发布于 

一键Windows应急响应检测脚本

Winscan

一键Windows应急响应检测脚本

实现功能:


说明:运行本脚本需要管理员权限。

信息收集相关:

  • 操作系统信息
  • 系统补丁情况(*)
  • 系统账户和用户组(*)
  • 域密码策略
  • 管理员组
  • 用户上次登录时间
  • 重要的注册表项
  • RDP保存的凭证
  • 是否开启远程桌面服务
  • 本机共享列表(*)
  • 系统启动信息(*)
  • 已安装的反病毒软件
  • 防火墙配置(*)
  • Defender检测到的活动和过去的恶意软件威胁
  • 防火墙日志和系统日志evtx收集
  • 已安装软件(*)
  • 计划任务(*)
  • 服务状态(*)
  • 自启动服务
  • 自启动目录
  • 注册表启动项(*)
  • 网络连接(ipc$ 命名管道连接)
  • 是否启用Windows剪切板历史记录
  • 用户登录初始化、管理员自动登录
  • Logon Scripts
  • 屏幕保护程序
  • AppInit_DLLs
  • COM劫持(*)
  • shim数据库是否被劫持
  • 进程注入
  • exe文件启动相关注册表
  • Lsa
  • 映像劫持
  • 接受最终用户许可协议的程序
  • 安全模式启动相关注册表
  • powershell命令记录(*)
  • IE浏览器记录
  • certutil下载记录
  • 最近访问的文件(*)
  • “我的电脑、此电脑、计算机”的任意文件夹地址栏内的历史记录
  • 【运行】的历史记录
  • 网络连接情况(*)
  • DNS缓存记录(*)
  • 进程(*)
  • 系统日志是否开启

调查取证相关:

  • SAM、SECURITY、SYSTEM(*)
  • Sysmon 日志(*)
  • SRUM (System Resource Usage Monitor)(*)
  • MUICache(*)
  • ShimCache(*)
  • Prefetch(*)
  • 系统日志(*)

