Windows 10/Windows 11 Remote Access Vulnerability Analysis and Trace Detection

Windows 11 remote access vulnerabilities and methods
Windows 11 has a number of vulnerabilities and methods that could be exploited to gain remote access. The main ones are:

  1. RDP (Remote Desktop Protocol) exploitation
    CVE-2022-21893 - Remote Desktop Services elevation-of-privilege vulnerability
    CVE-2021-34527 (PrintNightmare) - RCE through the print service
    Weak-credential attacks - brute force, or default/weak passwords
  2. SMB protocol vulnerabilities
    CVE-2021-36942 - SMB server information disclosure vulnerability
    EternalBlue variants - against unpatched systems
  3. WinRM (Windows Remote Management) vulnerabilities
    CVE-2021-38666 - WinRM remote code execution vulnerability
    Credential relay attacks - abusing misconfigured WinRM services
  4. WMI (Windows Management Instrumentation) abuse
    WMI persistence - attackers create WMI event subscriptions to persist on the host
    CVE-2021-24084 - WMI service denial-of-service vulnerability
  5. Other service vulnerabilities
    LLMNR/NBT-NS spoofing - attacks through the name resolution protocols
    RPC vulnerabilities - multiple vulnerabilities in remote procedure call interfaces
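
The WMI persistence item above only says that attackers create event subscriptions; what a responder needs to see is which filter fires which consumer and what that consumer runs. The following is an added example (not code from the original post, and separate from the detection script that follows) that walks every __FilterToConsumerBinding in root\subscription and prints the filter query next to the consumer payload. It uses Get-CimInstance so it runs on both Windows PowerShell 5.1 and PowerShell 7, and it assumes, as the CIM cmdlets return them, that the binding's Filter and Consumer reference properties expose the key property Name. Reading root\subscription normally requires an elevated session.

```powershell
# Added example: triage of WMI permanent event subscriptions (defender view).
function Get-WmiSubscriptionTriage {
    [CmdletBinding()]
    param([string]$Namespace = 'root\subscription')

    # Index filters by Name so each binding can be resolved without a second query.
    $filters = @{}
    Get-CimInstance -Namespace $Namespace -ClassName __EventFilter -ErrorAction SilentlyContinue |
        ForEach-Object { $filters[$_.Name] = $_ }

    # The standard consumer classes; the first two are the ones that execute content.
    $consumerClasses = 'CommandLineEventConsumer', 'ActiveScriptEventConsumer',
                       'LogFileEventConsumer', 'NTEventLogEventConsumer', 'SMTPEventConsumer'
    $consumers = @{}
    foreach ($class in $consumerClasses) {
        Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object { $consumers[$_.Name] = $_ }
    }

    # A filter or consumer on its own does nothing; the binding is what makes it fire.
    Get-CimInstance -Namespace $Namespace -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue |
        ForEach-Object {
            $filter   = $filters[$_.Filter.Name]        # assumes .Name is exposed on the reference
            $consumer = $consumers[$_.Consumer.Name]
            $class    = if ($consumer) { $consumer.CimClass.CimClassName } else { 'unknown' }

            # Show what the consumer actually does, which is what an analyst has to read.
            $payload = switch ($class) {
                'CommandLineEventConsumer'  { $consumer.CommandLineTemplate }
                'ActiveScriptEventConsumer' { $consumer.ScriptText }
                default                     { '' }
            }

            [PSCustomObject]@{
                Binding  = "$($_.Filter.Name) -> $($_.Consumer.Name)"
                Query    = if ($filter) { $filter.Query } else { 'filter not found' }
                Consumer = $class
                Payload  = $payload
                # Code-executing consumers are rated critical; the rest still deserve a look.
                Severity = if ($class -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') { 'Critical' } else { 'Warning' }
            }
        }
}

Get-WmiSubscriptionTriage | Format-List
```

On a clean workstation this returns nothing at all, so any output is worth reading; the Query column tells you the trigger (a timer, a process start, a logon), and Payload is the command or script that trigger launches.
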
<#
.SYNOPSIS
Detects traces of remote access on a Windows system and generates an HTML report

.DESCRIPTION
This script checks the system for traces left by the various remote access methods, including RDP, SMB, WinRM and WMI activity,
and exports the results to an HTML file on the desktop.

.NOTES
File name: RemoteAccessForensics.ps1
Author: Security Analyst
Created: 2025-11-13
Most checks (the Security log, SMB sessions, the root\subscription namespace) only return data from an elevated session.
#>

# Warn early when not elevated: the Security log, Get-SmbSession and the WMI
# subscription namespace all come back empty without administrator rights, and
# the -ErrorAction SilentlyContinue used below would otherwise hide that.
$isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { Write-Warning "Not running as administrator; several checks will report nothing." }

# Initialise the HTML report
$reportPath = "$env:USERPROFILE\Desktop\RemoteAccessForensics_Report_$(Get-Date -Format 'yyyyMMdd_HHmmss').html"
$htmlHeader = @"
<!DOCTYPE html>
<html>
<head>
    <title>Windows远程访问痕迹分析报告</title>
    <style>
        body { font-family: Arial, sans-serif; margin: 20px; }
        h1 { color: #0066cc; }
        h2 { color: #0099cc; margin-top: 20px; border-bottom: 1px solid #ddd; padding-bottom: 5px; }
        table { border-collapse: collapse; width: 100%; margin-bottom: 20px; }
        th { background-color: #0066cc; color: white; text-align: left; padding: 8px; }
        td { border: 1px solid #ddd; padding: 8px; }
        tr:nth-child(even) { background-color: #f2f2f2; }
        .critical { background-color: #ffcccc; }
        .warning { background-color: #ffffcc; }
        .info { background-color: #ccffcc; }
    </style>
</head>
<body>
    <h1>Windows远程访问痕迹分析报告</h1>
    <p>生成时间: $(Get-Date)</p>
    <p>计算机名: $env:COMPUTERNAME</p>
"@
 
# 1. Check for RDP traces
$rdpResults = @()
$rdpEvents = Get-WinEvent -LogName "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue
# Security events 4624/4625 cover every logon type (console, network, service...).
# Keep only RemoteInteractive (LogonType 10), which is what an RDP session
# produces, so the count really is RDP logons. Fetch a larger window of events
# first, because the filter runs after -MaxEvents is applied.
$rdpLoginEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddDays(-30)} -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object {
        $logonType = ([xml]$_.ToXml()).Event.EventData.Data | Where-Object Name -eq 'LogonType'
        $logonType.'#text' -eq '10'
    }
 
$rdpResults += [PSCustomObject]@{
    "检查项" = "RDP事件日志"
    "结果" = if ($rdpEvents) { "$($rdpEvents.Count)条RDP相关事件找到" } else { "未找到RDP事件日志或未安装远程桌面服务" }
    "状态" = if ($rdpEvents) { "警告" } else { "信息" }
}
 
$rdpResults += [PSCustomObject]@{
    "检查项" = "RDP登录事件"
    "结果" = if ($rdpLoginEvents) { "$($rdpLoginEvents.Count)条RDP登录事件找到" } else { "未找到RDP登录事件" }
    "状态" = if ($rdpLoginEvents) { "警告" } else { "信息" }
}
 
# Check for RDP bitmap cache files (written by the client when this host connected out to another machine)
$rdpCache = Get-ChildItem "$env:USERPROFILE\AppData\Local\Microsoft\Terminal Server Client\Cache" -ErrorAction SilentlyContinue 
$rdpResults += [PSCustomObject]@{
    "检查项" = "RDP缓存文件"
    "结果" = if ($rdpCache) { "找到RDP缓存文件" } else { "未找到RDP缓存文件" }
    "状态" = if ($rdpCache) { "警告" } else { "信息" }
}
 
# 2. Check for SMB traces
$smbResults = @()
$smbSessions = Get-SmbSession -ErrorAction SilentlyContinue 
$smbShareEvents = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=5140; StartTime=(Get-Date).AddDays(-30)} -MaxEvents 50 -ErrorAction SilentlyContinue 
 
$smbResults += [PSCustomObject]@{
    "检查项" = "当前SMB会话"
    "结果" = if ($smbSessions) { "$($smbSessions.Count)个活跃SMB会话" } else { "无活跃SMB会话" }
    "状态" = if ($smbSessions) { "警告" } else { "信息" }
}
 
$smbResults += [PSCustomObject]@{
    "检查项" = "SMB共享访问事件"
    "结果" = if ($smbShareEvents) { "$($smbShareEvents.Count)条SMB共享访问事件" } else { "未找到SMB共享访问事件" }
    "状态" = if ($smbShareEvents) { "警告" } else { "信息" }
}
 
# 3. Check for WinRM traces
$winrmResults = @()
$winrmEvents = Get-WinEvent -LogName "Microsoft-Windows-WinRM/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue 
$winrmConfig = winrm get winrm/config 2>&1
 
$winrmResults += [PSCustomObject]@{
    "检查项" = "WinRM事件日志"
    "结果" = if ($winrmEvents) { "$($winrmEvents.Count)条WinRM相关事件找到" } else { "未找到WinRM事件日志或WinRM未启用" }
    "状态" = if ($winrmEvents) { "警告" } else { "信息" }
}
 
$winrmResults += [PSCustomObject]@{
    "检查项" = "WinRM配置"
    "结果" = if ($winrmConfig -like "*Error*") { "WinRM可能未配置" } else { "WinRM已配置" }
    "状态" = if ($winrmConfig -like "*Error*") { "信息" } else { "警告" }
}
 
# 4. Check for WMI traces
$wmiResults = @()
$wmiEvents = Get-WinEvent -LogName "Microsoft-Windows-WMI-Activity/Operational" -MaxEvents 50 -ErrorAction SilentlyContinue
# Get-WmiObject does not exist in PowerShell 7; Get-CimInstance works in both
# Windows PowerShell 5.1 and PowerShell 7. root\subscription needs an elevated session.
$wmiSubscriptions = Get-CimInstance -Namespace root\subscription -ClassName __EventFilter -ErrorAction SilentlyContinue
 
$wmiResults += [PSCustomObject]@{
    "检查项" = "WMI活动事件"
    "结果" = if ($wmiEvents) { "$($wmiEvents.Count)条WMI活动事件找到" } else { "未找到WMI活动事件" }
    "状态" = if ($wmiEvents) { "警告" } else { "信息" }
}
 
$wmiResults += [PSCustomObject]@{
    "检查项" = "WMI事件订阅"
    "结果" = if ($wmiSubscriptions) { "$($wmiSubscriptions.Count)个WMI事件订阅找到" } else { "未找到WMI事件订阅" }
    "状态" = if ($wmiSubscriptions) { "严重" } else { "信息" }
}
 
# Generate the HTML report. ConvertTo-Html -Fragment emits a bare <table> and
# untagged rows, so the .critical/.warning/.info rules in the style sheet were
# never applied; this helper tags each table with its section class and each
# row with a class derived from the status column.
function ConvertTo-StatusTable {
    param([object[]]$Results, [string]$TableClass)
    $table = ($Results | ConvertTo-Html -Fragment) -join "`n"
    $table = $table -replace '<table>', "<table class=`"$TableClass`">"
    # Row layout is <tr><td>check</td><td>result</td><td>status</td></tr>; match on the third cell.
    $table = $table -replace '<tr>(?=(?:<td>[^<]*</td>){2}<td>严重</td>)', '<tr class="critical">'
    $table = $table -replace '<tr>(?=(?:<td>[^<]*</td>){2}<td>警告</td>)', '<tr class="warning">'
    $table = $table -replace '<tr>(?=(?:<td>[^<]*</td>){2}<td>信息</td>)', '<tr class="info">'
    return $table
}

$htmlBody = @"
    <h2>RDP远程访问痕迹</h2>
    $(ConvertTo-StatusTable -Results $rdpResults -TableClass 'rdp-table')

    <h2>SMB共享访问痕迹</h2>
    $(ConvertTo-StatusTable -Results $smbResults -TableClass 'smb-table')

    <h2>WinRM远程管理痕迹</h2>
    $(ConvertTo-StatusTable -Results $winrmResults -TableClass 'winrm-table')

    <h2>WMI活动痕迹</h2>
    $(ConvertTo-StatusTable -Results $wmiResults -TableClass 'wmi-table')

    <h2>建议</h2>
    <ul>
        <li>定期检查系统日志中的异常登录活动</li>
        <li>确保所有远程访问服务使用强认证机制</li>
        <li>禁用不必要的远程访问服务</li>
        <li>保持系统更新以修补已知漏洞</li>
        <li>监控异常WMI事件订阅</li>
    </ul>
"@
 
$htmlFooter = @"
</body>
</html>
"@
 
# Combine the HTML parts and save them to the file
$htmlContent = $htmlHeader + $htmlBody + $htmlFooter 
$htmlContent | Out-File -FilePath $reportPath -Encoding UTF8
 
Write-Host "报告已生成: $reportPath" -ForegroundColor Green
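
The script above reports how many logon events were found; a responder then needs to know who logged on from where and whether a burst of failures preceded a success. The following is an added example, not code from the original post, that parses Security 4624/4625 events into objects and summarises RDP activity per source address. The event XML at the bottom is constructed for the demonstration and mimics the shape Get-WinEvent's ToXml() returns; the commented live query applies the same parser to the real Security log. The failure heuristic (counting LogonType 3 failures as RDP-related when NLA is on) is a judgement call, labelled as such in the code.

```powershell
# Added example: per-source RDP logon summary from Security events 4624/4625.
function ConvertFrom-LogonEventXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $x = [xml]$EventXml
    # EventID comes back as a plain string unless the element carries a Qualifiers attribute.
    $idNode = $x.Event.System.EventID
    $id = if ($idNode -is [System.Xml.XmlElement]) { $idNode.InnerText } else { $idNode }
    # EventData is a list of <Data Name="...">value</Data>; turn it into a lookup table.
    $data = @{}
    foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [PSCustomObject]@{
        Time        = [datetime]$x.Event.System.TimeCreated.SystemTime
        EventId     = [int]$id
        TargetUser  = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
        LogonType   = [int]$data['LogonType']
        SourceIp    = $data['IpAddress']
        Workstation = $data['WorkstationName']
    }
}

function Get-RdpLogonSummary {
    param([object[]]$Events, [int]$FailureThreshold = 5)
    # A successful RDP session logs 4624 with LogonType 10 (RemoteInteractive).
    # With NLA enabled a failed RDP attempt is logged as 4625 with LogonType 3,
    # because CredSSP authenticates before any session exists, so failures of
    # type 3 and 10 are both counted. This is a heuristic: type 3 failures also
    # come from SMB and other network logons.
    $rdp = $Events | Where-Object {
        ($_.EventId -eq 4624 -and $_.LogonType -eq 10) -or
        ($_.EventId -eq 4625 -and $_.LogonType -in 3, 10)
    }
    $rdp | Group-Object SourceIp | ForEach-Object {
        $succeeded = @($_.Group | Where-Object EventId -eq 4624).Count
        $failed    = @($_.Group | Where-Object EventId -eq 4625).Count
        $accounts  = ($_.Group | Select-Object -ExpandProperty TargetUser | Sort-Object -Unique) -join ', '
        $finding   = if ($failed -ge $FailureThreshold -and $succeeded -gt 0) { 'Critical: repeated failures and a success from the same address' }
                     elseif ($failed -ge $FailureThreshold) { 'Warning: repeated failures' }
                     elseif ($succeeded -gt 0) { 'Info: review session' }
                     else { 'Info' }
        [PSCustomObject]@{
            SourceIp  = $_.Name
            Accounts  = $accounts
            Succeeded = $succeeded
            Failed    = $failed
            Finding   = $finding
        }
    }
}

function New-SampleLogonXml {
    # Builds a minimal Security event for the demo (constructed data, not a real log).
    param([int]$Id, [string]$User, [int]$Type, [string]$Ip, [string]$Time)
    @"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>$Id</EventID>
  <TimeCreated SystemTime="$Time"/><Channel>Security</Channel><Computer>WS01</Computer></System>
  <EventData><Data Name="TargetUserName">$User</Data><Data Name="TargetDomainName">CORP</Data>
  <Data Name="LogonType">$Type</Data><Data Name="IpAddress">$Ip</Data><Data Name="WorkstationName">LAPTOP7</Data></EventData>
</Event>
"@
}

# Constructed sample: five NLA-style failures then a success from 203.0.113.9,
# one ordinary RDP session from 10.0.0.20, and a type 3 network logon that is not RDP.
$xml = @(1..5 | ForEach-Object { New-SampleLogonXml -Id 4625 -User 'admin' -Type 3 -Ip '203.0.113.9' -Time "2025-11-13T08:00:0${_}Z" })
$xml += New-SampleLogonXml -Id 4624 -User 'alice' -Type 10 -Ip '203.0.113.9' -Time '2025-11-13T08:03:00Z'
$xml += New-SampleLogonXml -Id 4624 -User 'bob'   -Type 10 -Ip '10.0.0.20'   -Time '2025-11-13T09:00:00Z'
$xml += New-SampleLogonXml -Id 4624 -User 'svc'   -Type 3  -Ip '10.0.0.30'   -Time '2025-11-13T09:10:00Z'

$events = $xml | ForEach-Object { ConvertFrom-LogonEventXml $_ }
Get-RdpLogonSummary -Events $events | Format-Table -AutoSize

# Same parser over the real Security log (elevated session required):
# $live = Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624,4625; StartTime=(Get-Date).AddDays(-30)} -ErrorAction SilentlyContinue |
#     ForEach-Object { ConvertFrom-LogonEventXml $_.ToXml() }
# Get-RdpLogonSummary -Events $live | Format-Table -AutoSize
```

By the code's own rules the constructed sample yields one Critical row for 203.0.113.9, an Info row for 10.0.0.20, and nothing for 10.0.0.30, since a successful type 3 logon is excluded. Splitting the parser from the summary is deliberate: the parser can be exercised on saved or exported events, and the summary's threshold and logon-type rules are the part you will tune per environment.
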