On a live system, a batch script can be used to collect a great deal of information about the computer.
In fact, the code written here is the kind of batch script an attacker runs after breaking into a victim's machine.
We approach it from a forensic angle and go through the items one by one.
1. Check the computer name, date and current time
echo %computername% %date% %time%
2. Check the Windows version
ver
3. Check the environment variables
set
4. Current settings for logon restrictions and domain information
net ACCOUNTS
5. Check the same settings for the specified domain
net ACCOUNTS /domain
6. List the shared resources currently configured on this computer
net share
@echo off
:: Full msinfo32 report only when the script is started with the "info" argument
if /i {%1} == {info} %systemroot%\system32\dllcache\msinfo32 /nfo C:\%computername%.nfo
:: Host identity, OS version, environment and account policy
echo %computername% %date% %time% >>C:\%computername%.txt
ver >>C:\%computername%.txt
set >>C:\%computername%.txt
net ACCOUNTS >>C:\%computername%.txt
net ACCOUNTS /domain >>C:\%computername%.txt
:: Shares, drives, mapped connections, open files and inbound sessions
net share >>C:\%computername%.txt
fsutil fsinfo drives >>C:\%computername%.txt
net use >>C:\%computername%.txt
net file >>C:\%computername%.txt
net session >>C:\%computername%.txt
:: Routing, logged-on users, network configuration, domain time and ARP cache
route print >>C:\%computername%.txt
quser >>C:\%computername%.txt
query user >>C:\%computername%.txt
qwinsta >>C:\%computername%.txt
ipconfig /all >>C:\%computername%.txt
ping -w 2 -n 2 www.google.com >>C:\%computername%.txt
net time /domain >>C:\%computername%.txt
arp -a >>C:\%computername%.txt
:: Local accounts and members of the Administrators group
net user >>C:\%computername%.txt
net user Administrator >>C:\%computername%.txt
net localgroup Administrators >>C:\%computername%.txt
:: TCP sockets with owning PID (-o) so they can be matched against tasklist output
::netstat -ap tcp >>C:\%computername%.txt
netstat -anop tcp >>C:\%computername%.txt
:: Directory listings sorted newest first (/o-d); 8.3 names (progra~1, docume~1) cover older Windows
dir \. /o-d >>C:\%computername%.txt
dir %SystemDrive%\progra~1 /o-d >>C:\%computername%.txt
if exist %SystemDrive%\progra~2 dir %SystemDrive%\progra~2 /o-d >>C:\%computername%.txt
dir %SystemDrive%\docume~1 /o-d >>C:\%computername%.txt
if exist %SystemDrive%\users dir %SystemDrive%\users /o-d >>C:\%computername%.txt
:: RDP client files and recently opened documents
dir %SystemDrive%\docume~1\Default.rdp /s /a >>C:\%computername%.txt
if exist %SystemDrive%\users dir %SystemDrive%\users\Default.rdp /s /a >>C:\%computername%.txt
dir %SystemDrive%\docume~1\%USERNAME%\Recent /a /o-d >>C:\%computername%.txt
dir %SystemDrive%\users\%USERNAME%\AppData\Roaming\Microsoft\Windows\Recent >>C:\%computername%.txt
:: Running services, processes (with services, verbose, loaded modules), network neighbourhood
net start >>C:\%computername%.txt
tasklist /svc >>C:\%computername%.txt
tasklist /v >>C:\%computername%.txt
tasklist /m >>C:\%computername%.txt
net view >>C:\%computername%.txt
net view /domain >>C:\%computername%.txt
systeminfo | find /v "File" >>C:\%computername%.txt
type %systemroot%\system32\drivers\etc\hosts >>C:\%computername%.txt
:: Autostart entries, proxy settings, RDP client history and Windows Update policy
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>C:\%computername%.txt
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>C:\%computername%.txt
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer >>C:\%computername%.txt
reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL >>C:\%computername%.txt
reg query "HKCU\Software\Microsoft\Terminal Server Client\Default" >>C:\%computername%.txt
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate >>C:\%computername%.txt
echo.
:: Installed software: list Uninstall subkeys (dropping KB hotfixes), then read DisplayName/DisplayVersion of each
del C:\uninstall_information >nul 2>nul
set uninstall=HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
reg query %uninstall% | find /v "KB" >>C:\uninstall_information
echo --SoftWare info------StartTime=%time%------------------->>C:\%computername%.txt
if not exist C:\uninstall_information goto softwareend
for /f "delims=\ tokens=7" %%a in (C:\uninstall_information) do (
reg query "%uninstall%\%%a" | find /i "DisplayName" >>C:\%computername%.txt
reg query "%uninstall%\%%a" | find /i "DisplayVersion" >>C:\%computername%.txt)
del C:\uninstall_information >nul 2>nul
:softwareend
echo ---------------------EndTime=%time%--------------------->>C:\%computername%.txt
:: Firewall configuration, globally open ports and scheduled tasks
netsh firewall show config >>C:\%computername%.txt
reg query HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List >>C:\%computername%.txt
schtasks /query /v /fo list >>C:\%computername%.txt
:: The script deletes itself once collection is finished
del %0 /q
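The script above writes `netstat -anop tcp` and `tasklist /svc` into the same collection file; the first thing an analyst does with those two blocks is join them on PID so every socket is attributed to a process image and the services it hosts. The following is an added example, not code from the original post; the two sample outputs are constructed, not captured from a real host.

```python
import re

# Constructed sample of 'netstat -anop tcp' output (not from a real host)
NETSTAT_SAMPLE = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1204
  TCP    192.168.56.10:49812    203.0.113.7:443        ESTABLISHED     4412
"""

# Constructed sample of 'tasklist /svc' output
TASKLIST_SAMPLE = """\

Image Name                     PID Services
========================= ======== ============================================
svchost.exe                    880 RpcEptMapper, RpcSs
svchost.exe                   1204 TermService
update.exe                    4412 N/A
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(.+?)\s+(\d+)\s+(.*)$")


def parse_netstat(text):
    """One dict per TCP socket line; banner, header and blank lines do not match."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            local, remote, state, pid = m.groups()
            rows.append({"local": local, "remote": remote, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist_svc(text):
    """Map PID -> (image name, hosted services); 'N/A' means the process hosts none."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            image, pid, svcs = m.groups()
            services = [] if svcs.strip() == "N/A" else [s.strip() for s in svcs.split(",")]
            procs[int(pid)] = (image.strip(), services)
    return procs


def attribute_sockets(netstat_text, tasklist_text):
    """Join sockets to processes on PID; PIDs missing from tasklist are marked unknown."""
    procs = parse_tasklist_svc(tasklist_text)
    out = []
    for row in parse_netstat(netstat_text):
        image, services = procs.get(row["pid"], ("<unknown>", []))
        out.append({**row, "image": image, "services": services})
    return out


def established_without_service(rows):
    """Triage view: established sockets owned by a process that hosts no service."""
    return [r for r in rows if r["state"] == "ESTABLISHED" and not r["services"]]
```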