Windows 11 Remote Access Vulnerabilities and Methods
Windows 11 has several vulnerabilities and methods that can be exploited to gain remote access. The main ones are:
- RDP (Remote Desktop Protocol) exploitation
  - CVE-2022-21893 - Remote Desktop Services elevation of privilege vulnerability
  - CVE-2021-34527 (PrintNightmare) - RCE through the Print Spooler service
  - Weak credential attacks - brute force, or default/weak passwords
- SMB protocol vulnerabilities
  - CVE-2021-36942 - SMB server information disclosure vulnerability
  - EternalBlue variants - against unpatched systems
- WinRM (Windows Remote Management) vulnerabilities
  - CVE-2021-38666 - WinRM remote code execution vulnerability
  - Credential relay attacks - exploiting misconfigured WinRM services
- WMI (Windows Management Instrumentation) abuse
  - WMI persistence - attackers create WMI event subscriptions to persist
  - CVE-2021-24084 - WMI service denial-of-service vulnerability
- Other service vulnerabilities
  - LLMNR/NBT-NS spoofing - attacks through the name resolution protocols
  - RPC vulnerabilities - multiple vulnerabilities in remote procedure call interfaces
```powershell
#Requires -RunAsAdministrator
<#
.SYNOPSIS
Detects traces of remote access on a Windows system and generates an HTML report.
.DESCRIPTION
This script checks the system for traces of the various remote access methods,
including RDP, SMB, WinRM and WMI activity, and exports the results to an HTML
file on the desktop. Reading the Security log requires an elevated session,
which is why the script requires administrator rights.
.NOTES
File name: RemoteAccessForensics.ps1
Author: Security Analyst
Created: 2025-11-13
#>
# Initialize the HTML report
$reportPath = "$env:USERPROFILE\Desktop\RemoteAccessForensics_Report_$(Get-Date -Format 'yyyyMMdd_HHmmss').html"
$htmlHeader = @"
<!DOCTYPE html>
<html>
<head>
<title>Windows远程访问痕迹分析报告</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
h1 { color: #0066cc; }
h2 { color: #0099cc; margin-top: 20px; border-bottom: 1px solid #ddd; padding-bottom: 5px; }
table { border-collapse: collapse; width: 100%; margin-bottom: 20px; }
th { background-color: #0066cc; color: white; text-align: left; padding: 8px; }
td { border: 1px solid #ddd; padding: 8px; }
tr:nth-child(even) { background-color: #f2f2f2; }
.critical { background-color: #ffcccc; }
.warning { background-color: #ffffcc; }
.info { background-color: #ccffcc; }
</style>
</head>
<body>
<h1>Windows远程访问痕迹分析报告</h1>
<p>生成时间: $(Get-Date)</p>
<p>计算机名: $env:COMPUTERNAME</p>
"@
# 1. Check RDP traces
$rdpResults = @()
$rdpEvents = Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue
# Only logon type 10 (RemoteInteractive) is an RDP logon. The logon type sits at
# property index 8 in event 4624 and index 10 in event 4625; without this filter
# every local, service and network logon of the last 30 days would be counted as RDP.
$rdpLoginEvents = @(Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddDays(-30)} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { ($_.Id -eq 4624 -and $_.Properties[8].Value -eq 10) -or ($_.Id -eq 4625 -and $_.Properties[10].Value -eq 10) })
$rdpResults += [PSCustomObject]@{
"检查项" = "RDP事件日志"
"结果" = if ($rdpEvents) { "$($rdpEvents.Count)条RDP相关事件找到" } else { "未找到RDP事件日志或未安装远程桌面服务" }
"状态" = if ($rdpEvents) { "警告" } else { "信息" }
}
$rdpResults += [PSCustomObject]@{
"检查项" = "RDP登录事件"
"结果" = if ($rdpLoginEvents) { "$($rdpLoginEvents.Count)条RDP登录事件找到" } else { "未找到RDP登录事件" }
"状态" = if ($rdpLoginEvents) { "警告" } else { "信息" }
}
# Check the RDP client bitmap cache (evidence of outbound RDP sessions from this host)
$rdpCache = Get-ChildItem "$env:USERPROFILE\AppData\Local\Microsoft\Terminal Server Client\Cache" -ErrorAction SilentlyContinue
$rdpResults += [PSCustomObject]@{
"检查项" = "RDP缓存文件"
"结果" = if ($rdpCache) { "找到RDP缓存文件" } else { "未找到RDP缓存文件" }
"状态" = if ($rdpCache) { "警告" } else { "信息" }
}
# 2. Check SMB traces
$smbResults = @()
$smbSessions = Get-SmbSession -ErrorAction SilentlyContinue
# Event 5140 (network share object accessed) requires "Audit File Share" to be enabled
$smbShareEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5140; StartTime=(Get-Date).AddDays(-30)} -MaxEvents 50 -ErrorAction SilentlyContinue
$smbResults += [PSCustomObject]@{
"检查项" = "当前SMB会话"
"结果" = if ($smbSessions) { "$($smbSessions.Count)个活跃SMB会话" } else { "无活跃SMB会话" }
"状态" = if ($smbSessions) { "警告" } else { "信息" }
}
$smbResults += [PSCustomObject]@{
"检查项" = "SMB共享访问事件"
"结果" = if ($smbShareEvents) { "$($smbShareEvents.Count)条SMB共享访问事件" } else { "未找到SMB共享访问事件" }
"状态" = if ($smbShareEvents) { "警告" } else { "信息" }
}
# 3. Check WinRM traces
$winrmResults = @()
$winrmEvents = Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue
# winrm.cmd writes a WSManFault containing "Error" when the service is not listening
$winrmConfig = winrm get winrm/config 2>&1
$winrmResults += [PSCustomObject]@{
"检查项" = "WinRM事件日志"
"结果" = if ($winrmEvents) { "$($winrmEvents.Count)条WinRM相关事件找到" } else { "未找到WinRM事件日志或WinRM未启用" }
"状态" = if ($winrmEvents) { "警告" } else { "信息" }
}
$winrmResults += [PSCustomObject]@{
"检查项" = "WinRM配置"
"结果" = if ($winrmConfig -like "*Error*") { "WinRM可能未配置" } else { "WinRM已配置" }
"状态" = if ($winrmConfig -like "*Error*") { "信息" } else { "警告" }
}
# 4. Check WMI traces
$wmiResults = @()
$wmiEvents = Get-WinEvent -LogName "Microsoft-Windows-WMI-Activity/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue
# Get-CimInstance replaces the deprecated Get-WmiObject and also works in PowerShell 7
$wmiSubscriptions = @(Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue)
$wmiResults += [PSCustomObject]@{
"检查项" = "WMI活动事件"
"结果" = if ($wmiEvents) { "$($wmiEvents.Count)条WMI活动事件找到" } else { "未找到WMI活动事件" }
"状态" = if ($wmiEvents) { "警告" } else { "信息" }
}
$wmiResults += [PSCustomObject]@{
"检查项" = "WMI事件订阅"
"结果" = if ($wmiSubscriptions) { "$($wmiSubscriptions.Count)个WMI事件订阅找到" } else { "未找到WMI事件订阅" }
"状态" = if ($wmiSubscriptions) { "严重" } else { "信息" }
}
# Generate the HTML report body
$htmlBody = @"
<h2>RDP远程访问痕迹</h2>
$(($rdpResults | ConvertTo-Html -Fragment) -replace '<table>','<table class="rdp-table">')
<h2>SMB共享访问痕迹</h2>
$(($smbResults | ConvertTo-Html -Fragment) -replace '<table>','<table class="smb-table">')
<h2>WinRM远程管理痕迹</h2>
$(($winrmResults | ConvertTo-Html -Fragment) -replace '<table>','<table class="winrm-table">')
<h2>WMI活动痕迹</h2>
$(($wmiResults | ConvertTo-Html -Fragment) -replace '<table>','<table class="wmi-table">')
<h2>建议</h2>
<ul>
<li>定期检查系统日志中的异常登录活动</li>
<li>确保所有远程访问服务使用强认证机制</li>
<li>禁用不必要的远程访问服务</li>
<li>保持系统更新以修补已知漏洞</li>
<li>监控异常WMI事件订阅</li>
</ul>
"@
$htmlFooter = @"
</body>
</html>
"@
# Combine the HTML parts and save to file
$htmlContent = $htmlHeader + $htmlBody + $htmlFooter
$htmlContent | Out-File -FilePath $reportPath -Encoding UTF8
Write-Host "报告已生成: $reportPath" -ForegroundColor Green
```
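The script above only counts `__EventFilter` instances, which on their own do nothing; the persistence technique named in the WMI item of the list is a filter bound to a consumer that executes a command or script. The following is an added example, not part of the original post, that resolves every `__FilterToConsumerBinding` in `root\subscription` to its filter query and consumer payload through CIM and flags the executing consumer classes for review. The function names `Get-WmiRefName` and `Get-WmiSubscriptionChain` are this example's own.

```powershell
# Resolve permanent WMI event subscriptions (filter -> consumer bindings) in
# root\subscription and flag consumers that execute commands or scripts.
# Function names are assumptions of this example, not the post's code.

function Get-WmiRefName {
    # Reference properties arrive as CimInstance objects from Get-CimInstance,
    # but as strings like __EventFilter.Name="x" on older WMI paths; handle both.
    param($Ref)
    if ($Ref -is [string]) { return ($Ref -split 'Name=')[-1].Trim('"') }
    return $Ref.Name
}

function Get-WmiSubscriptionChain {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    $filters   = @(Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue)
    # Querying the base class also returns the derived consumer instances
    $consumers = @(Get-CimInstance -Namespace $Namespace -ClassName __EventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        $filterName   = Get-WmiRefName $b.Filter
        $consumerName = Get-WmiRefName $b.Consumer
        $f = $filters   | Where-Object { $_.Name -eq $filterName }   | Select-Object -First 1
        $c = $consumers | Where-Object { $_.Name -eq $consumerName } | Select-Object -First 1

        # Only the executing consumer classes carry a payload worth reading
        $payload = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { $null }
        }

        [PSCustomObject]@{
            Filter        = $filterName
            Query         = $f.Query
            Consumer      = $consumerName
            ConsumerClass = $c.CimClass.CimClassName
            Payload       = $payload
            # A live filter bound to an executing consumer is the pattern to review
            Severity      = if ($payload) { 'critical' } else { 'info' }
        }
    }
}

# Usage: executing consumers sort first; review their Query and Payload
Get-WmiSubscriptionChain | Sort-Object Severity | Format-Table -AutoSize -Wrap
```

A clean machine typically shows only the built-in SCM event filter and consumer bindings; any `CommandLineEventConsumer` or `ActiveScriptEventConsumer` whose query triggers on logon, time or process events warrants investigation.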