powershell - 为什么来自 PSGallery 的脚本没有 Zone.Identifier 流？

Question

NuGet 存储库(例如 PSGallery)显然是一个远程系统。为什么从那里安装的脚本没有 Zone.Identifier 流？

PS C:\> Find-Script -Repository PSGallery -Name Test-RPC | Install-Script -Scope CurrentUser

Untrusted repository
You are installing the scripts from an untrusted repository. If you trust this repository, change its InstallationPolicy value by running the
Set-PSRepository cmdlet. Are you sure you want to install the scripts from 'https://www.powershellgallery.com/api/v2'?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y

PS C:\> Get-Item -Path $Env:USERPROFILE\Documents\WindowsPowerShell\Scripts\Test-RPC.ps1 -Stream *

PSPath        : Microsoft.PowerShell.Core\FileSystem::C:\Users\lit\Documents\WindowsPowerShell\Scripts\Test-RPC.ps1::$DATA
PSParentPath  : Microsoft.PowerShell.Core\FileSystem::C:\Users\lit\Documents\WindowsPowerShell\Scripts
PSChildName   : Test-RPC.ps1::$DATA
PSDrive       : C
PSProvider    : Microsoft.PowerShell.Core\FileSystem
PSIsContainer : False
FileName      : C:\Users\lit\Documents\WindowsPowerShell\Scripts\Test-RPC.ps1
Stream        : :$DATA
Length        : 7771

问题是:

如何确保具有 RemoteSigned 的 ExecutionPolicy 的用户需要使用签名？ PowerShell 如何知道它是一个没有 Zone.Identifier 流的远程文件？

包提供者，尤其是不受信任的包提供者，是否有任何理由不应创建 Zone.Identifier 流？

Answer 1

继续我的评论。

Clear-Host 

$Url          = 'https://www.powershellgallery.com/packages/Test-RPC/1.0/Content/Test-RPC.ps1'
$output       = 'C:\Temp\Test-RPC.ps1'
$ValidateFile = {
    Try {Get-Item -Path $output -Stream Zone.Identifier -ErrorAction Stop}
    Catch [System.Exception]
    {
        Write-Warning -Message 'Error'
        $PSItem.Exception.Message
    }
}


Remove-Item -Path $output -Force -ErrorAction SilentlyContinue

Invoke-WebRequest -Uri $url -OutFile $output

Remove-Item -Path $output -Force -ErrorAction SilentlyContinue

$wc = New-Object System.Net.WebClient
$wc.DownloadFile($url, $output)
& $ValidateFile

Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
(New-Object System.Net.WebClient).DownloadFile($url, $output)
& $ValidateFile

Import-Module -Name BitsTransfer

Remove-Item -Path $output -Force -ErrorAction SilentlyContinue

Start-BitsTransfer -Source $url -Destination $output
& $ValidateFile

Remove-Item -Path $output -Force -ErrorAction SilentlyContinue
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
& $ValidateFile
# Results
<#
WARNING: Error
Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Temp\Test-RPC.ps1'.
WARNING: Error
Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Temp\Test-RPC.ps1'.
WARNING: Error
Could not open the alternate data stream 'Zone.Identifier' of the file 'C:\Temp\Test-RPC.ps1'.

WARNING: Error
JobId                                DisplayName   TransferType JobState   OwnerAccount                      
-----                                -----------   ------------ --------   ------------                      
f5f04c93-4247-4095-8d9a-587b26d64d26 BITS Transfer Download     Connecting 570A5E12-BA93-4\WDAGUtilityAccount
Cannot find path 'C:\Temp\Test-RPC.ps1' because it does not exist.
#>

使用真正的 curl.exe 进行上述下载也不会添加 Internet ADS 标签。通过浏览器手动下载 curl.exe。

https://curl.se/windows

检查 ADS 数据，注意 internet 标签在那里。

使用真正的curl.exe下载，在cmd.exe中

curl.exe -O https://curl.se/windows/dl-7.76.0/curl-7.76.0-win64-mingw.zip

检查 ADS 数据，不是 internet 标签不存在。

最后，至于这个……

How can I ensure that users with ExecutionPolicy of RemoteSigned.

正如 MSFT 记录和公开声明的那样，EP 不是安全边界，而且这从来不是他们的设计。

RemoteSigned ExecutionPolicy:

• Allows scripts to run

• Requires that all scripts ***downloaded from the Internet*** must be ***digitally signed by a publisher you specified as trusted***. This includes scripts received via email and instant messaging platforms.

• Will not require digital signing of scripts written on a local computer

• May allow running of malicious scripts from other sources

它们的存在是为了防止意外的代码运行。 EP 很容易被绕过，而且也有完整的文档/演示

15 Ways to Bypass the PowerShell Execution Policy: https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy

Detecting Offensive PowerShell Attack Tools: https://adsecurity.org/?p=2604

可以在 ISE/VSCode 等中打开任何脚本，全选，然后点击运行，EP 无法控制它。 EP，用于按名称运行脚本，意思是从控制台主机调用，计划任务等。

没有什么能阻止用户打开脚本、删除信号 block 、用新名称保存脚本、运行它或创建空白脚本、从时钟脚本复制内容、保存并运行。

PowerShell 风险管理/安全控制/缓解是所有正常的网络/客户端内容，以及所有关于完整的企业日志记录、审计和早期警报/发现异常情况时的效果响应。