Practical Tools | Blue-Team Incident Response Collection Script
2023-3-9 08:31:17 Author: 菜鸟学信安

A Windows incident-response information collection tool, intended for the triage-collection phase of blue-team incident response: it gathers volatile state (processes, services, network connections, ARP and routing tables), persistence points (registry Run keys, scheduled tasks, services), account and share configuration, installed software and patches, the hosts file, RDP client history, PowerShell command history and the raw event log files, and writes everything into a date-named folder next to the script.
Run the .bat file directly. Its contents are as follows:
```bat
@echo off
@echo ================================
@echo * Incident Response Collection Tool *
@echo ================================
color 0a
rem Work in the script's own directory: evidence is written there, so run it from the evidence drive.
cd %~dp0
rem Output folder named after today's date. The substring offsets assume %date% is yyyy/mm/dd
rem (zh-CN); on locales that prefix a weekday (en-US "Thu 03/09/2023") the folder name will be wrong.
set "filename=%date:~0,4%%date:~5,2%%date:~8,2%"
mkdir .\%filename%\
echo "Collecting process list"
wmic process get name,processid,executablepath /format:htable > ./%filename%/tasklist.html
echo "Process list collected"
@echo ================================
echo "Collecting system services"
wmic service get Name,Description,Caption,DisplayName,ProcessId,started,StartMode,StartName,State,Status,AcceptPause,AcceptStop,PathName /format:htable > ./%filename%/service.html
echo "System services collected"
@echo ================================
echo "Collecting system event logs"
rem Copies the live .evtx files; needs an elevated prompt.
xcopy C:\Windows\System32\winevt\Logs .\%filename%\logs\ /Y >nul
echo "System event logs collected"
@echo ================================
echo "Collecting network connections"
netstat -ano > ./%filename%/netstat.txt
echo "Network connections collected"
@echo ================================
echo "Collecting account information"
wmic USERACCOUNT list /format:htable > ./%filename%/account.html
echo "Account information collected"
@echo ================================
echo "Collecting share information"
wmic share list /format:htable > ./%filename%/netshare.html
echo "Share information collected"
@echo ================================
echo "Collecting routing table"
route print > ./%filename%/route.txt
echo "Routing table collected"
@echo ================================
echo "Collecting HOSTS"
xcopy C:\Windows\System32\drivers\etc .\%filename%\etc\ /Y >nul
echo "HOSTS collected"
@echo ================================
echo "Collecting mstsc (RDP client) history"
reg export "HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default" ".\%filename%\mstsc.txt" /y >nul
echo "mstsc history collected"
@echo ================================
echo "Collecting registry autorun entries"
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" ".\%filename%\autorun.txt" /y >nul
echo "Registry autorun entries collected"
@echo ================================
echo "Collecting installed software"
reg export "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" ".\%filename%\software.txt" /y >nul
echo "Installed software collected"
@echo ================================
echo "Collecting scheduled tasks"
schtasks /query /v /fo list > ./%filename%/schtasks.txt
echo "Scheduled tasks collected"
@echo ================================
echo "Collecting ARP table"
arp -a > ./%filename%/arp.txt
echo "ARP table collected"
@echo ================================
echo "Collecting system information"
systeminfo > ./%filename%/systeminfo.txt
echo "System information collected"
@echo ================================
echo "Collecting hotfix information"
wmic qfe list /format:htable > ./%filename%/hotfix.html
echo "Hotfix information collected"
@echo ================================
echo "Collecting PowerShell command history"
rem Both paths resolve to the same file for the current user (%appdata% is %userprofile%\AppData\Roaming),
rem and only the account running the script is covered; other users' history lives under their own profiles.
copy %userprofile%\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt .\%filename%\ConsoleHost_history.txt /Y >nul
copy %appdata%\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt .\%filename%\ConsoleHost_history_1.txt /Y >nul
echo "PowerShell command history collected"
echo "Collection complete; the data is stored in the %filename% folder under the current directory"
pause>nul
```
Once started, the script prints each stage as it runs:
"Collecting process list"
"Collecting system services"
"Collecting system event logs"
"Collecting network connections"
"Collecting account information"
"Collecting share information"
"Collecting routing table"
"Collecting HOSTS"
"Collecting mstsc (RDP client) history"
"Collecting registry autorun entries"
"Collecting installed software"
"Collecting scheduled tasks"
"Collecting ARP table"
"Collecting system information"
"Collecting hotfix information"
"Collecting PowerShell command history"
The collected files are saved in a folder named after the date.
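The .bat above is a quick triage collector, but three things about it matter on a real engagement: the folder name is built from %date% substrings and so depends on the locale, the evidence is written onto the examined host's own disk, and nothing records what was collected or whether it was later altered. The PowerShell script below is an added example written for this page, not the original author's tool. It collects the same categories, volatile state first, writes to an evidence root you choose, exports event logs with wevtutil instead of copying the live files, gathers every user's PowerShell history rather than only the current account's, and finishes with a SHA-256 manifest of the output. Assumptions not in the original: the default output root E:\IR, the list of event logs, and that it runs from an elevated prompt on a system with Get-NetTCPConnection (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original post): PowerShell triage collector with a
# locale-independent timestamp, an external evidence root and an integrity manifest.
# Assumptions: -OutRoot points at the responder's evidence drive; elevated prompt.
param(
    [string]$OutRoot = "E:\IR",
    [string[]]$EventLogs = @("Security", "System", "Application",
                             "Microsoft-Windows-PowerShell/Operational")
)

# UTC timestamp from Get-Date; the .bat's %date% substring math breaks on en-US ("Thu 03/09/2023").
$stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMdd_HHmmss")
$case  = Join-Path $OutRoot "$($env:COMPUTERNAME)_$stamp"
New-Item -ItemType Directory -Path $case -Force | Out-Null

# Runs one collector, writes its output under the case folder and logs failures instead of aborting.
function Save-Artifact {
    param([string]$Name, [scriptblock]$Collector)
    try {
        & $Collector | Out-File -FilePath (Join-Path $case $Name) -Encoding utf8
        "[+] $Name"
    } catch {
        $msg = "[-] $Name failed: $($_.Exception.Message)"
        Add-Content -Path (Join-Path $case "errors.txt") -Value $msg
        $msg
    }
}

# Volatile state first: sockets, ARP and processes change fastest.
Save-Artifact "netstat.csv" {
    $images = @{}
    Get-CimInstance Win32_Process | ForEach-Object { $images[[int]$_.ProcessId] = $_.ExecutablePath }
    # Join each connection to its owning image so a suspicious listener maps to a binary directly.
    Get-NetTCPConnection |
      Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess,
                    @{n = "Image"; e = { $images[[int]$_.OwningProcess] }} |
      ConvertTo-Csv -NoTypeInformation
}
Save-Artifact "arp.txt"       { arp -a }
Save-Artifact "route.txt"     { route print }
Save-Artifact "processes.csv" {
    Get-CimInstance Win32_Process |
      Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate |
      ConvertTo-Csv -NoTypeInformation
}
# Persistence and configuration.
Save-Artifact "services.csv"  {
    Get-CimInstance Win32_Service |
      Select-Object Name, DisplayName, State, StartMode, StartName, PathName, ProcessId |
      ConvertTo-Csv -NoTypeInformation
}
Save-Artifact "schtasks.csv"  { schtasks /query /v /fo csv }
Save-Artifact "autoruns.txt"  {
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" |
      ForEach-Object { if (Test-Path $_) { "[$_]"; Get-ItemProperty -Path $_ | Format-List * } }
}
Save-Artifact "accounts.csv"  {
    Get-CimInstance Win32_UserAccount |
      Select-Object Name, SID, Disabled, Lockout, PasswordRequired, LocalAccount |
      ConvertTo-Csv -NoTypeInformation
}
Save-Artifact "shares.csv"    { Get-CimInstance Win32_Share | Select-Object Name, Path, Description, Type | ConvertTo-Csv -NoTypeInformation }
Save-Artifact "hotfix.csv"    { Get-HotFix | Select-Object HotFixID, Description, InstalledOn | ConvertTo-Csv -NoTypeInformation }
Save-Artifact "systeminfo.txt" { systeminfo }

# Files: hosts, and the PowerShell history of every profile on the box, not just the current user.
Copy-Item "$env:SystemRoot\System32\drivers\etc\hosts" (Join-Path $case "hosts") -ErrorAction SilentlyContinue
Get-ChildItem "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue |
  ForEach-Object {
      $user = ($_.FullName -split '\\')[2]
      Copy-Item $_.FullName (Join-Path $case "ConsoleHost_history_$user.txt")
  }

# Event logs via wevtutil epl, which writes a consistent .evtx while the EventLog service holds the file open.
$logDir = Join-Path $case "logs"
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
foreach ($log in $EventLogs) {
    $file = Join-Path $logDir (($log -replace '[\\/]', '_') + ".evtx")
    wevtutil epl "$log" "$file"
}

# Integrity manifest, written last so that later analysis can show the artifacts were not changed.
Get-ChildItem -Path $case -Recurse -File |
  Where-Object { $_.Name -ne "manifest.sha256" } |
  Get-FileHash -Algorithm SHA256 |
  ForEach-Object { "{0}  {1}" -f $_.Hash, $_.Path.Substring($case.Length + 1) } |
  Out-File -FilePath (Join-Path $case "manifest.sha256") -Encoding ascii
"Collection complete: $case"
```

Save it as, for instance, Collect-IR.ps1 on the evidence drive and run it from an elevated prompt with `powershell -ExecutionPolicy Bypass -File E:\Collect-IR.ps1 -OutRoot E:\IR`. Copy the manifest off to a separate location as soon as collection finishes; re-running `Get-FileHash` over the case folder later and comparing against it is what lets you vouch for the artifacts.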
How to get the tool
Reply with the keyword 0228 in the official account's message backend.

Source: http://mp.weixin.qq.com/s?__biz=MzU2NzY5MzI5Ng==&mid=2247495561&idx=1&sn=36ba8550ccb4800611970de4c9631d9e&chksm=fc9bf516cbec7c0010de23d736e9984cf7f6ac08d3ca01918d5e6b09bcc9ff05470303e07d78#rd