opexxx

winAudit.cmd

Nov 7th, 2018
  1. @ECHO OFF
  2.  
  3. :: Audit script v6
  4. ::  v1 : Start
  5. ::  v2 : Fixed fetching all users ; include localgroups
  6. ::           Removed bugs with jumping to wrong subs from v1
  7. ::  v3 : Included scheduled task and startup items
  8. ::  v4 : Fix spaces (line wrapping) for systeminfo_inventory.csv
  9. ::       Add whoami and gpresult data
  10. ::  v5 : Add copy etc/drivers/* files
  11. ::  v6 : Add wmic for software list
  12. ::  v7 : Add directory listing program file for software list, list of hotfixes, list of logicaldisks, fw dump
  13. ::
  14.  
  15. set debug=0
  16.  
  17. :: Step 1
  18. :: Get the computer name
  19. :: Needed to create the output directory
  20. if %debug%==1 echo "Fetching system name"
  21. FOR /f "tokens=2,* delims= " %%a in ('IPCONFIG ^/ALL ^| FINDSTR "Primary Dns"') do set tempsuffix=%%b
  22. FOR /f "tokens=1,2 delims=:" %%a in ('echo %tempsuffix%') do set dnssuffix=%%b
  23. SET FQDN=%COMPUTERNAME%.%DNSSUFFIX:~1%
  24.  
  25. ECHO Server FQDN: %FQDN%
  26. set aud_dir=audit_%FQDN%
  27. mkdir %aud_dir%
  28. cd %aud_dir%
  29.  
  30.  
  31. :: Step 2
  32. :: Operating system version and system information
  33. if %debug%==1 echo "ver"
  34. ver > ver.txt
  35.  
  36. if %debug%==1 echo "systeminfo"
  37. systeminfo > systeminfo.txt
  38. systeminfo /fo CSV > systeminfo.csv
  39.  
  40.  
  41. :: Step 3
  42. :: Grap info from systeminfo for inventory template
  43. set inventory_hostname=
  44. set inventory_osname=
  45. set inventory_osversion=
  46. set inventory_installdate=
  47. set inventory_boottime=
  48. set inventory_system_manufacturer=
  49. set inventory_timezone=
  50. set inventory_productid=
  51.  
  52. for /f "usebackq tokens=2 delims=:" %%s in (`type systeminfo.txt ^| findstr /B /C:"Host Name:"`) do (
  53.  set inventory_hostname=%%s
  54. )
  55. for /f "usebackq tokens=2 delims=:" %%s in (`type systeminfo.txt ^| findstr /B /C:"OS Name:"`) do (
  56.  set inventory_osname=%%s
  57. )
  58. for /f "usebackq tokens=2 delims=:" %%s in (`type systeminfo.txt ^| findstr /B /C:"OS Version:"`) do (
  59.  set inventory_osversion=%%s
  60. )
  61. for /f "usebackq tokens=2,3,4 delims=:" %%s in (`type systeminfo.txt ^| findstr /C:"Original Install Date:"`) do (
  62.  set inventory_installdate=%%s:%%t:%%u
  63. )
  64. for /f "usebackq tokens=2,3,4 delims=:" %%s in (`type systeminfo.txt ^| findstr /C:"System Boot Time:"`) do (
  65.  set inventory_boottime=%%s:%%t:%%u
  66. )
  67. for /f "usebackq tokens=2 delims=:" %%s in (`type systeminfo.txt ^| findstr /B /C:"System Manufacturer:"`) do (
  68.  set inventory_system_manufacturer=%%s
  69. )
  70. for /f "usebackq tokens=2,* delims=:" %%s in (`type systeminfo.txt ^| findstr /B /C:"Time Zone:"`) do (
  71.  set inventory_timezone=%%s:%%t
  72. )
  73. for /f "usebackq tokens=2 delims=:" %%s in (`type systeminfo.txt ^| findstr /B /C:"Product ID:"`) do (
  74.  set inventory_productid=%%s
  75. )
  76.  
  77. for /f "tokens=* delims= " %%G in ("%inventory_hostname%") do set inventory_hostname=%%G
  78. for /f "tokens=* delims= " %%G in ("%inventory_osname%") do set inventory_osname=%%G
  79. for /f "tokens=* delims= " %%G in ("%inventory_osversion%") do set inventory_osversion=%%G
  80. for /f "tokens=* delims= " %%G in ("%inventory_installdate%") do set inventory_installdate=%%G
  81. for /f "tokens=* delims= " %%G in ("%inventory_boottime%") do set inventory_boottime=%%G
  82. for /f "tokens=* delims= " %%G in ("%inventory_system_manufacturer%") do set inventory_system_manufacturer=%%G
  83. for /f "tokens=* delims= " %%G in ("%inventory_timezone%") do set inventory_timezone=%%G
  84. for /f "tokens=* delims= " %%G in ("%inventory_productid%") do set inventory_productid=%%G
  85.  
  86. echo %inventory_hostname% ; %FQDN% ; %inventory_osname% ; %inventory_osversion% ; %inventory_installdate% ; %inventory_boottime% ; %inventory_system_manufacturer% ; %inventory_timezone% ; %inventory_productid%  > systeminfo_inventory.csv
  87.  
