最近因为疫情,大家都在家工作。为了远程连接,有些小的办公室没有使用虚拟专用网,而是直接在防火墙上进行了端口转发,直接跳转到服务器的3389端口上。而且由于各种原因,防火墙上也没有限制source IP,这样导致的结果就是互联网上任何人都可以进行访问。即使把外网端口改的特别大,但是对于扫描软件而已,也就是时间的问题,并不能提升太多的安全。

豆子今天就遇见了一起这样的问题。某诊所的服务器连续重启,登进去一看,发现安全日志里面都是各种失败的验证事件。而且这个服务器也没安装任何安全软件,完全在裸奔。

PowerShell 检测 RDP 扫描安全日志

这样看起来不方便,写个简单的脚本查询一下


function get-hacker{

$eventcritea = @{logname='security';id=4625}

$Events =get-winevent  -FilterHashtable $eventcritea  -MaxEvents 1000

#$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventcritea     

# Parse out the event message data            
ForEach ($Event in $Events) {    

    # Convert the event to XML            
    $eventXML = [xml]$Event.ToXml()    

    # Iterate through each one of the XML message properties            
    For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { 

        # Append these as object properties            
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  $eventXML.Event.EventData.Data[$i].name -Value $eventXML.Event.EventData.Data[$i].'#text'            
    }            
}            

$events | select TimeCreated, TargetUserName, ipAddress

}

$result=get-hacker

结果如下,可以看见对方尝试了不同的用户名,但是没有显示IP地址

PowerShell 检测 RDP 扫描安全日志

不用急,在对应的RemoteDesktopService-RdpCoreTS/Operation 日志里面,我们可以查看到真实的IP地址,如下所示,可以看见在看的同时,对方还在不断地扫描,尝试字典破解密码

PowerShell 检测 RDP 扫描安全日志

稍微修改一下上面的脚本,重新扫描一下


function get-hacker{

$eventcritea = @{logname='Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational';id=140}

$Events =get-winevent  -FilterHashtable $eventcritea  -MaxEvents 1000

#$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventcritea     

# Parse out the event message data            
ForEach ($Event in $Events) {    

    # Convert the event to XML            
    $eventXML = [xml]$Event.ToXml()    

        # Append these as object properties            
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  IP -Value $eventXML.Event.EventData.Data.'#text'            

}            

$events

}

$result=get-hacker

$result | select timecreated, IP | group-object ip

可以看见对方的恶意扫描来自于这6个地址

PowerShell 检测 RDP 扫描安全日志

这个诊所的路由器因为过于垃圾,无法配置防火墙策略,于是我干脆在Windows 的防火墙上新建了一条策略,对这几个IP地址进行了Block。

PowerShell 检测 RDP 扫描安全日志

之后再扫描日志,没有发现新的报错信息,证明拦截有效。

然后在安装杀软,清理了一堆恶意文件出来。

过了一会,发现又有新的IP在扫描,于是稍微整理了一下脚本,让他可以自动添加IP到防火墙rule里面

function get-hacker{

    Param
    (
        # Param1 help description
        [Parameter(Mandatory=$true,
                   ValueFromPipelineByPropertyName=$true,
                   Position=0)]
        [string]
        $name,

        # Param2 help description
        [int]
        $id
    )
$eventcritea = @{logname=$name;id=$id}

$Events =get-winevent  -FilterHashtable $eventcritea  -MaxEvents 1000

#$Events = Get-WinEvent -ComputerName syddc01 -FilterHashtable $eventcritea     

# Parse out the event message data            
ForEach ($Event in $Events) {    

    # Convert the event to XML            
    $eventXML = [xml]$Event.ToXml()    

    # Iterate through each one of the XML message properties            
    #For ($i=0; $i -lt $eventXML.Event.EventData.Data.Count; $i++) { 

        # Append these as object properties            
        Add-Member -InputObject $Event -MemberType NoteProperty -Force -Name  IP -Value $eventXML.Event.EventData.Data.'#text'            
    #}            
}            

$events

}

$result=get-hacker -name 'Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational' -id 140

$ip=$result | select timecreated, ip | Group-Object ip |select -ExpandProperty Name

function Add-MvaNetFirewallRemoteAdressFilter {
    <#
.SYNOPSIS
This function adds one or more ipaddresses to the firewall remote address filter
.DESCRIPTION
With the default Set-NetFirewallAddressFilter you can set an address filter for a firewall rule. You can not use it to
add a ip address to an existing address filter. The existing address filter will be replaced by the new one.
The Add-MvaNetFirewallRemoteAdressFilter function will add the ip address. Which is very usefull when there are already
many ip addresses in de address filter.
.PARAMETER fwAddressFilter
This parameter conntains the AddressFilter that you want to change. It accepts pipeline output from the command
Get-NetFirewallAddressFilter
.PARAMETER IPaddresses
This parameter is mandatory and can contain one or more ip addresses. You can also use a subnet.
.EXAMPLE
Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses 192.168.5.5
Add a single IP address to the remote address filter of the firewall rule 'Test-Rule'
.EXAMPLE
Get-NetFirewallrule -DisplayName 'Test-Rule' | Get-NetFirewallAddressFilter | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses 192.168.5.5, 192.168.6.6, 192.168.7.0/24
Add multiple IP address to the remote address filter of the firewall rule 'Test-Rule'
.LINK
https://get-note.net/2018/12/31/edit-firewall-rule-scope-with-powershell/
.INPUTS
Microsoft.Management.Infrastructure.CimInstance#root/standardcimv2/MSFT_NetAddressFilter
.OUTPUTS
None
.NOTES
You need to be Administator to manage the firewall.
#>
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true,
            Mandatory = $True)]
        [psobject]$fwAddressFilter,

        # Parameter help description
        [Parameter(Position = 0,
            Mandatory = $True,
            HelpMessage = "Enter one or more IP Addresses.")]
        [string[]]$IPAddresses
    )

    process {
        try {
            #Get the current list of remote addresses
            [string[]]$remoteAddresses = $fwAddressFilter.RemoteAddress
            Write-Verbose -Message "Current address filter contains: $remoteAddresses"

            #Add new ip address to the current list
            if ($remoteAddresses -in 'Any', 'LocalSubnet', 'LocalSubnet6', 'PlayToDevice') {
                $remoteAddresses = $IPAddresses
            }
            else {
                $remoteAddresses += $IPAddresses
            }
            #set new address filter
            $fwAddressFilter | Set-NetFirewallAddressFilter -RemoteAddress $remoteAddresses -ErrorAction Stop
            Write-Verbose -Message "New remote address filter is set to: $remoteAddresses"
        }
        catch {
            $PSCmdlet.ThrowTerminatingError($PSitem)
        }
    }
}

$current=Get-NetFirewallRule -DisplayName 'blacklist' | Get-NetFirewallAddressFilter 
$lists=$current | select -ExpandProperty RemoteAddress

foreach($i in $ip){

    if ($lists -contains $i){

        Write-Host "$i is already in the scope of blacklist" -ForegroundColor Green
    }
    else{

        $current | Add-MvaNetFirewallRemoteAdressFilter -IPAddresses $i   

    }

}

这样一个临时的绷带疗法就搞定了,稍后需要配置一个新的路由器去替代对方的老古董