1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259
| @echo off color 0f ::call:colorys调用底部:colorys ::02为颜色设置,0指定输出文字背景颜色,2指定文字颜色 ::输出不能包含符号 / : ? * " > < | \ cd %~dp0 for /f "delims=" %%A in ('dir /s /b %WINDIR%\system32\*htable.xsl') do set "var=%%A" if not exist ./eventlog/ (md eventlog) if not exist ./schtasks/ (md schtasks) if not exist ./Prefetch/ (md Prefetch) if not exist ./hive/ (md hive) if not exist ./CryptnetURLCache/ (md CryptnetURLCache) if exist out.html (del out.html) ::reg query HKLM\SAM\SAM\Domains\Account\Users\Names call:colorys 0A "[+] 正在查询系统相关信息:" @echo. wmic OS get Caption,CSDVersion,OSArchitecture,Version wmic computersystem list brief call:colorys 0A "[+] 正在查询系统补丁情况,并写入文件:" wmic qfe get Description,HotFixID,InstalledOn /format:"%var%" >> out.html @echo. call:colorys 0A "[+] 正在查询系统账户和用户组,并写入文件:" @echo. wmic UserAccount get name,description,sid,disabled wmic UserAccount get Description,Disabled,LocalAccount,Lockout,Name,PasswordChangeable,PasswordExpires,PasswordRequired,SID,Status /format:"%var%" >> out.html wmic group get Description,Domain,Name,SID,Status /format:"%var%" >> out.html wmic volume get Label,DeviceID,DriveLetter,FileSystem,FreeSpace /format:"%var%" >> out.html call:colorys 0A "[+] 正在检查域密码策略:" @echo. Net accounts /domain @echo. call:colorys 0A "[+] 检查管理员组:" @echo. net localgroup administrators net group "domain admins" /domain @echo. call:colorys 0A "[+] 检查用户上次登录时间:" @echo. wmic netlogin get name,lastlogon,badpasswordcount call:colorys 0A "[+] 检查重要的注册表项:" @echo. ::SSP reg query hklm\system\currentcontrolset\control\lsa /v "Security Packages" ::WDigest,1代表开启,0代表明文密码不会出现在内存中 reg query HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential @echo. call:colorys 0A "[+] 检查RDP保存的凭证:" @echo. reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s reg query "HKCU\Software\Microsoft\Terminal Server Client\Servers" /s > rdp_certificate.txt call:colorys 0A "[+] 检查是否开启远程桌面服务:" ::开启则返回0x00 reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections call:colorys 0A "[+] 检查本机共享列表,并写入文件:" net share Wmic share get name,path,status /format:"%var%" >> out.html call:colorys 0A "[+] 检查系统启动信息,并写入文件:" @echo. wmic startup get command,caption,Location,User wmic startup get command,caption,Location,User /format:"%var%" >> out.html @echo. call:colorys 0A "[+] 检查已安装反病毒软件:" @echo. wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState, pathToSignedProductExe @echo. call:colorys 0A "[+] 检查防火墙配置,并写入文件:" netsh firewall show config netsh firewall show config > firewall_config.txt @echo. call:colorys 0A "[+] 检查Defender检测到的活动和过去的恶意软件威胁:" @echo. powershell Get-MpThreatDetection call:colorys 0A "[+] 正在拷贝防火墙日志和evtx:" @echo. if exist %windir%\system32\logfiles\firewall\pfirewall.log (copy /Y %windir%\system32\logfiles\firewall\pfirewall.log) copy /Y "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%%4Operational.evtx" .\eventlog\ @echo. call:colorys 0A "[+] 检查已安装软件,并写入文件:" @echo. reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall /s /v DisplayName | findstr DisplayName wmic PRODUCT get Description,InstallDate,InstallLocation,Vendor,Version /format:"%var%" >> out.html @echo. call:colorys 0A "[+] 检查计划任务,拷贝日志和计划任务文件" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree" schtasks /query /fo LIST /v > .\schtasks\schtasks.txt for %%i in (C:\Windows\System32\Tasks\*) do copy /Y %%i schtasks\ ::for %%i in (C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskSche*) do copy /Y %%i schtasks\ copy /Y C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%%4Operational.evtx .\eventlog\ copy /Y C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%%4Security.evtx .