  88.  
  89. :: Step 4
  90. :: User and account information
  91. :: Service information
  92. if %debug%==1 echo "net start"
  93. net start > net_start.txt
  94.  
  95.  
  96. if %debug%==1 echo "net user"
  97. net user > net_user.txt
  98. if %debug%==1 echo "net account"
  99. net accounts > net_accounts.txt
  100. if %debug%==1 echo "net use"
  101. net use > net_use.txt
  102. if %debug%==1 echo "net view"
  103. net view > net_view.txt
  104. if %debug%==1 echo "net use"
  105. net config server >> net_config.txt
  106. if %debug%==1 echo "net use"
  107. net config workstation >> net_config.txt
  108. if %debug%==1 echo "net localgroup"
  109. net localgroup >> net_localgroup.txt
  110. echo > net_localgroup_detail.txt
  111.  
  112. for /F "tokens=* eol=- skip=2" %%a in (net_localgroup.txt) do call :processlocalgroup %%a
  113.  
  114.  
  115. if %debug%==1 echo "users"
  116. echo > users_detail.txt
  117.  
  118. for /F "tokens=* delims=  eol=- skip=2" %%a in (net_user.txt) do call :processuser %%a
  119.  
  120.  
  121.  
  122.  
  123. :: Step 5
  124. :: Network information
  125.  
  126. if %debug%==1 echo "ipconfig dns"
  127. ipconfig /displaydns > ipconfig_dnscache.txt
  128.  
  129. if %debug%==1 echo "ipconfig"
  130. ipconfig /all > ipconfig_all.txt
  131. if %debug%==1 echo "route"
  132. route print > route_print.txt
  133. if %debug%==1 echo "fw"
  134. netsh firewall show state >> fw_config.txt
  135. netsh firewall show config >> fw_config.txt
  136. netsh advfirewall firewall show rule name=all > fwadv_config.txt
  137. netsh dump > fw_dump.txt
  138.  
  139. if %debug%==1 echo "rpc"
  140. netsh rpc show >> rpc_config.txt
  141.  
  142. if %debug%==1 echo "netstat"
  143. netstat -nao > netstat.txt
  144.  
  145. if %debug%==1 echo "netstat stats"
  146. netstat -s > netstat_stats.txt
  147.  
  148. if %debug%==1 echo "arp"
  149. arp -a > arp.txt
  150. arp -a -v > arp_verbose.txt
  151.  
  152. if %debug%==1 echo "nbtstat"
  153. nbtstat -n > nbtstat_n.txt
  154. nbtstat -c > nbtstat_c.txt
  155. nbtstat -s > nbtstat_s.txt
  156.  
  157.  
  158. :: Step 6
  159. :: Running procecess
  160. if %debug%==1 echo "ps"
  161. tasklist > tasklist.txt
  162. tasklist /v > tasklist_verbose.txt
  163. tasklist /SVC > tasklist_svc.txt
  164. tasklist /v /FO CSV > tasklist.csv
  165. tasklist /SVC /FO CSV > tasklist_svc.csv
  166.  
  167. :: Step 7
  168. :: Installed software
  169. :: Installed services
  170.  
  171. if %debug%==1 echo "installed"
  172.  
  173. echo ================= >>software_list.txt
  174. reg export HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall temp1.txt
  175. find "DisplayName" temp1.txt| find /V "ParentDisplayName" > temp2.txt
  176. for /f "tokens=2,3 delims==" %%a in (temp2.txt) do (echo %%a >> software_list.txt)
  177. del temp1.txt
  178. del temp2.txt
  179.  
  180. for /f "usebackq tokens=1,2,3 delims=:" %%i in (`sc query state^= all`) do (
  181.  rem echo %%i %%j %%k
  182.   if "%%i"=="SERVICE_NAME" call :%%i %%j %%k
  183. )
  184.  
  185. wmic  /output:software_list_wmic.csv  product get * /format:"%WINDIR%\System32\wbem\en-US\csv"
  186.  
  187. dir /a "C:\Program Files" > software_list_programfiles.txt
  188. dir /a "C:\Program Files (x86)" > software_list_programfiles_x86.txt
  189.  
  190. wmic /output:software_list_hotfixes.csv qfe list /format:"%WINDIR%\System32\wbem\en-US\csv"
  191.  
  192.  
  193. :: Step 8
  194. :: Policies
  195. gpresult /r > gpresult.txt
  196.  
  197.  
  198. :: Step 9
  199. :: Log configuration setup
  200. wevtutil gl Application > log_config_application.txt
  201. wevtutil gli Application >> log_config_application.txt
  202. wevtutil gl Security > log_config_security.txt
  203. wevtutil gli Security >> log_config_security.txt
  204. wevtutil gl Setup > log_config_setup.txt
  205. wevtutil gli Setup >> log_config_setup.txt
  206. wevtutil gl System > log_config_system.txt
  207. wevtutil gli System >> log_config_system.txt
  208.  
  209.  
