测试发现还是有很多问题,继续改进中,欢迎大家提供建议,小白学习中
::取证应急脚本 v2.0
::2018年/5/02
del c:\antiy_information.txt
del c:\antiy_executablepath.csv
del c:\antiy_process.html
del c:\antiy_startup.csv
chcp 65001
@echo *******************************************>> c:\antiy_information.txt
@echo * Antiy Information Gathering *>> c:\antiy_information.txt
@echo *******************************************>> c:\antiy_information.txt
::不显示命令行本身
@echo off
::获取系统时间
echo ************************************ System time *******************************>>c:\antiy_information.txt
date /t>>c:\antiy_information.txt
time /t>>c:\antiy_information.txt
echo Get system time Success!
::用户组信息
echo ************************************ User Information *******************************>>c:\antiy_information.txt
net user>>c:\antiy_information.txt
echo **************User Group*************************************
net localgroup>>c:\antiy_information.txt
echo **************localgroup administrators**********************
net localgroup administrators>>c:\antiy_information.txt
::文件共享信息
echo ************************************ File Share **********************************>>c:\antiy_information.txt
net share>>c:\antiy_information.txt
::获取主机信息
echo ************************************ HOST Name *******************************>>c:\antiy_information.txt
hostname>>c:\antiy_information.txt
echo ************************************ User Name *******************************>>c:\antiy_information.txt
whoami>>c:\antiy_information.txt
echo ************************************ System Version *******************************>>c:\antiy_information.txt
ver>>c:\antiy_information.txt
echo Get system information Success!
::获取进程及对应网络信息
echo ********************Get Process Path And Net Information***************************>>c:\antiy_information.txt
netstat -bno>>c:\antiy_information.txt
echo Get Process Path And Net Information Success!
::进程信息获取
echo ********************Get Process Information (taskkill)***************************>>c:\antiy_information.txt
tasklist>>c:\antiy_information.txt
echo Get Process Information Success!
::网络信息获取
echo ********************Get net config inforemation ***************************>>c:\antiy_information.txt
ipconfig>>c:\antiy_information.txt
echo Get net config Information Success!
::网络连接获取
echo ********************Get net connection inforemation ***************************>>c:\antiy_information.txt
netstat -ano>>c:\antiy_information.txt
echo Get net connection Information Success!
::WMIC 进程路径获取
echo ***********************************WMIC PPROCESS Path*******************************>>c:\antiy_information.txt
wmic process list full /format:hform>>c:\antiy_process.html
::wmic process list brief /format:hform>>c:\antiy_information.html
::wmic process get description,executablepath,CommandLine,ProcessId,ParentProcessId /format:hform>>c:\antiy_information2.csv
wmic process get executablepath,ProcessId>>c:\antiy_executablepath.csv
echo WMIC PPROCESS Path Success!
::启动项
wmic startup >>c:\antiy_startup.csv
echo Get startup inforemation Success!
::计划任务
echo ****************************************Task LIST************************************>>c:\antiy_information.txt
schtasks /query /FO LIST /V>>c:\antiy_information.txt
echo Get tasklist Success!
::服务
echo ***********************************Services LIST************************************>>c:\antiy_information.txt
tasklist /svc>>c:\antiy_information.txt
sc query state=all>>c:\antiy_information.txt
echo Get services list Success!
::DNS缓存
echo ***********************************DNS Information************************************>>c:\antiy_information.txt
ipconfig /displaydns>>c:\antiy_information.txt
echo Get DNS Information Success!
echo logs save to C:\antiy_*.* path.
pause
目前发现的几个问题
(1)服务和计划任务过多,容易被正常的淹没
(2)发现的文件没有更多信息,比如最后修改时间
先告一段落。。。。。。有空再更新一次/
免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@yisu.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。
