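:: ===========================================================================
:: Windows incident-response evidence collection script (under test) - v1.0
:: 2018-04-20. First version: testing still shows many problems, keep refining.
::
:: Usage:   antiy_collect.bat [OUTDIR]
::   OUTDIR  directory that receives antiy_information.txt, antiy_executablepath.csv,
::           antiy_process.html and antiy_startup.csv. Defaults to C:\ (the original
::           behaviour). On a live incident prefer a removable drive or a network
::           share: writing onto the suspect system disk overwrites unallocated
::           space that a later disk image may need.
::
:: Run from an elevated prompt. netstat -b, parts of the WMIC output and sc query
:: return incomplete data (or an "elevation required" error) for a standard user;
:: the script warns but keeps going. wmic.exe is deprecated and removed from recent
:: Windows 10/11 builds, so the WMIC sections will be empty there.
:: ===========================================================================
@echo off
setlocal

:: Output directory: first argument if given, else the original hard-coded C:\ root.
set "OUTDIR=%~1"
if "%OUTDIR%"=="" set "OUTDIR=C:\"
if not "%OUTDIR:~-1%"=="\" set "OUTDIR=%OUTDIR%\"
set "INFO=%OUTDIR%antiy_information.txt"
set "EXEPATH=%OUTDIR%antiy_executablepath.csv"
set "PROCHTML=%OUTDIR%antiy_process.html"
set "STARTUP=%OUTDIR%antiy_startup.csv"

:: Every section below appends (>>), so clear the outputs of a previous run first.
:: This discards the previous collection - move it elsewhere before re-running.
if exist "%INFO%" del "%INFO%"
if exist "%EXEPATH%" del "%EXEPATH%"
if exist "%PROCHTML%" del "%PROCHTML%"
if exist "%STARTUP%" del "%STARTUP%"

:: UTF-8 console code page so non-ASCII names in tool output survive the redirect.
chcp 65001 >nul

echo *******************************************>>"%INFO%"
echo * Antiy Information Gathering *>>"%INFO%"
echo *******************************************>>"%INFO%"

:: Elevation check: "net session" fails for non-administrators. Warn on screen
:: and inside the evidence file, but still collect what a standard user can see.
net session >nul 2>&1
if errorlevel 1 (
    echo WARNING: not running as Administrator - netstat -b, sc and WMIC output will be incomplete.
    echo WARNING: collected WITHOUT Administrator rights - output may be incomplete>>"%INFO%"
)

:: --- Collection time ---------------------------------------------------------
:: date /t and time /t are locale-formatted and time /t has no seconds; the time
:: zone is recorded so these timestamps can be correlated with other sources.
echo ************************************ System time *******************************>>"%INFO%"
date /t>>"%INFO%"
time /t>>"%INFO%"
tzutil /g>>"%INFO%" 2>nul
echo.>>"%INFO%"
echo Get system time Success!

:: --- Host identity -----------------------------------------------------------
echo ************************************ HOST Name *******************************>>"%INFO%"
hostname>>"%INFO%"
echo ************************************ User Name *******************************>>"%INFO%"
whoami>>"%INFO%"
echo ************************************ System Version *******************************>>"%INFO%"
ver>>"%INFO%"
echo Get system information Success!

:: --- Listening/connected sockets with the owning executable (needs elevation) ---
echo ********************Get Process Path And Net Information***************************>>"%INFO%"
netstat -bno>>"%INFO%"
echo Get Process Path And Net Information Success!

:: --- Process list, plus the service-to-PID mapping for svchost-hosted services ---
echo ********************Get Process Information (tasklist)***************************>>"%INFO%"
tasklist>>"%INFO%"
echo ********************Get Process Information (tasklist /svc)***************************>>"%INFO%"
tasklist /svc>>"%INFO%"
echo Get Process Information Success!

:: --- Network configuration (/all adds MAC, DHCP and DNS server details) ---
echo ********************Get net config inforemation ***************************>>"%INFO%"
ipconfig /all>>"%INFO%"
echo Get net config Information Success!

:: --- Network connections with PIDs (works without elevation) -------------------
echo ********************Get net connection inforemation ***************************>>"%INFO%"
netstat -ano>>"%INFO%"
echo Get net connection Information Success!

:: --- WMIC process detail: full dump as HTML, path/PID table as real CSV ---
:: /format:csv makes the .csv file actually comma-separated; the original wrote
:: a space-padded table under a .csv name.
echo ***********************************WMIC PPROCESS Path*******************************>>"%INFO%"
wmic process list full /format:hform>>"%PROCHTML%"
wmic process get ExecutablePath,ProcessId /format:csv>>"%EXEPATH%"
echo WMIC PPROCESS Path Success!

:: --- Startup entries (Run keys and Startup folders as seen by WMI) -------------
wmic startup get Caption,Command,Location,User /format:csv>>"%STARTUP%"
echo Get startup inforemation Success!

:: --- Scheduled tasks, verbose list format -------------------------------------
echo ****************************************Task LIST************************************>>"%INFO%"
schtasks /query /FO LIST /V>>"%INFO%"
echo Get tasklist Success!

:: --- Services, including stopped ones ------------------------------------------
:: sc requires the space after "state=": "state=all" only prints sc's usage text.
echo ***********************************Services LIST************************************>>"%INFO%"
sc query state= all>>"%INFO%"
echo Get services list Success!

echo Logs saved to %OUTDIR%antiy_*.*
pause
endlocal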