\eventlog\ @echo. call:colorys 0A "[+] 检查服务状态,并写入文件:" powershell Get-Service powershell $aa="gwmi win32_service | ft -Property Name, DisplayName, PathName, User, State > service.txt";$aa wmic service get Caption,Name,PathName,ServiceType,Started,StartMode,StartName /format:"%var%" >> out.html call:colorys 0A "[+] 检查自启动服务:" @echo. ::RunSrvicese:win7、win10、2012 reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices reg query HKCU\SOFTWARE\Microsoft\Windows\Currention\RunOnce reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceVers @echo. call:colorys 0A "[+] 检查自启动目录:" @echo. dir /a "%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup" dir /a "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" dir /a "%SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\Startup" @echo. call:colorys 0A "[+] 检查注册表启动项,写入文件中:" @echo. reg query HKCU\Software\Microsoft\Windows\CurrentVersion\run >qidong.txt reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce >>qidong.txt reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>qidong.txt reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >>qidong.txt reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run >>qidong.txt reg query HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce >>qidong.txt reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run >>qidong.txt reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\run >>qidong.txt reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartMenu >>qidong.txt reg query "HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v Load >>qidong.txt @echo. call:colorys 0A "[+] 检查网络连接(ipc$ 命名管道连接),并写入文件:" @echo. net use wmic netuse get ConnectionState,Description,DisplayType,LocalName,Name,Persistent,RemoteName,ResourceType,Status,UserName /format:"%var%" >> out.html call:colorys 0A "[+] 检查是否启用Windows剪切板历史记录:(0x1代表启用,适用Win10):" @echo. reg query HKEY_CURRENT_USER\Software\Microsoft\Clipboard /v EnableClipboardHistory @echo. call:colorys 0A "[+] 检查用户登录初始化、管理员自动登录:" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Userinit reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon call:colorys 0A "[+] 检查Logon Scripts:" reg query HKCU\Environment /v UserInitMprLogonScript @echo. call:colorys 0A "[+] 检查屏幕保护程序:" reg query "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE @echo. call:colorys 0A "[+] 检查AppInit_DLLs:" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs reg query "HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs call:colorys 0A "[+] 检查COM劫持,并写入文件:" ::通过修改注册表键值,使特定的clsid指向恶意的dll,程序运行时就会加载恶意的dll reg query HKCU\Software\Classes\CLSID /s /t REG_SZ > 32os_32pe_and_64os_64pe.txt reg query HKCU\Software\Classes\Wow6432Node\CLSID /s /t REG_SZ > x86OS_x64pe.txt @echo. call:colorys 0A "[+] 检查shim数据库是否被劫持:" @echo. ::主要解决应用兼容性问题的解决方法,执行被劫持的程序时自动加载数据库中恶意模块(dll,shellcode等) reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom" reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\InstalledSDB" /s dir /a /b C:\Windows\AppPatch\Custom dir /a /b C:\Windows\AppPatch\Custom\Custom64 @echo. call:colorys 0A "[+] 检查进程注入:" @echo. reg query "HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls" @echo. call:colorys 0A "[+] 检查exe文件启动相关注册表:" reg query HKLM\software\classes\exefile\shell\open\command call:colorys 0A "[+] 检查Lsa,用于hash传递攻击:" reg query HKLM\System\CurrentControlSet\Control\Lsa /v DisableRestrictedAdmin call:colorys 0A "[+] 检查映像劫持:" rem 适用于windows 2008/win7 reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" -s -f ".exe" -v Debugger reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /s /f ".exe" /v GlobalFlag reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit" @echo. call:colorys 0A "[+] 查询接受最终用户许可协议的程序:" reg query HKCU\Software\SysInternals @echo. call:colorys 0A "[+] 查询安全模式启动相关注册表:" @echo. reg query HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot /v AlternateShell call:colorys 0A "[+] 查询powershell命令记录,拷贝中:" @echo. ::适用于powershell高版本 if exist %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt type %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt copy /Y C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%%4Operational.evtx .\eventlog\ @echo. call:colorys 0A "[+] 检查IE浏览器记录:" reg query "HKCU\SOFTWARE\Microsoft\Internet Explorer\TypedURLs" call:colorys 0A "[+] 检查CryptnetURLCache,查看certutil下载记录:" ::利用工具:CryptnetURLCacheParser @echo. if exist C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (xcopy /s /q /h /o /y C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache .