Incident-response forensics script for Windows (in testing)

Testing shows there are still many problems; I'm still improving it. Suggestions are welcome. I'm a beginner still learning.

  ::Forensics / incident-response collection script
  ::2018/5/02
  
  del c:\antiy_information.txt
  del c:\antiy_executablepath.csv
  del c:\antiy_process.html
  del c:\antiy_startup.csv
  chcp 65001
  @echo ****************************************************************************** >>c:\antiy_information.txt
  @echo * Antiy information collection * >>c:\antiy_information.txt
  @echo ****************************************************************************** >>c:\antiy_information.txt
  
  ::Do not echo the commands themselves
  @echo off
  
  ::Get the system time
  echo ************************ System time ************************ >>c:\antiy_information.txt
  date /t >>c:\antiy_information.txt
  time /t >>c:\antiy_information.txt
  echo Got system time successfully!
  
  ::User and group information
  echo ************************ User information ************************ >>c:\antiy_information.txt
  net user >>c:\antiy_information.txt
  echo ************************ User groups ************************ >>c:\antiy_information.txt
  net localgroup >>c:\antiy_information.txt
  echo ************************ Local group Administrators ************************ >>c:\antiy_information.txt
  net localgroup administrators >>c:\antiy_information.txt
  
  ::File share information
  echo ************************ File shares ************************ >>c:\antiy_information.txt
  net share >>c:\antiy_information.txt
  
  ::Host information
  echo ************************ Host name ************************ >>c:\antiy_information.txt
  hostname >>c:\antiy_information.txt
  
  echo ************************ User name ************************ >>c:\antiy_information.txt
  whoami >>c:\antiy_information.txt
  
  echo ************************ System version ************************ >>c:\antiy_information.txt
  ver >>c:\antiy_information.txt
  echo Got system information successfully!
  
  ::Processes and their network connections (netstat -b needs an elevated prompt)
  echo ************************ Process path and network information ************************ >>c:\antiy_information.txt
  netstat -bno >>c:\antiy_information.txt
  echo Got process path and network information successfully!
  
  ::Process information
  echo ************************ Process information (tasklist) ************************ >>c:\antiy_information.txt
  tasklist >>c:\antiy_information.txt
  echo Got process information successfully!
  
  ::Network configuration
  echo ************************ Network configuration information ************************ >>c:\antiy_information.txt
  ipconfig >>c:\antiy_information.txt
  echo Got network configuration information successfully!
  
  ::Network connections
  echo ************************ Network connection information ************************ >>c:\antiy_information.txt
  netstat -ano >>c:\antiy_information.txt
  echo Got network connection information successfully!
  
  ::WMIC process paths
  echo ************************ WMIC process paths ************************ >>c:\antiy_information.txt
  wmic process list full /format:hform >c:\antiy_process.html
  ::wmic process list brief /format:hform >c:\antiy_information.html
  ::wmic process get description,executablepath,commandline,ProcessId,ParentProcessId /format:hform >c:\antiy_information2.csv
  wmic process get executablepath,ProcessId /format:csv >c:\antiy_executablepath.csv
  echo Got WMIC process paths successfully!
  
  ::Startup items
  wmic startup list full /format:csv >c:\antiy_startup.csv
  echo Got startup information successfully!
  
  ::Scheduled tasks
  echo ************************ Task list ************************ >>c:\antiy_information.txt
  schtasks /query /FO LIST /V >>c:\antiy_information.txt
  echo Got task list successfully!
  
  ::Services
  echo ************************ Service list ************************ >>c:\antiy_information.txt
  tasklist /svc >>c:\antiy_information.txt
  sc query state= all >>c:\antiy_information.txt
  echo Got service list successfully!
  
  ::DNS cache
  echo ************************ DNS information ************************ >>c:\antiy_information.txt
  ipconfig /displaydns >>c:\antiy_information.txt
  echo Got DNS information successfully!
  
  echo Logs saved to the C:\antiy_*.* path.
  
  pause
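The batch script above deletes the previous run's files before collecting, writes everything to fixed paths on C:\, and gives no way to check later whether a collected file was altered. The following is an added example (not the poster's script) that collects the same categories of volatile evidence in PowerShell. It assumes an elevated Windows PowerShell 5.1 prompt on Windows 10 / Server 2016 or later, where the LocalAccounts, SmbShare, DnsClient, NetTCPIP and ScheduledTasks modules are built in; the output folder name, the collector names and the SHA256SUMS.csv manifest are choices made here, not anything from the original post. Each run gets its own timestamped directory so earlier evidence is never overwritten, each collector is isolated so one failure does not abort the rest, and every output file is hashed at the end so the set can be verified when handed over.

```powershell
# Added example, not the original post's batch script. Assumes an elevated
# Windows PowerShell 5.1 session on Windows 10+/Server 2016+ with the built-in
# LocalAccounts, SmbShare, DnsClient, NetTCPIP and ScheduledTasks modules.
# Output directory name and collector names are arbitrary choices of this example.

$stamp  = Get-Date -Format 'yyyyMMdd_HHmmss'
$outDir = Join-Path $env:SystemDrive ("ir_" + $env:COMPUTERNAME + "_" + $stamp)
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Ordered name => script block. Each block mirrors one section of the batch script.
$collectors = [ordered]@{
    # date /t, time /t, plus the boot time so uptime can be reasoned about later
    'system_time' = { Get-Date -Format o; (Get-CimInstance Win32_OperatingSystem).LastBootUpTime }
    # hostname / ver
    'host_os'     = { Get-CimInstance Win32_OperatingSystem |
                          Select-Object CSName, Caption, Version, BuildNumber, OSArchitecture | Format-List }
    # whoami, with groups and privileges of the collecting account
    'whoami'      = { whoami /all }
    # net user
    'local_users' = { Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet | Format-Table -AutoSize }
    # net localgroup administrators; the well-known SID works on localized Windows too
    'local_admins' = { Get-LocalGroupMember -SID 'S-1-5-32-544' | Format-Table -AutoSize }
    # net share
    'shares'      = { Get-SmbShare | Format-Table -AutoSize }
    # ipconfig
    'ipconfig'    = { ipconfig /all }
    # ipconfig /displaydns
    'dns_cache'   = { Get-DnsClientCache | Format-Table -AutoSize }
    # netstat -ano: OwningProcess joins against ProcessId in the process listing
    'net_tcp'     = { Get-NetTCPConnection |
                          Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
                          Sort-Object State | Format-Table -AutoSize }
    # wmic process get executablepath,ProcessId (plus parent and command line)
    'processes'   = { Get-CimInstance Win32_Process |
                          Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine | Format-List }
    # tasklist /svc and sc query state= all
    'services'    = { Get-CimInstance Win32_Service |
                          Select-Object Name, State, StartMode, StartName, PathName | Format-Table -AutoSize }
    # wmic startup
    'startup'     = { Get-CimInstance Win32_StartupCommand |
                          Select-Object Name, Command, Location, User | Format-List }
    # schtasks /query /FO LIST /V, flattening each task's actions to one line
    'scheduled_tasks' = { Get-ScheduledTask |
                          Select-Object TaskName, TaskPath, State,
                              @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }} |
                          Format-List }
}

foreach ($name in $collectors.Keys) {
    $file   = Join-Path $outDir "$name.txt"
    $header = "=== $name (collected $(Get-Date -Format o) on $env:COMPUTERNAME) ==="
    try {
        # 2>&1 keeps error text (e.g. access denied) in the evidence file instead of losing it
        $body = & $collectors[$name] 2>&1 | Out-String -Width 4096
    } catch {
        $body = "COLLECTOR FAILED: $($_.Exception.Message)"
    }
    Set-Content -Path $file -Value @($header, $body) -Encoding UTF8
}

# Hash every output file after collection is complete so the set can be verified later.
# The file list is materialised first so the manifest does not end up hashing itself.
$files = Get-ChildItem -Path $outDir -File
$files | Get-FileHash -Algorithm SHA256 |
    Select-Object @{n='File'; e={ Split-Path $_.Path -Leaf }}, Hash |
    Export-Csv -Path (Join-Path $outDir 'SHA256SUMS.csv') -NoTypeInformation

Write-Host "Collection written to $outDir"
```

Run it from an elevated prompt; without elevation some collectors (process command lines of other users, the full TCP table) return partial data, and the error text lands in the corresponding .txt file rather than silently producing an empty section. Ideally the directory is then copied off the host and the hashes recomputed on the analysis machine before anything is opened.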
  
