win-post-collect.sh

#!/bin/bash

COLLECTIONDIR=~/collection/
USER=XXXX
PASS=YYYY
DOMAIN=ZZZZ

while read HOST
do

 mkdir -p $COLLECTIONDIR/$HOST

 mount -t cifs -o user=$USER,pass=$PASS,domain=$DOMAIN //$HOST/c$ /mnt/

 winexe -U $DOMAIN/$USER%$PASS //$HOST 'netstat -an' | tee $COLLECTIONDIR/$HOST/netstat.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'ipconfig /all' | tee $COLLECTIONDIR/$HOST/ipconfig.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'cmd /C set' | tee $COLLECTIONDIR/$HOST/env.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'systeminfo' | tee $COLLECTIONDIR/$HOST/systeminfo.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'net user' | tee $COLLECTIONDIR/$HOST/netuser.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'net user /domain' | tee $COLLECTIONDIR/$HOST/netuserdomain.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'net localgroup' | tee $COLLECTIONDIR/$HOST/netlocalgroup.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'wmic product' | tee $COLLECTIONDIR/$HOST/installedproducts.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'wmic qfe' | tee $COLLECTIONDIR/$HOST/installedpatches.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'tasklist /V /FO CSV' | tee $COLLECTIONDIR/$HOST/tasklist.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST "cmd /c echo . | powershell -Command \"gdr -PSProvider 'FileSystem' | convertto-csv\"" | tee $COLLECTIONDIR/$HOST/drives.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'cmd /C type \Windows\System32\drivers\etc\hosts' | tee $COLLECTIONDIR/$HOST/hosts.txt
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'reg save hklm\sam c:\sam'
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'reg save hklm\system c:\system'

 echo "Copying SAM/SYSTEM..."
 mv /mnt/sam  $COLLECTIONDIR/$HOST/sam
 mv /mnt/system  $COLLECTIONDIR/$HOST/system

 echo "Doing directory listing..."
 winexe -U $DOMAIN/$USER%$PASS //$HOST 'echo . | powershell -Command "ls -recurse / | convertto-csv" ' > $COLLECTIONDIR/$HOST/directorylisting.txt
 echo "Done."

 echo "Doing AV scan..."
 clamdscan /mnt | tee $COLLECTIONDIR/$HOST/avscan.txt
 echo "Done."

 umount /mnt

done