\CryptnetUrlCache\) if exist C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache (xcopy /s /q /h /o /y C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache .\CryptnetUrlCache\) if exist %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache (xcopy /s /q /h /o /y %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache .\CryptnetUrlCache\ ) @echo. call:colorys 0A "[+] 检查最近访问的文件,写入文件中:" @echo. dir /a %AppData%\Microsoft\Windows\Recent > Recent.txt if exist "%SYSTEMROOT%\Documents and Settings\%USERPROFILE%\Recent\" (dir /a %SYSTEMROOT%\Documents and Settings\%USERPROFILE%\Recent\ >>Recent.txt) dir /a %USERPROFILE%\AppData\Roaming\Microsoft\Office\Recent\ >>Recent.txt @echo. call:colorys 0A "[+] 检查"我的电脑、此电脑、计算机"的任意文件夹地址栏内的历史记录:" reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths call:colorys 0A "[+] 检查【运行】的历史记录:" reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU call:colorys 0A "[+] 检查网络连接情况,并写入文件:" @echo. netstat -anob | findstr ESTABLISHED ::适用于Win10,Win7不适用 powershell $aa="Get-NetTCPConnection | select LocalAddress,localport,remoteaddress,remoteport,state,@{name=\"process\";Expression={(get-process -id $_.OwningProcess).ProcessName}}, @{Name=\"cmdline\";Expression={(Get-WmiObject Win32_Process -filter \"ProcessId = $($_.OwningProcess)\").commandline}} | sort Remoteaddress -Descending | ft -wrap -autosize > network_tcp.txt";$aa @echo. call:colorys 0A "[+] 检查DNS缓存记录,并写入文件中:" ::适用win10,win7不适用 @echo. powershell $aa="Get-DnsClientCache |ft -wrap -autosize";$aa ipconfig /displaydns > dns_cache.txt call:colorys 0A "[+] 检查进程,写入文件中:" wmic process get name,ParentProcessId,processid,executablepath,CreationDate,commandline /format:"%var%" >> out.html wmic process get name,parentprocessid,processid,executablepath,CreationDate,commandline /format:csv > process.csv powershell $aa="gwmi win32_process | Select Name, ProcessID, @{n='Owner';e={$_.GetOwner().User}},CommandLine | ft -wrap -autosize > process_ps.txt";$aa @echo. call:colorys 0A "[+] 调查取证——导出SAM、SECURITY、SYSTEM(记录系统运行的可执行文件的完整路径和最后的执行日期):" ::可用Registry Explorer对SYSTEM文件进行分析,AppCompatCache记录程序的修改时间,一定程度上可以确定程序的最迟运行时间 @echo. reg save hklm\system .\hive\SYSTEM /Y reg save hklm\sam .\hive\SAM /Y reg save hklm\security .\hive\SECURITY /Y call:colorys 0A "[+] 调查取证——收集 Sysmon 日志:" if exist C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx (copy /Y "C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%%4Operational.evtx" .\eventlog\) call:colorys 0A "[+] 调查取证——检查BAM(记录系统运行的可执行文件的完整路径和最后的执行日期,适用于Win10),写入文件中:" @echo. reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s > BAM.txt call:colorys 0A "[+] 调查取证——SRUM (System Resource Usage Monitor),拷贝中:" if exist C:\Windows\System32\sru\SRUDB.dat (copy /Y C:\Windows\System32\sru\SRUDB.dat) @echo. call:colorys 0A "[+] 调查取证——MUICache (从exe文件的版本资源中提取应用程序名、公司名),写入文件中:" reg query "HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" > MuiCache.txt @echo. call:colorys 0A "[+] 调查取证——ShimCache (跟踪文件路径、上次修改时间和是否被执行),注册表导出中:" @echo. reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" ShimCache.reg /Y call:colorys 0A "[+] 调查取证——Prefetch (会保存文件第一次和最后一次运行日期、路径和执行次数等信息),拷贝中" @echo. ::for %%i in (C:\Windows\Prefetch\*) do copy /Y %%i Prefetch\ xcopy /s /q /h /o /y C:\Windows\Prefetch .\Prefetch\ call:colorys 0A "[+] 检查系统日志是否有开启:" reg query HKLM\SYSTEM\CurrentControlSet\services\eventlog call:colorys 0A "[+] 正在导出系统日志:" if exist .\eventlog\system.evtx (del .\eventlog\system.evtx) wevtutil epl System .\eventlog\system.evtx if exist .\eventlog\Application.evtx (del .\eventlog\Application.evtx) wevtutil epl Application .\eventlog\Application.evtx if exist .\eventlog\Security.evtx (del .\eventlog\Security.evtx) wevtutil epl Security .\eventlog\Security.evtx rem 远程桌面日志,筛选1149 if exist .\eventlog\TerminalServices.evtx (del .\eventlog\TerminalServices.evtx) wevtutil epl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational .\eventlog\TerminalServices.evtx @echo. pause ::把以下代码放到批处理底部用call调用 :colorys pushd %tmp%&echo CCAICCAI>%2-&certutil /f /decode %2- %2- 1>nul 2>nul findstr /a:%1 . %2- \ 2>nul&del /q /f %2- 1>nul 2>nul&popd&exit /b
|