Winscan.bat

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
@echo off
color 0f
::call:colorys调用底部:colorys
::02为颜色设置,0指定输出文字背景颜色,2指定文字颜色
::输出不能包含符号 / : ? * " > < | \
cd %~dp0
for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A"
if not exist ./eventlog/ (md eventlog)
if not exist ./schtasks/ (md schtasks)
if not exist ./Prefetch/ (md Prefetch)
if not exist ./hive/ (md hive)
if not exist ./CryptnetURLCache/ (md CryptnetURLCache)
if exist out.html (del out.html)
::reg query HKLM\SAM\SAM\Domains\Account\Users\Names
call:colorys 0A "[+] 正在查询系统相关信息:"
@echo.
wmic OS get Caption,CSDVersion,OSArchitecture,Version
wmic computersystem list brief
call:colorys 0A "[+] 正在查询系统补丁情况,并写入文件:"
wmic qfe get Description,HotFixID,InstalledOn /format:"%var%" >> out.html
@echo.
call:colorys 0A "[+] 正在查询系统账户和用户组,并写入文件:"
@echo.
wmic UserAccount get name,description,sid,disabled
wmic UserAccount get Description,Disabled,LocalAccount,Lockout,Name,PasswordChangeable,PasswordExpires,PasswordRequired,SID,Status /format:"%var%" >> out.html
wmic group get Description,Domain,Name,SID,Status /format:"%var%" >> out.html
wmic volume get Label,DeviceID,DriveLetter,FileSystem,FreeSpace /format:"%var%" >> out.html
call:colorys 0A "[+] 正在检查域密码策略:"
@echo.
Net accounts /domain
@echo.
call:colorys 0A "[+] 检查管理员组:"
@echo.
net localgroup administrators
net group "domain admins" /domain
@echo.
call:colorys 0A "[+] 检查用户上次登录时间:"
@echo.
wmic netlogin get name,lastlogon,badpasswordcount
call:colorys 0A "[+] 检查重要的注册表项:"
@echo.
::SSP
reg query hklm\system\currentcontrolset\control\lsa /v "Security Packages"
::WDigest,1代表开启,0代表明文密码不会出现在内存中
reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential
@echo.
call:colorys 0A "[+] 检查RDP保存的凭证:"
@echo.
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s
reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s > rdp_certificate.txt
call:colorys 0A "[+] 检查是否开启远程桌面服务:"
::开启则返回0x00
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections
call:colorys 0A "[+] 检查本机共享列表,并写入文件:"
net share
Wmic share get name,path,status /format:"%var%" >> out.html
call:colorys 0A "[+] 检查系统启动信息,并写入文件:"
@echo.
wmic startup get command,caption,Location,User
wmic startup get command,caption,Location,User /format:"%var%" >> out.html
@echo.
call:colorys 0A "[+] 检查已安装反病毒软件:"
@echo.
wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe
@echo.
call:colorys 0A "[+] 检查防火墙配置,并写入文件:"
netsh firewall show config
netsh firewall show config > firewall_config.txt
@echo.
call:colorys 0A "[+] 检查Defender检测到的活动和过去的恶意软件威胁:"
@echo.
powershell Get-MpThreatDetection
call:colorys 0A "[+] 正在拷贝防火墙日志和evtx:"
@echo.
if exist %windir%\system32\logfiles\firewall\pfirewall.log (copy /Y %windir%\system32\logfiles\firewall\pfirewall.log)
copy /Y "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%%4Operational.evtx" .\eventlog\
@echo.
call:colorys 0A "[+] 检查已安装软件,并写入文件:"
@echo.
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName | findstr DisplayName
wmic PRODUCT get Description,InstallDate,InstallLocation,Vendor,Version /format:"%var%" >> out.html
@echo.
call:colorys 0A "[+] 检查计划任务,拷贝日志和计划任务文件"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree"
schtasks /query /fo LIST /v > .\schtasks\schtasks.txt
for %%i in (C:\Windows\System32\Tasks\*) do copy /Y %%i schtasks\
::for %%i in (C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskSche*) do copy /Y %%i schtasks\
copy /Y C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%%4Operational.evtx .\eventlog\
copy /Y C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%%4Security.evtx .\eventlog\
@echo.
call:colorys 0A "[+] 检查服务状态,并写入文件:"
powershell Get-Service
powershell $aa="gwmi win32_service | ft -Property Name, DisplayName, PathName, User, State > service.txt";$aa
wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html
call:colorys 0A "[+] 检查自启动服务:"
@echo.
::RunSrvicese:win7、win10、2012
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
reg query HKCU\SOFTWARE\Microsoft\Windows\Currention\RunOnce
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceVers
@echo.
call:colorys 0A "[+] 检查自启动目录:"
@echo.
dir /a "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"
dir /a "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
dir /a "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup"
@echo.
call:colorys 0A "[+] 检查注册表启动项,写入文件中:"
@echo.
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\run >qidong.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce >>qidong.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>qidong.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >>qidong.txt
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run >>qidong.txt
reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce >>qidong.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run >>qidong.txt
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run >>qidong.txt
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu >>qidong.txt
reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Load >>qidong.txt
@echo.
call:colorys 0A "[+] 检查网络连接(ipc$ 命名管道连接),并写入文件:"
@echo.
net use
wmic netuse get ConnectionState,Description,DisplayType,LocalName,Name,Persistent,RemoteName,ResourceType,Status,UserName /format:"%var%" >> out.html
call:colorys 0A "[+] 检查是否启用Windows剪切板历史记录:(0x1代表启用,适用Win10):"
@echo.
reg query HKEY_CURRENT_USER\Software\Microsoft\Clipboard /v EnableClipboardHistory
@echo.
call:colorys 0A "[+] 检查用户登录初始化、管理员自动登录:"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon
call:colorys 0A "[+] 检查Logon Scripts:"
reg query HKCU\Environment /v UserInitMprLogonScript
@echo.
call:colorys 0A "[+] 检查屏幕保护程序:"
reg query "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE
@echo.
call:colorys 0A "[+] 检查AppInit_DLLs:"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs
call:colorys 0A "[+] 检查COM劫持,并写入文件:"
::通过修改注册表键值,使特定的clsid指向恶意的dll,程序运行时就会加载恶意的dll
