A NuGet repository (for example PSGallery) is clearly a remote system. Why do scripts installed from there have no Zone.Identifier stream?
PS C:\> Find-Script -Repository PSGallery -Name Test-RPC | Install-Script -Scope CurrentUser
Untrusted repository
You are installing the scripts from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the
Set-PSRepository cmdlet. Are you sure you want to install the scripts from 'https://www.powershellgallery.com/api/v2'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
PS C:\> Get-Item -Path $Env:USERPROFILE\Documents\WindowsPowerShell\Scripts\Test-RPC.ps1 -Stream *
PSPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\lit\Documents\WindowsPowerShell\Scripts\Test-RPC.ps1::$DATA
PSParentPath : Microsoft.PowerShell.Core\FileSystem::C:\Users\lit\Documents\WindowsPowerShell\Scripts
PSChildName : Test-RPC.ps1::$DATA
PSDrive : C
PSProvider : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName : C:\Users\lit\Documents\WindowsPowerShell\Scripts\Test-RPC.ps1
Stream : :$DATA
Length : 7771
The questions are:
How can I ensure that users with an ExecutionPolicy of RemoteSigned are required to use signatures? How does PowerShell know that it is a remote file when there is no Zone.Identifier stream?
Is there any reason a package provider, especially an untrusted one, should not create a Zone.Identifier stream?
Accepted answer
Continuing from my comment.
Clear-Host
$Url    = 'https://www.powershellgallery.com/packages/Test-RPC/1.0/Content/Test-RPC.ps1'
$output = 'C:\Temp\Test-RPC.ps1'

# Report whether the downloaded file carries a Zone.Identifier (Mark-of-the-Web) stream.
$ValidateFile = {
    Try {
        Get-Item -Path $output -Stream Zone.Identifier -ErrorAction Stop
    }
    Catch [System.Exception] {
        Write-Warning -Message 'Error'
        $PSItem.Exception.Message
    }
}

# 1. Invoke-WebRequest
Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
Invoke-WebRequest -Uri $Url -OutFile $output
& $ValidateFile    # this check was not run in the original test; the results below start with step 2

# 2. WebClient instance
Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
$wc = New-Object System.Net.WebClient
$wc.DownloadFile($Url, $output)
& $ValidateFile

# 3. WebClient inline
Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
(New-Object System.Net.WebClient).DownloadFile($Url, $output)
& $ValidateFile

# 4. BITS, synchronous
Import-Module -Name BitsTransfer
Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
Start-BitsTransfer -Source $Url -Destination $output
& $ValidateFile

# 5. BITS, asynchronous: the job is still connecting when the check runs, so the file does not exist yet
Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
Start-BitsTransfer -Source $Url -Destination $output -Asynchronous
& $ValidateFile
# Results
<#
WARNING: Error
Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Temp\Test-RPC.ps1'.
WARNING: Error
Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Temp\Test-RPC.ps1'.
WARNING: Error
Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Temp\Test-RPC.ps1'.
WARNING: Error
JobId DisplayName TransferType JobState OwnerAccount
----- ----------- ------------ -------- ------------
f5f04c93-4247-4095-8d9a-587b26d64d26 BITS Transfer Download Connecting 570A5E12-BA93-4\WDAGUtilityAccount
Cannot find path 'C:\Temp\Test-RPC.ps1' because it does not exist.
#>
Doing the above download with the real curl.exe also does not add the Internet ADS tag. Download curl.exe manually through a browser:
https://curl.se/windows
Check the ADS data; note that the internet tag is there.
Download with the real curl.exe, from cmd.exe:
curl.exe -O https://curl.se/windows/dl-7.76.0/curl-7.76.0-win64-mingw.zip
Check the ADS data; note that the internet tag is not there.
Finally, as for this...
"How can I ensure that users with ExecutionPolicy of RemoteSigned ..."
As MSFT has documented and publicly stated, the EP is not a security boundary, and it was never designed to be one.
RemoteSigned ExecutionPolicy:
• Allows scripts to run
• Requires that all scripts downloaded from the Internet must be digitally signed by a publisher you specified as trusted. This includes scripts received via email and instant messaging platforms.
• Will not require digital signing of scripts written on a local computer
• May allow running of malicious scripts from other sources
They exist to prevent accidental code execution. The EP is easily bypassed, and that is fully documented and demonstrated:
15 Ways to Bypass the PowerShell Execution Policy: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy
Detecting Offensive PowerShell Attack Tools: https://adsecurity.org/?p=2604
Anyone can open any script in ISE/VSCode etc., select all, and hit run; the EP has no control over that. The EP applies to running scripts by name, meaning invoking them from the console host, scheduled tasks, and so on.
Nothing stops a user from opening a script, deleting the signature block, saving the script under a new name and running it, or creating a blank script, copying the content from the signed script, saving it and running it.
PowerShell risk management / security controls / mitigations are all the normal network/client stuff, plus everything about full enterprise logging, auditing, and early alerting/discovery of anomalies with an effective response.
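The script in the answer only reports whether a Zone.Identifier stream exists. As an added example (not code from the question or the answer), the function below goes a step further from the defender's side: it audits a folder of installed scripts for the Mark-of-the-Web and for an Authenticode signature, reports which files RemoteSigned would actually treat as remote, and can optionally stamp ZoneId=3 onto unmarked files so that scripts fetched by Install-Script or WebClient get the same signature requirement a browser download would. The function name, the parameter names, and the folder path in the usage lines are assumptions.

```powershell
# Added example, not part of the question or the accepted answer. Audits .ps1 files
# under a folder for a Zone.Identifier (Mark-of-the-Web) stream and an Authenticode
# signature, and optionally stamps ZoneId=3 (Internet) on unmarked files so that
# RemoteSigned applies the signature requirement the repository download skipped.
function Get-ScriptTrustReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # When set, write a Mark-of-the-Web onto files that have none.
        [switch]$MarkAsInternet
    )

    Get-ChildItem -Path $Path -Filter *.ps1 -File -Recurse | ForEach-Object {
        $file   = $_
        $zoneId = $null

        # Zone.Identifier is an alternate data stream; a missing stream is exactly what
        # makes PowerShell treat the file as local under RemoteSigned.
        $ads = Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
        foreach ($line in @($ads)) {
            if ($line -match '^ZoneId=(\d+)') { $zoneId = [int]$Matches[1]; break }
        }

        if ($MarkAsInternet -and $null -eq $zoneId) {
            # Minimal Mark-of-the-Web: ZoneId 3 = URLZONE_INTERNET.
            Set-Content -Path $file.FullName -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
            $zoneId = 3
        }

        # Internet (3) and Untrusted (4) are the zones RemoteSigned treats as remote.
        $isRemote = ($null -ne $zoneId) -and ($zoneId -ge 3)

        # Signature status: Valid, NotSigned, HashMismatch, UnknownError, ...
        $sig    = Get-AuthenticodeSignature -FilePath $file.FullName
        $signer = $null
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

        [pscustomobject]@{
            File                  = $file.FullName
            ZoneId                = $zoneId
            TreatedAsRemote       = $isRemote
            SignatureStatus       = $sig.Status
            Signer                = $signer
            BlockedByRemoteSigned = $isRemote -and ($sig.Status -ne 'Valid')
        }
    }
}

# Usage (folder path is an assumption): report first, then mark unmarked files if wanted.
Get-ScriptTrustReport -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Scripts" | Format-Table -AutoSize
# Get-ScriptTrustReport -Path "$env:USERPROFILE\Documents\WindowsPowerShell\Scripts" -MarkAsInternet
```

Run it once without -MarkAsInternet to see the current state; for a script installed from PSGallery as in the question, ZoneId is empty and TreatedAsRemote is False, which is why RemoteSigned runs it unsigned. After -MarkAsInternet the same file shows ZoneId 3, and an unsigned one becomes BlockedByRemoteSigned. Keep in mind that this only restores the RemoteSigned check; as the answer says, the execution policy is not a security boundary, and Unblock-File removes the mark again in one call, so the stamp is a guard against accidental execution, not against a determined user.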
Related question on Stack Overflow, "powershell - Why do scripts from PSGallery not have a Zone.Identifier stream?": https://stackoverflow.com/questions/66925403/