  210. wevtutil qe Security > log_security.txt
  211. wevtutil qe System > log_system.txt
  212.  
  213.  
  214. :: Step 10
  215. :: USB Information
  216. reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB" reg_enum_usb.txt
  217. copy %SYSTEMROOT%\inf\setupapi.app.log .
  218. copy %SYSTEMROOT%\inf\setupapi.dev.log .
  219.  
  220.  
  221. :: Step 11
  222. :: Driver Information
  223. driverquery > driverquery.txt
  224. driverquery /v /FO CSV > driverquery.csv
  225.  
  226.  
  227. :: Step 12
  228. :: Get scheduled tasks
  229. schtasks /query /FO CSV /V >schtasks.csv
  230.  
  231.  
  232. :: Step 13
  233. :: Get startup items
  234. wmic /output:wmic_startup.csv startup list full /format:"%WINDIR%\System32\wbem\en-us\csv"
  235.  
  236.  
  237. :: Step 14
  238. :: Get whoami information
  239. whoami /user /fo csv > whoami_user.csv
  240. whoami /groups /fo csv > whoami_groups.csv
  241. whoami /priv /fo csv > whoami_priv.csv
  242.  
  243.  
  244. :: Step 15
  245. :: Get group policy results
  246. gpresult /r > gpresult_summary.txt
  247.  
  248.  
  249. :: Step 16
  250. :: Copy files from drivers/drivers_etc_networks
  251. copy %windir%\system32\drivers\etc\networks drivers_etc_networks
  252. copy %windir%\system32\drivers\etc\hosts drivers_etc_hosts
  253.  
  254.  
  255. :: Step 17
  256. :: List of logical disks
  257. wmic /output:logicaldisk.csv logicaldisk get caption, description, providername, filesystem,volumeserialnumber /format:"%WINDIR%\System32\wbem\en-US\csv"
  258.  
  259.  
  260. :: END
  261.  
  262. exit /b
  263.  
  264.  
  265. :: SUBROUTINES
  266.  
  267. :processlocalgroup
  268. set mygroup=%*
  269. set mygroup2=%mygroup:~1,200%
  270.  
  271. echo %mygroup2% >> net_localgroup_detail.txt
  272. echo ------------- >>  net_localgroup_detail.txt
  273. net localgroup %mygroup2% >> net_localgroup_detail.txt
  274. echo >> net_localgroup_detail.txt
  275.  
  276.  
  277. :processuser
  278. if {%1}=={} goto :end_user
  279. net user %1 >> users_detail.txt
  280.  
  281. shift
  282. goto :processuser
  283.  
  284. :end_user
  285.  
  286.  
  287. :SERVICE_NAME
  288. ::  echo %0 %1 %2
  289.   set a=%1
  290.   set a=%a:(=_%
  291.   set a=%a:)=_%
  292.   if     "%2"==""   call :process-service %a%
  293.   if not "%2"=="" call :process-service %a%$%2
  294.  
  295.  
  296. :process-service
  297. ::if %debug%==1 echo service "%1"
  298.  
  299.   set service_display_name=
  300.   set service_name=
  301.   set service_pid=
  302.   set service_properties=
  303.   set service_state=
  304.   set service_type=
  305. :: `sc query` and `sc queryex` will only show DISPLAY_NAME when no SERVICE_NAME is specified
  306. :: so we have to perform `sc query` for ALL services, then grab the DISPLAY_NAME for the matching SERVICE_NAME
  307.   for /f "usebackq tokens=1,* delims=:, " %%s in (`sc query state^= all`) do (
  308.    rem if "%%s"=="STATE" if not !%1!==!! echo %%v state of %1 is %%v
  309.     if "%%s"=="SERVICE_NAME" set service_name=%%t
  310.     if "%%s"=="DISPLAY_NAME" if "!service_name!"=="%1" set service_display_name=%%t
  311.     set first_char=%%s
  312.     set first_char=!first_char:~0,1!
  313.     if "!first_char!"=="(" if "!service_name!"=="%1" set service_properties=%%s, %%t
  314.    rem echo "!first_char!", !service_properties!, %%s, %%t
  315.   )
  316.   set service_name=
  317. :: find all services by SERVICE_NAME, then list STATE, TYPE, DISPLAY_NAME, and "" (this is on the line below STATE)
  318.   for /f "usebackq tokens=1,2,3,4 delims=:, " %%s in (`sc queryex %1`) do (
  319.    rem if "%%s"=="STATE" if not !%1!==!! echo %%v state of %1 is %%v
  320.     if "%%s"=="PID" set service_pid=%%t
  321.     if "%%s"=="SERVICE_NAME" set service_name=%%t
  322.     if "%%s"=="STATE" set service_state=%%u
  323.     if "%%s"=="STATE" set service_state=%%u
  324.     if "%%s"=="TYPE" set service_type=%%u
  325.     if "%%s"=="STATE" set service_state=%%u
  326.    rem echo "%%s", "%%t", "%%u", "%%v"
  327.   )
  328.   echo %service_pid%, %service_state%, %service_type%, %service_name%, %service_properties%, %service_display_name% >> SERVICE_list.txt