reg query HKCU\Software\Classes\CLSID /s /t REG_SZ > 32os_32pe_and_64os_64pe.txt
reg query HKCU\Software\Classes\Wow6432Node\CLSID /s /t REG_SZ > x86OS_x64pe.txt
@echo.
call:colorys 0A "[+] 检查shim数据库是否被劫持:"
@echo.
::主要解决应用兼容性问题的解决方法,执行被劫持的程序时自动加载数据库中恶意模块(dll,shellcode等)
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom"
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" /s
dir /a /b C:\Windows\AppPatch\Custom
dir /a /b C:\Windows\AppPatch\Custom\Custom64
@echo.
call:colorys 0A "[+] 检查进程注入:"
@echo.
reg query "HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls"
@echo.
call:colorys 0A "[+] 检查exe文件启动相关注册表:"
reg query HKLM\software\classes\exefile\shell\open\command
call:colorys 0A "[+] 检查Lsa,用于hash传递攻击:"
reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin
call:colorys 0A "[+] 检查映像劫持:"
rem 适用于windows 2008/win7
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -s -f ".exe" -v Debugger
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f ".exe" /v GlobalFlag
reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit"
@echo.
call:colorys 0A "[+] 查询接受最终用户许可协议的程序:"
reg query HKCU\Software\SysInternals
@echo.
call:colorys 0A "[+] 查询安全模式启动相关注册表:"
@echo.
reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell
call:colorys 0A "[+] 查询powershell命令记录,拷贝中:"
@echo.
::适用于powershell高版本
if exist %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
copy /Y C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%%4Operational.evtx .\eventlog\
@echo.
call:colorys 0A "[+] 检查IE浏览器记录:"
reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs"
call:colorys 0A "[+] 检查CryptnetURLCache,查看certutil下载记录:"
::利用工具:CryptnetURLCacheParser
@echo.
if exist C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (xcopy /s /q /h /o /y C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache .\CryptnetUrlCache\)
if exist C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (xcopy /s /q /h /o /y C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache .\CryptnetUrlCache\)
if exist %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache (xcopy /s /q /h /o /y %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache .\CryptnetUrlCache\ )
@echo.
call:colorys 0A "[+] 检查最近访问的文件,写入文件中:"
@echo.
dir /a %AppData%\Microsoft\Windows\Recent > Recent.txt
if exist "%SYSTEMROOT%\Documents and Settings\%USERPROFILE%\Recent\" (dir /a %SYSTEMROOT%\Documents and Settings\%USERPROFILE%\Recent\ >>Recent.txt)
dir /a %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ >>Recent.txt
@echo.
call:colorys 0A "[+] 检查"我的电脑、此电脑、计算机"的任意文件夹地址栏内的历史记录:"
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
call:colorys 0A "[+] 检查【运行】的历史记录:"
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
call:colorys 0A "[+] 检查网络连接情况,并写入文件:"
@echo.
netstat -anob | findstr ESTABLISHED
::适用于Win10,Win7不适用
powershell $aa="Get-NetTCPConnection | select LocalAddress,localport,remoteaddress,remoteport,state,@{name=\"process\";Expression={(get-process -id $_.OwningProcess).ProcessName}}, @{Name=\"cmdline\";Expression={(Get-WmiObject Win32_Process -filter \"ProcessId = $($_.OwningProcess)\").commandline}} | sort Remoteaddress -Descending | ft -wrap -autosize > network_tcp.txt";$aa
@echo.
call:colorys 0A "[+] 检查DNS缓存记录,并写入文件中:"
::适用win10,win7不适用
@echo.
powershell $aa="Get-DnsClientCache |ft -wrap -autosize";$aa
ipconfig /displaydns > dns_cache.txt
call:colorys 0A "[+] 检查进程,写入文件中:"
wmic process get name,ParentProcessId,processid,executablepath,CreationDate,commandline /format:"%var%" >> out.html
wmic process get name,parentprocessid,processid,executablepath,CreationDate,commandline /format:csv > process.csv
powershell $aa="gwmi win32_process | Select Name, ProcessID, @{n='Owner';e={$_.GetOwner().User}},CommandLine | ft -wrap -autosize > process_ps.txt";$aa
@echo.
call:colorys 0A "[+] 调查取证——导出SAM、SECURITY、SYSTEM(记录系统运行的可执行文件的完整路径和最后的执行日期):"
::可用Registry Explorer对SYSTEM文件进行分析,AppCompatCache记录程序的修改时间,一定程度上可以确定程序的最迟运行时间
@echo.
reg save hklm\system .\hive\SYSTEM /Y
reg save hklm\sam .\hive\SAM /Y
reg save hklm\security .\hive\SECURITY /Y
call:colorys 0A "[+] 调查取证——收集 Sysmon 日志:"
if exist C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx (copy /Y "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx" .\eventlog\)
call:colorys 0A "[+] 调查取证——检查BAM(记录系统运行的可执行文件的完整路径和最后的执行日期,适用于Win10),写入文件中:"
@echo.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s > BAM.txt
call:colorys 0A "[+] 调查取证——SRUM (System Resource Usage Monitor),拷贝中:"
if exist C:\Windows\System32\sru\SRUDB.dat (copy /Y C:\Windows\System32\sru\SRUDB.dat)
@echo.
call:colorys 0A "[+] 调查取证——MUICache (从exe文件的版本资源中提取应用程序名、公司名),写入文件中:"
reg query "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" > MuiCache.txt
@echo.
call:colorys 0A "[+] 调查取证——ShimCache (跟踪文件路径、上次修改时间和是否被执行),注册表导出中:"
@echo.
reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" ShimCache.reg /Y
call:colorys 0A "[+] 调查取证——Prefetch (会保存文件第一次和最后一次运行日期、路径和执行次数等信息),拷贝中"
@echo.
::for %%i in (C:\Windows\Prefetch\*) do copy /Y %%i Prefetch\
xcopy /s /q /h /o /y C:\Windows\Prefetch .\Prefetch\
call:colorys 0A "[+] 检查系统日志是否有开启:"
reg query HKLM\SYSTEM\CurrentControlSet\services\eventlog
call:colorys 0A "[+] 正在导出系统日志:"
if exist .\eventlog\system.evtx (del .\eventlog\system.evtx)
wevtutil epl System .\eventlog\system.evtx
if exist .\eventlog\Application.evtx (del .\eventlog\Application.evtx)
wevtutil epl Application .\eventlog\Application.evtx
if exist .\eventlog\Security.evtx (del .\eventlog\Security.evtx)
wevtutil epl Security .\eventlog\Security.evtx
rem 远程桌面日志,筛选1149
if exist .\eventlog\TerminalServices.evtx (del .\eventlog\TerminalServices.evtx)
wevtutil epl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational .\eventlog\TerminalServices.evtx
@echo.
pause
::把以下代码放到批处理底部用call调用
:colorys
pushd %tmp%&echo CCAICCAI>%2-&certutil /f /decode %2- %2- 1>nul 2>nul
findstr /a:%1 . %2- \ 2>nul&del /q /f %2- 1>nul 2>nul&popd&exit /b