is the SHA-256 hash of a file). Instead of submitting hashes to a third party they can be compared with a local "known-good" catalogue such as xCyclopedia. Either way, remember that an account with these rights (WMI method execution, SeRestorePrivilege, SeDebugPrivilege) is a privileged account and must be protected as one.
3) Auditing WMI access
WMI namespace access is audited under Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Object Access\Audit Other Object Access Events - Enable.
Then set a SACL (auditing entries) on the WMI namespace, in the same way as the DACL above.
The SACL is part of the same security descriptor, so it can be set through the VBS script and __SystemSecurity. Afterwards the WMI service ("Windows Management Instrumentation", winmgmt) logs every namespace access as EventID 4662 in the Security log, with the account, the namespace and the operation performed.
To see which processes WMI launched, enable Computer Configuration\Windows Settings\Security Settings\Advanced Audit Policy Configuration\Audit Policies\Detailed Tracking\Audit Process Creation and Computer Configuration\Administrative Templates\System\Audit Process Creation - Include command line in process creation events. EventID 4688 in the Security log then shows the new process, its command line and its parent, which for WMI is C:\Windows\System32\wbem\WmiPrvSE.exe.
Use of SeRestorePrivilege is logged under Computer Configuration\Windows Settings\Advanced Audit Policy Configuration\Privilege Use - Audit Sensitive Privilege Use, but only if the security option Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options - "Audit: Audit the use of Backup and Restore privilege" is also enabled (it is off by default because of the event volume); the result is EventID 4674 (An operation was attempted on a privileged object).
SeDebugPrivilege shows up at logon time: with Computer Configuration\Windows Settings\Advanced Audit Policy Configuration\Audit Policies\Logon/Logoff - Audit Special Logon enabled, EventID 4672 (Special privileges assigned to new logon) lists it among the privileges of the new logon session.
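Triage of the events above for a scanning account, as an added example that is not part of the original article: one function flattens the event XML that Get-WinEvent returns (EventLogRecord.ToXml()) into objects, a second keeps the scanning account's activity and separates what an inventory run should produce (registry reads, namespace access) from what should be reviewed (process creation, privilege use). The sample events are constructed for the example and trimmed to the fields used; the account name and host are placeholders, and the same functions also serve the Remote Registry audit of Section 1 (EventID 4663).

```powershell
# Added example (not from the original article): classify Security-log events produced
# by the scanning account "Scan". Sample events below are constructed and abbreviated.
function ConvertFrom-SecurityEventXml {
    # Flattens an Event XML string into one object: EventID, Computer, TimeCreated
    # plus one property per <Data Name="..."> element of EventData.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    process {
        $doc = [xml]$Xml
        $idNode = $doc.Event.System.EventID
        # Classic events carry <EventID Qualifiers="...">, in which case the node is an element
        $id = if ($idNode -is [string]) { [int]$idNode } else { [int]$idNode.'#text' }
        $props = [ordered]@{
            EventID     = $id
            Computer    = [string]$doc.Event.System.Computer
            TimeCreated = [string]$doc.Event.System.TimeCreated.SystemTime
        }
        foreach ($d in $doc.Event.EventData.Data) { $props[$d.Name] = [string]$d.'#text' }
        [pscustomobject]$props
    }
}

function Get-ScanAccountActivity {
    # Keeps events whose subject is the scanning account and tags the ones to review.
    param([Parameter(Mandatory)][string]$Account, [Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        if ($e.SubjectUserName -ne $Account) { continue }
        $activity = switch ($e.EventID) {
            4663 { "registry read of $($e.ObjectName) via $($e.ProcessName)" }     # Remote Registry (svchost.exe)
            4662 { "WMI namespace $($e.ObjectName): $($e.AccessList)" }
            4688 { "process $($e.NewProcessName) spawned by $($e.ParentProcessName)" }
            4674 { "privilege $($e.PrivilegeList) used" }
            4672 { "logon with $($e.PrivilegeList)" }
            default { "event $($e.EventID)" }
        }
        # Reads are expected from an inventory account; execution and privilege use are not
        $severity = if ($e.EventID -in @(4688, 4674, 4672)) { 'review' } else { 'expected' }
        [pscustomobject]@{ Time = $e.TimeCreated; Computer = $e.Computer; Severity = $severity; Activity = $activity }
    }
}

# Constructed sample events in the schema of EventLogRecord.ToXml() (abbreviated)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleEvent([int]$Id, [hashtable]$Data) {
    $rows = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='$ns'><System><EventID>$Id</EventID><TimeCreated SystemTime='2021-03-01T10:00:00Z'/><Computer>pcname.domain.local</Computer></System><EventData>$rows</EventData></Event>"
}
$samples = @(
    New-SampleEvent 4663 @{ SubjectUserName = 'Scan'; ObjectName = '\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'; ProcessName = 'C:\Windows\System32\svchost.exe'; AccessMask = '0x1' }
    New-SampleEvent 4662 @{ SubjectUserName = 'Scan'; ObjectName = 'root\cimv2'; OperationType = 'Object Access'; AccessList = 'Remote Access' }
    New-SampleEvent 4688 @{ SubjectUserName = 'Scan'; NewProcessName = 'C:\Windows\System32\cmd.exe'; ParentProcessName = 'C:\Windows\System32\wbem\WmiPrvSE.exe'; CommandLine = 'cmd.exe /c C:\folder\batch.bat' }
    New-SampleEvent 4688 @{ SubjectUserName = 'Alice'; NewProcessName = 'C:\Windows\explorer.exe'; ParentProcessName = 'C:\Windows\System32\userinit.exe'; CommandLine = 'explorer.exe' }
)
$events = $samples | ConvertFrom-SecurityEventXml
Get-ScanAccountActivity -Account 'Scan' -Events $events | Format-Table -AutoSize

# Live data instead of the samples:
# Get-WinEvent -LogName Security -FilterXPath "*[System[EventID=4662 or EventID=4663 or EventID=4688]]" |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-SecurityEventXml
```

On the sample data the two reads come out as "expected" and the WmiPrvSE.exe-spawned cmd.exe as "review"; Alice's explorer.exe is dropped because the subject is not the scanning account. Any "review" row for an account that was configured for read-only inventory means it has rights it should not have.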
3. WMI over WinRM
On Windows 7/2008 R2 and later, WMI data can be retrieved not over DCOM but through the Common Information Model (CIM) cmdlets over Windows Remote Management (WinRM, Microsoft's implementation of WS-Management, WSMan, Web Services for Management): Get-CimInstance and Invoke-CimMethod take the place of Get-WmiObject and Invoke-WmiMethod. The CIM cmdlets can use either DCOM or WSMan; Test-WSMan shows whether a host answers WS-Management and which stack version it runs. Windows 8/2012 ship WinRM 3.0, Windows 7/2008 R2 WinRM 2.0, and Windows XP/2003/2008 have no WinRM the CIM cmdlets can use over WSMan (they require a 3.0 stack on the target), so those hosts are reached with the DCOM protocol option instead.
WSMan traffic is SOAP over HTTP on TCP 5985 (WinRM 1.x, i.e. before Windows 7/2008 R2, used TCP 80); with Kerberos the HTTP payload is encrypted with the session key (HTTP-Kerberos-session-encrypted), so plain HTTP is acceptable inside a domain. HTTPS on TCP 5986 (older: TCP 443) requires a server certificate on every host.
WinRM is enabled with winrm qc -q (quickconfig), which starts the "Windows Remote Management (WS-Management)" service (WinRM), creates an HTTP listener on TCP 5985 and adds the firewall exception. Centrally the same is done with the GPO Computer Configuration \ Administrative Templates \ Windows Components \ Windows Remote Management (WinRM) \ WinRM Service - Allow remote server management through WinRM, whose IPv4/IPv6 filters list the addresses the listener accepts connections from ("*" means any). Restrict the firewall rule to the scanning host:
netsh advfirewall firewall add rule name="WinRM-HTTP" dir=in action=allow protocol=TCP localport=5985 remoteip=X.X.X.X enable=yes profile=domain
where X.X.X.X is the address of the scanning host.
The current configuration is shown by winrm get winrm/config, the listeners by winrm enumerate winrm/config/listener, and the WS-Management identity of the host (including the stack version) by winrm id. To "undo" winrm qc, stop the "Windows Remote Management (WS-Management)" service (WinRM) and delete the listener: winrm delete winrm/config/Listener?Address=*+Transport=HTTP . Note that winrm qc also enables Windows Remote Shell (WinRS); if only CIM queries are needed, disable WinRS with the GPO Computer Configuration / Administrative Templates / Windows Components / Windows Remote Shell / Allow Remote Shell Access - Disabled, or winrm set winrm/config/winrs @{AllowRemoteShellAccess="false"} .
Access over WinRM. The built-in group "Remote Management Users" (older systems have only WinRMRemoteWMIUsers__) is permitted by default, but it also appears in the default descriptor of the PowerShell Remoting endpoint, which is more than an inventory account should have. To permit only CIM queries, edit the security descriptor of the CIM schema endpoint:
winrm configsddl http://schemas.dmtf.org/wbem/wscim/1/cim-schema
and grant the account Read (Get, Enumerate, Subscribe) for Get-CimInstance and Execute (Invoke) for Invoke-CimMethod.
The WMI namespace rights from Section 2 remain required: "Enable account" and "Remote enable" for Get-CimInstance, plus "Execute method" for Invoke-CimMethod. Beyond that only TCP 5985 is needed instead of the DCOM ports; SeRestorePrivilege is still required for Win32_Process.Create.
The CIM endpoint's descriptor is stored in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\WMI Provider, value ConfigXML, an XML string with the SDDL inside (note the Architecture element in it). The value can be deployed centrally with GPO. Two good write-ups on WinRM internals:
https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=10
https://www.bloggingforlogging.com/2018/01/24/demystifying-winrm/
Restart the "Windows Remote Management (WS-Management)" service (WinRM) after changing the descriptor.
Reading via CIM:
Get-CimInstance -ComputerName pcname.domain.local -Class Win32_NetworkAdapter
Process creation via CIM (with SeRestorePrivilege and, for hashing all processes, SeDebugPrivilege):
Invoke-CimMethod -ComputerName pcname.domain.local -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine = 'powershell.exe -command "Get-Process | Where-Object Path | Select-Object -ExpandProperty Path -Unique | ForEach-Object {Get-FileHash $_ -Algorithm SHA256} | fl * | out-file C:\folder\$env:COMPUTERNAME.$(get-date -format HH-mm-ss.dd.MM.yyyy).txt" ' }
Auditing is the same as for DCOM: with the namespace SACL set, Get-CimInstance produces EventID 4662 in the Security log; with process-creation auditing enabled, the Create call of Invoke-CimMethod produces EventID 4688.
4. Inventory sources that need more than namespace rights
Most CIM/WMI classes are readable with the rights described so far, but two common inventory items are not: installed updates and Windows services, because their providers go through other components with their own security descriptors.
4.1. Installed updates
Installed updates are read from Win32_QuickFixEngineering. Its provider calls the Windows Modules Installer ("TrustedInstaller") over DCOM, so the account also needs DCOM rights on the "Trusted Installer Service" application: dcomcnfg - Component Services - Computers - My Computer - DCOM Config - Trusted Installer Service - Properties - Security, "Launch and Activation Permissions" (Remote Launch, Remote Activation) and "Access Permissions" (Remote Access). The Application ID is on the General tab, and the same rights are the binary values LaunchPermission and AccessPermission under HKLM\SOFTWARE\Classes\AppID\{AppID}. If dcomcnfg refuses to save them for "Trusted Installer Service" (the key is protected), take ownership of that registry key and edit the values directly. The Windows Modules Installer service (TrustedInstaller) must not be disabled. Then:
wmic /node:"pcname.domain.local" qfe list full /format:table
gwmi -ComputerName pcname.domain.local -Class win32_QuickFixEngineering | fl *
Get-CimInstance -ComputerName pcname.domain.local -Class win32_QuickFixEngineering | fl *
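A collector that puts Sections 3 and 4.1 together, as an added example that is not part of the original article: it picks WSMan when Test-WSMan reports a WinRM 3.0 stack and falls back to the DCOM protocol option for older hosts, reads the classes used throughout the article and treats the QFE query, which depends on the TrustedInstaller DCOM rights, as optional so one missing permission does not lose the whole host. Host list path, file names and credentials are placeholders; the scanning account needs the namespace rights above on every target.

```powershell
# Added example (not from the original article): CIM inventory with WSMan/DCOM selection.
# C:\folder\pclist.txt and C:\folder\inventory.csv are placeholders.
Set-StrictMode -Version Latest

function New-InventoryCimSession {
    param([Parameter(Mandatory)][string]$ComputerName, [pscredential]$Credential)
    $protocol = 'Dcom'   # TCP 135 + dynamic (or fixed, see Section 2) port
    try {
        # ProductVersion looks like "OS: 0.0.0 SP: 0.0 Stack: 3.0"; CIM over WSMan needs Stack >= 3
        $id = Test-WSMan -ComputerName $ComputerName -ErrorAction Stop
        if ($id.ProductVersion -match 'Stack:\s*(\d+)' -and [int]$Matches[1] -ge 3) { $protocol = 'Wsman' }
    } catch {
        Write-Verbose "$ComputerName gave no WS-Management answer ($($_.Exception.Message)), using DCOM"
    }
    $p = @{ ComputerName = $ComputerName; SessionOption = (New-CimSessionOption -Protocol $protocol); ErrorAction = 'Stop' }
    if ($Credential) { $p.Credential = $Credential }
    New-CimSession @p
}

function Get-HostInventory {
    param([Parameter(Mandatory)][Microsoft.Management.Infrastructure.CimSession]$Session)
    $ci  = @{ CimSession = $Session; ErrorAction = 'Stop' }
    $os  = Get-CimInstance @ci -ClassName Win32_OperatingSystem
    $cs  = Get-CimInstance @ci -ClassName Win32_ComputerSystem
    $nic = Get-CimInstance @ci -ClassName Win32_NetworkAdapter -Filter 'PhysicalAdapter = TRUE'
    # QFE goes through the Trusted Installer Service DCOM application (4.1): report, do not abort
    $qfe = try { Get-CimInstance @ci -ClassName Win32_QuickFixEngineering }
           catch { Write-Warning "$($Session.ComputerName): QFE not readable, $($_.Exception.Message)"; @() }
    [pscustomobject]@{
        ComputerName = $Session.ComputerName
        Protocol     = $Session.Protocol
        OS           = "$($os.Caption) $($os.Version)"
        LastBoot     = $os.LastBootUpTime
        Model        = "$($cs.Manufacturer) $($cs.Model)"
        MACs         = (@($nic.MACAddress) | Where-Object { $_ }) -join ';'
        HotfixCount  = @($qfe).Count
        LastHotfix   = (@($qfe) | Sort-Object InstalledOn | Select-Object -Last 1).HotFixID
    }
}

# Usage (placeholders): one row per host; a failed host becomes an ERROR row instead of stopping the run
$inventory = foreach ($pc in Get-Content 'C:\folder\pclist.txt') {
    try {
        $s = New-InventoryCimSession -ComputerName $pc
        try { Get-HostInventory -Session $s } finally { Remove-CimSession $s }
    } catch {
        [pscustomobject]@{ ComputerName = $pc; Protocol = 'n/a'; OS = "ERROR: $($_.Exception.Message)" }
    }
}
$inventory | Export-Csv -Path 'C:\folder\inventory.csv' -NoTypeInformation -Encoding UTF8
```

The Protocol column is itself inventory data: a host that keeps answering over DCOM only is either legacy or has WinRM switched off, and both are worth knowing about.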
4.2. Windows services
The list of services comes from Win32_Service, but the provider reads it through the Service Control Manager (SCM), which has its own security descriptor. By default a non-administrator connecting over the network holds only SC_MANAGER_CONNECT on it and cannot enumerate services, so the scanning account has to be added to the SCM descriptor explicitly.
First obtain the SID of the account:
wmic useraccount where (name="Scan" and domain="domain.local") get sid
Then dump the current SCM descriptor on the target:
sc sdshow scmanager
It is an SDDL string; by default it looks like this:
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
Add an ACE of the form
(A;;CCLCRPRC;;;[SID]) , [SID] SID .
where A means access allowed and the rights are CC (SC_MANAGER_CONNECT, connect to the SCM), LC (SC_MANAGER_ENUMERATE_SERVICE, list the services), RP (SC_MANAGER_QUERY_LOCK_STATUS, query the lock status) and RC (READ_CONTROL, read the descriptor).
The ACE goes at the end of the DACL (the "D:" part), before the SACL (the "S:" part):
D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;[SID])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
and is written back on the target with (from PowerShell call sc.exe explicitly, since sc alone is the alias of Set-Content):
sc sdset scmanager D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)(A;;CCLCRPRC;;;[SID])S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)
The descriptor is stored in the registry under HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder\Security (binary value Security), so it can also be deployed that way. Every service has its own descriptor as well (sc sdshow <servicename>), which may likewise need adjusting if particular services are missing from the result.
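Building and checking the new SCM descriptor in PowerShell, as an added example that is not part of the original article: the first function inserts the (A;;CCLCRPRC;;;SID) ACE at the end of the DACL, validates the result with the .NET SDDL parser and returns the sc.exe command to run; the second decodes every ACE so the rights granted to each principal can be reviewed before the change is applied. The default SDDL is the one quoted above; the SID is a placeholder.

```powershell
# Added example (not from the original article): SCM SDDL editing and review.
# The SID below is a placeholder for the Scan account; the default SDDL is the one quoted in the article.
Set-StrictMode -Version Latest

# SDDL right letters as the Service Control Manager interprets them, and the SID aliases used in it
$ScmRights = [ordered]@{
    CC = 'SC_MANAGER_CONNECT'; DC = 'SC_MANAGER_CREATE_SERVICE'; LC = 'SC_MANAGER_ENUMERATE_SERVICE'
    SW = 'SC_MANAGER_LOCK';    RP = 'SC_MANAGER_QUERY_LOCK_STATUS'; WP = 'SC_MANAGER_MODIFY_BOOT_CONFIG'
    RC = 'READ_CONTROL';       SD = 'DELETE'; WD = 'WRITE_DAC'; WO = 'WRITE_OWNER'; KA = 'ALL_ACCESS'
}
$SddlSidAliases = @{ AU = 'Authenticated Users'; IU = 'INTERACTIVE'; SU = 'SERVICE'; SY = 'SYSTEM'
                     BA = 'BUILTIN\Administrators'; AC = 'ALL APPLICATION PACKAGES'; WD = 'Everyone' }

function Add-ScmConnectAce {
    # Appends (A;;<Rights>;;;<Sid>) to the DACL, before the SACL; returns the new SDDL and the command.
    param([Parameter(Mandatory)][string]$Sddl, [Parameter(Mandatory)][string]$Sid, [string]$Rights = 'CCLCRPRC')
    if ($Sddl -notmatch '^(?<dacl>D:(?:\([^)]*\))*)(?<sacl>S:.*)?$') { throw 'Unexpected SDDL layout' }
    $dacl = $Matches['dacl']; $sacl = [string]$Matches['sacl']
    if ($dacl -match "\(A;[^;]*;[^;]*;;;$([regex]::Escape($Sid))\)") {
        return [pscustomobject]@{ Sddl = $Sddl; Command = $null; Changed = $false }   # already present
    }
    $new = "$dacl(A;;$Rights;;;$Sid)$sacl"
    # The .NET parser throws on malformed SDDL, so a typo is caught here rather than by sc.exe
    $null = [System.Security.AccessControl.RawSecurityDescriptor]::new($new)
    [pscustomobject]@{ Sddl = $new; Command = "sc.exe sdset scmanager $new"; Changed = $true }
}

function Get-ScmDaclSummary {
    # One row per DACL ACE: type, principal (alias or resolved SID) and decoded rights.
    param([Parameter(Mandatory)][string]$Sddl)
    $dacl = ($Sddl -split 'S:')[0]
    foreach ($m in [regex]::Matches($dacl, '\((?<type>[A-Z]+);(?<flags>[A-Z]*);(?<rights>[A-Z]*);;;(?<sid>[^)]+)\)')) {
        $sid = $m.Groups['sid'].Value
        $principal = if ($SddlSidAliases.ContainsKey($sid)) { $SddlSidAliases[$sid] }
                     else { try { ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch { $sid } }
        $rights = [regex]::Matches($m.Groups['rights'].Value, '..') | ForEach-Object {
            if ($ScmRights.Contains($_.Value)) { $ScmRights[$_.Value] } else { $_.Value }
        }
        [pscustomobject]@{ Type = $m.Groups['type'].Value; Principal = $principal; Rights = ($rights -join ', ') }
    }
}

# Usage (placeholders). Live input instead of the constant: $default = ((sc.exe sdshow scmanager) -join '').Trim()
$default = 'D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)(A;;CCLCRPRC;;;SU)(A;;CCLCRPWPRC;;;SY)(A;;KA;;;BA)(A;;CC;;;AC)S:(AU;FA;KA;;;WD)(AU;OIIOFA;GA;;;WD)'
$scanSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'   # placeholder SID of domain.local\Scan
$r = Add-ScmConnectAce -Sddl $default -Sid $scanSid
Get-ScmDaclSummary -Sddl $r.Sddl | Format-Table -AutoSize
$r.Command   # run this on the target (or sc.exe \\pcname.domain.local sdset scmanager ...)
```

The summary makes the least-privilege point visible: Authenticated Users (which the network logon of the scanning account falls under) has only SC_MANAGER_CONNECT, the Interactive and Service users have the enumerate/query set, and the new ACE gives the scanning account exactly that set and nothing from the SYSTEM or Administrators entries.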
:
wmic /node:"pcname.domain.local" path Win32_Service get /format:list
gwmi -ComputerName pcname.domain.local -Class Win32_Service | fl *
Get-CimInstance -ComputerName pcname.domain.local -ClassName Win32_Service | fl *
5. Remote shells
Finally, the "heavy" tools: remote shells. From Windows 7/2008 R2 on there are PowerShell Remoting and Windows Remote Shell (WinRS); both run over WinRM (WSMan), i.e. TCP 5985 and the "Windows Remote Management (WS-Management)" service (WinRM). PowerShell Remoting is enabled with Enable-PSRemoting, WinRS with winrm qc; in both cases the WinRM settings from Section 3 apply.
5.1. PowerShell Remoting
Access to PowerShell Remoting is granted by the "Remote Management Users" group, or more precisely by the security descriptor of the session configuration, which is edited with:
Set-PSSessionConfiguration -Name Microsoft.PowerShell -showSecurityDescriptorUI
In the dialog, grant Read (Get, Enumerate, Subscribe) and Execute (Invoke).
The descriptor is stored in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Plugin\Microsoft.PowerShell, value ConfigXML, an XML string with the SDDL inside (note the Architecture element in it).
Connecting via PowerShell Remoting:
Enter-PSSession -ComputerName pcname.domain.local
gives an interactive PowerShell prompt on the remote host, the way a remote cmd shell would.
or, non-interactively, a single command or script block:
Invoke-Command -ComputerName pcname.domain.local -ScriptBlock {Get-Culture}
Invoke-Command -ComputerName pcname.domain.local -ScriptBlock {ipconfig}
With process-creation auditing enabled, EventID 4688 in the Security log records the remote PowerShell host process C:\Windows\System32\wsmprovhost.exe. Unlike cmd, PowerShell can log what was executed inside it: enable Computer Configuration \ Administrative Templates \ Windows Components \ Windows PowerShell - Turn on PowerShell Script Block Logging (the check-box "Log script block invocation start / stop events" adds start and stop records); the commands then appear in Applications and Services Logs - Microsoft - Windows - PowerShell - Operational (Microsoft-Windows-PowerShell/Operational), and the connections themselves in Microsoft-Windows-WinRM/Operational.
Remember that Enter-PSSession and Invoke-Command are remote code execution, not inventory!
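The least-privilege counterpart of the unrestricted Microsoft.PowerShell endpoint, as an added example that is not part of the original article: a constrained (Just Enough Administration) endpoint that lets the scanning account run only Get-CimInstance against a fixed list of classes, with every session transcribed. It needs PowerShell 5.0 or later on the target and is run there as an administrator; the module name, paths, account name and endpoint name are placeholders.

```powershell
# Added example (not from the original article): JEA endpoint "Inventory" for domain.local\Scan.
# Run on the target as an administrator. Names and paths are placeholders.
Set-StrictMode -Version Latest

$moduleName = 'InventoryJea'
$modulePath = Join-Path $env:ProgramFiles "WindowsPowerShell\Modules\$moduleName"
$rcDir      = Join-Path $modulePath 'RoleCapabilities'   # JEA looks for .psrc files here
New-Item -ItemType Directory -Path $rcDir -Force | Out-Null
New-ModuleManifest -Path (Join-Path $modulePath "$moduleName.psd1") -RootModule $null `
    -Description 'JEA role capabilities for asset inventory'

# Role capability: read-only CIM queries of a fixed class list; no other command is visible
New-PSRoleCapabilityFile -Path (Join-Path $rcDir 'InventoryReader.psrc') -VisibleCmdlets @(
    @{ Name = 'Get-CimInstance'; Parameters = @(
        @{ Name = 'ClassName'; ValidateSet = 'Win32_OperatingSystem', 'Win32_ComputerSystem',
                                            'Win32_NetworkAdapter', 'Win32_Service', 'Win32_QuickFixEngineering' },
        @{ Name = 'Filter' },
        @{ Name = 'Property' }
    ) },
    'Select-Object'
)

# Session configuration: restricted language, a virtual account does the local work (so the Scan
# account itself needs no rights on the host), and every session is transcribed for audit
$psscPath = Join-Path $modulePath 'Inventory.pssc'
New-PSSessionConfigurationFile -Path $psscPath -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount -TranscriptDirectory 'C:\JeaTranscripts' `
    -RoleDefinitions @{ 'domain.local\Scan' = @{ RoleCapabilities = 'InventoryReader' } }   # NetBIOS form DOMAIN\Scan if the DNS form is not resolved
if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw "Invalid session configuration file $psscPath" }
Register-PSSessionConfiguration -Name 'Inventory' -Path $psscPath -Force | Out-Null

# Client side: -ConfigurationName selects the constrained endpoint; anything outside the role is refused
Invoke-Command -ComputerName 'pcname.domain.local' -ConfigurationName 'Inventory' -ScriptBlock {
    Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object Caption, Version, LastBootUpTime
}
```

Compared with the "Remote Management Users" approach, the scanning account here holds no WMI namespace, DCOM or SCM rights on the host at all: the virtual account does the reading, the role capability decides which classes it may read, and the transcript directory records every query, which covers the 4662/4688 gap that Enter-PSSession otherwise leaves.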
5.2. Windows Remote Shell
Rights for Windows Remote Shell are edited with
winrm configSDDL default
granting Read (Get, Enumerate, Subscribe) and Execute (Invoke), as for PowerShell Remoting.
The descriptor is stored in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WSMAN\Service, value rootSDDL (an SDDL string).
WinRS must be enabled: GPO Computer Configuration / Administrative Templates / Windows Components / Windows Remote Shell / Allow Remote Shell Access - Enabled, or winrm set winrm/config/winrs @{AllowRemoteShellAccess="true"}.
Connecting via Windows Remote Shell:
winrs -r:pcname.domain.local cmd
gives a cmd prompt on the remote host.
or single commands:
winrs -r:pcname.domain.local netstat -nao
winrs -r:pcname.domain.local tasklist
winrs -r:pcname.domain.local powershell -command "get-culture"
With process-creation auditing enabled, EventID 4688 in the Security log records the remote shell host C:\Windows\System32\winrshost.exe.
To sum up: inventorying Windows hosts does not require an administrator account. Remote Registry, WMI over DCOM, CIM over WinRM and, only where unavoidable, the remote shells can each be granted to a dedicated account with the minimum rights described above, and each of them leaves an audit trail that can be checked against what the account is supposed to do. The asset management module of the Security Vision platform collects data from MS Windows by exactly these methods. For the scanning account itself, a gMSA (Group Managed Service Account) is a good choice: its password is generated and rotated by the domain, so nobody knows it and nothing has to store it.