Windows Batch used to create system baselines
@ECHO OFF
@REM Logic used to create system baselines and output to log files
SETLOCAL ENABLEDELAYEDEXPANSION
@REM Use WMIC to retrieve a locale-independent date (WMIC returns the requested columns in alphabetical order: Day,Hour,Minute,Month,Second,Year)
FOR /F "skip=1 tokens=1-6" %%A IN ('WMIC Path Win32_LocalTime Get Day^,Hour^,Minute^,Month^,Second^,Year /Format:table') DO (
IF NOT "%%~F"=="" (
SET /A SortDate = 10000 * %%F + 100 * %%D + %%A
set YEAR=!SortDate:~0,4!
set MON=!SortDate:~4,2!
set DAY=!SortDate:~6,2!
)
)
@REM No quotes around the value: they would become part of every log file name. Year first so the logs sort chronologically.
SET TODAY=!YEAR!-!MON!-!DAY!
@REM WMIC is deprecated and absent on recent Windows 11 builds; fall back to PowerShell for the date if it produced nothing
IF NOT DEFINED YEAR (FOR /F %%A IN ('powershell -NoProfile -Command "Get-Date -Format yyyy-MM-dd"') DO SET TODAY=%%A)
@REM Abort early if not elevated: netstat -b and the log directory under System32 both require it
net session >nul 2>&1
IF ERRORLEVEL 1 (
@echo This script must be run from an elevated Administrator command prompt.
pause
exit /b 1
)
@REM Creation of directory to store log files (Requires Admin Rights!)
@REM Caveat: a baseline kept on the host can be edited by anyone who gains admin on it; copy the logs to another system after each run.
mkdir "c:\windows\system32\systemBaseline" > nul 2> nul
@REM No trailing slash or quote here; the '/' used as a separator in the paths below is accepted by Windows
SET LOGDIR=C:\windows\system32\systemBaseline
@REM # Custom Welcome Banner
@echo on
@echo *****************************************************************
@echo * ____ __ ___ ___ *
@echo * / __/_ _____ / /____ __ _ / _ )___ ____ ___ / (_)__ ___ *
@echo * _\ \/ // (_-/ __ / -_) ' \ / _ / _ \`(_-/ -_) / / _ \/ -_)*
@echo * /___/\_, /___/\__/\__/_/_/_/ /____/\_,_/___/\__/_/_/_//_/\__/ *
@echo * /___/ *
@echo * *
@echo *****************************************************************
@ECHO.
@ECHO.
@echo ========= System Baseline Creation for System Monitoring ========
@ECHO OFF
@REM ####################################################
@ECHO OFF
pause
goto PortListeners
:PortListeners
@ECHO OFF
@REM ####################################################
@ECHO.
@echo ===================================
@echo Searching for ports listeners...
@echo ===================================
@ECHO OFF
@echo ############################################################ > %LOGDIR%/portListeners_%TODAY%.log
@echo ############ netstat Analysis for port listeners ########### >> %LOGDIR%/portListeners_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/portListeners_%TODAY%.log
netstat -naob >> %LOGDIR%/portListeners_%TODAY%.log
@REM -n shows addresses and ports numerically; -a includes listening sockets as well as established connections.
@REM -o adds the owning Process ID to each row.
@REM -b (Windows XP SP2 and later) adds the executable, and where known the component, that owns each socket (Requires Elevated Privileges).
@echo It is important to know which ports are normally open on your system so that a rogue listener stands out.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'portListeners_' followed by the date.
@ECHO.
@echo Be sure to keep an eye out for unusual listening ports on your system. PIDs change across reboots, so compare on port and image name rather than PID.
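Added example (PowerShell, not part of the gist): the check a practitioner wants after collecting portListeners_<date>.log is "which listeners are new since the last snapshot". The parser below reads the text format that netstat -naob writes, including the [image] lines that -b prints under each socket row, keeps TCP LISTENING and bound UDP sockets, and compares two snapshots on protocol/port/image rather than on PID. The function names and the two sample netstat captures are constructed for this example, not taken from the script.

```powershell
function ConvertFrom-NetstatListeners {
    # Returns one object per TCP LISTENING socket and per bound UDP socket.
    # With -b, netstat prints the owner on the line(s) BELOW the socket row:
    #   TCP    0.0.0.0:135   0.0.0.0:0   LISTENING   920
    #   RpcSs                      <- optional component/service name
    #  [svchost.exe]               <- image name in brackets
    param([Parameter(Mandatory)][string[]]$Lines)

    $records = [System.Collections.Generic.List[object]]::new()
    $current = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$') {
            $proto = $Matches[1]; $local = $Matches[2]; $state = $Matches[4]; $owner = [int]$Matches[5]
            # UDP rows have no state column; a bound UDP socket is effectively a listener
            if ($proto -eq 'UDP') { $state = 'BOUND' }
            # drop ESTABLISHED/TIME_WAIT etc.; their annotation lines are then skipped too
            if ($proto -eq 'TCP' -and $state -ne 'LISTENING') { $current = $null; continue }
            $current = [pscustomobject]@{
                Proto     = $proto
                LocalAddr = $local
                Port      = [int]$local.Substring($local.LastIndexOf(':') + 1)
                State     = $state
                OwnerPid  = $owner
                Image     = $null
                Component = $null
            }
            $records.Add($current)
        }
        elseif ($current -and $line -match '^\s*\[(.+)\]\s*$') {
            $current.Image = $Matches[1]
        }
        elseif ($current -and $line -match '^\s+(\S.*?)\s*$') {
            # service/component name, or 'Can not obtain ownership information'
            $current.Component = $Matches[1]
        }
    }
    return $records.ToArray()
}

function Compare-NetstatBaseline {
    # Keys on protocol/port/image and deliberately NOT on PID: PIDs change on every
    # boot, so a raw line diff of two logs is mostly noise. A known port now served by a
    # different image shows up as one REMOVED and one NEW entry.
    param(
        [Parameter(Mandatory)][string[]]$BaselineLines,
        [Parameter(Mandatory)][string[]]$CurrentLines
    )
    $index = {
        param($lines)
        $h = @{}
        foreach ($r in (ConvertFrom-NetstatListeners -Lines $lines)) {
            $h["$($r.Proto)/$($r.Port) $($r.Image)"] = $r
        }
        $h
    }
    $base = & $index $BaselineLines
    $curr = & $index $CurrentLines
    foreach ($k in $curr.Keys) {
        if (-not $base.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'NEW'; Listener = $k; Local = $curr[$k].LocalAddr; OwnerPid = $curr[$k].OwnerPid }
        }
    }
    foreach ($k in $base.Keys) {
        if (-not $curr.ContainsKey($k)) {
            [pscustomobject]@{ Change = 'REMOVED'; Listener = $k; Local = $base[$k].LocalAddr; OwnerPid = $base[$k].OwnerPid }
        }
    }
}

# Constructed sample captures; real ones come from the script's portListeners_<date>.log
$baselineLog = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       920
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    10.0.0.5:49712         52.96.0.10:443         ESTABLISHED     3100
 [OneDrive.exe]
  UDP    0.0.0.0:5353           *:*                                    4120
 [chrome.exe]
'@
$currentLog = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
 Can not obtain ownership information
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       5620
 [nc.exe]
  UDP    0.0.0.0:5353           *:*                                    4310
 [chrome.exe]
'@

Compare-NetstatBaseline -BaselineLines ($baselineLog -split "`r?`n") -CurrentLines ($currentLog -split "`r?`n") |
    Format-Table -AutoSize
```

For real logs, replace the two here-strings with Get-Content over two portListeners_*.log files; the '####' banner lines the script writes match neither pattern and are ignored. In the sample, the PID of the RPC listener on port 135 differs between the captures and is deliberately not reported, while the new listener on 4444 is.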
@REM ####################################################
@ECHO OFF
pause
goto Processes
:Processes
@ECHO OFF
@REM ####################################################
@ECHO.
@echo ===================================
@echo System Processes:
@echo ===================================
@ECHO.
@echo Let's create a baseline after a clean boot to determine our 'normal' processes.
@ECHO.
@echo ########################################################### > %LOGDIR%/processes_%TODAY%.log
@echo ############ tasklist View of Running Processes ########### >> %LOGDIR%/processes_%TODAY%.log
@echo ########################################################### >> %LOGDIR%/processes_%TODAY%.log
@echo Querying for all system processes now...
tasklist /v >> %LOGDIR%/processes_%TODAY%.log
@ECHO.
@echo All currently running processes are recorded to a .log file in the %LOGDIR% dir with a name of 'processes_' followed by the date.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue processes have been executed.
@ECHO.
@echo You can further investigate any identified process with the 'wmic process list full' command.
@ECHO.
@echo That output includes the full command line of the process and its ParentProcessId, which is often what separates a genuine svchost.exe from an impostor.
@REM ####################################################
@ECHO OFF
pause
goto Services
:Services
@ECHO.
@REM ####################################################
@ECHO.
@echo ===================================
@echo System Services:
@echo ===================================
@ECHO.
@echo Let's create a baseline after a clean boot to determine our 'normal' services.
@ECHO.
@echo ########################################################### > %LOGDIR%/servicesStarted_%TODAY%.log
@echo ############## System View of Started Services ############ >> %LOGDIR%/servicesStarted_%TODAY%.log
@echo ########################################################### >> %LOGDIR%/servicesStarted_%TODAY%.log
@echo Querying system services now...
sc query >> %LOGDIR%/servicesStarted_%TODAY%.log
@REM sc query lists only active services by default; 'sc query state= all' also includes stopped ones, which catches a newly installed service that has not started yet.
@ECHO.
@echo The output lists the services currently running on the system, with their state.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'servicesStarted_' followed by the date.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue services have been started.
@REM #####################
@ECHO.
@echo ############################################################ > %LOGDIR%/service2Processes_%TODAY%.log
@echo ############# tasklist View of Started Services ############ >> %LOGDIR%/service2Processes_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/service2Processes_%TODAY%.log
@echo Mapping System Services to Process now...
tasklist /svc >> %LOGDIR%/service2Processes_%TODAY%.log
@ECHO.
@echo The output will display how system services are mapping to the system processes they are running out of.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'service2Processes_' followed by the date.
@ECHO.
@echo A service hosted by an unexpected process, or a svchost.exe hosting an unfamiliar service name, is worth investigating.
@REM ####################################################
@ECHO OFF
pause
goto UnusualFiles
:UnusualFiles
@ECHO.
@REM ####################################################
@ECHO.
@echo ================================
@echo Identify LARGE System Files:
@echo ================================
@ECHO.
@echo Let's search the system for any 'LARGE' files (modify the size threshold in the FOR loop as appropriate).
@ECHO.
@echo ############################################################ > %LOGDIR%/10MB+Files_%TODAY%.log
@echo #################### LARGE System Files #################### >> %LOGDIR%/10MB+Files_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/10MB+Files_%TODAY%.log
@echo Querying for LARGE files now (this walks all of C:\ and can take several minutes)...
@REM %%~zi is the file size in bytes. Caveat: IF compares 32-bit signed integers, so sizes above 2 GB are not compared reliably.
FOR /R C:\ %%i IN (*) DO @IF %%~zi GTR 10000000 @echo %%i %%~zi >> %LOGDIR%/10MB+Files_%TODAY%.log
@ECHO.
@echo New large files (10MB+) could be data staged for exfiltration (archives, password lists) or dropped tooling.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of '10MB+Files_' followed by the date.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if large files appear.
@REM ####################################################
@ECHO OFF
pause
goto RegistryCheck
:RegistryCheck
@ECHO.
@REM ####################################################
@ECHO.
@echo ===================================
@echo AutoRun Registry Settings:
@echo ===================================
@ECHO.
@echo Let's create a baseline of the AutoRun entries under the 'HKLM' and 'HKCU' registry keys.
@ECHO.
@echo ############################################################ > %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ################### HKLM Registry Entries ################## >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo Querying the Local Machine (HKLM) registry entries now...
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo --------------((((( Run ENTRIES )))))-------------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------((((( RunOnce ENTRIES )))))------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo -----------((((( RunOnceEx ENTRIES )))))----------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ---((((( END )))))--- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ################### HKCU Registry Entries ################## >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo Querying the Current User registry entries now...
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo --------------((((( Run ENTRIES )))))-------------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------((((( RunOnce ENTRIES )))))------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo -----------((((( RunOnceEx ENTRIES )))))----------- >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------((((( END )))))------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log
@ECHO.
@echo The Run, RunOnce and RunOnceEx keys have been queried under HKLM (runs at every user's logon) and HKCU (current user only).
@ECHO.
@echo These are the most common autostart keys but not the only ones; on 64-bit Windows check the Wow6432Node copies too, and Sysinternals Autoruns covers the full set of autostart locations.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'registryAutoRun_' followed by the date.
@ECHO.
@echo Be sure to keep an eye on your system over time to determine if rogue entries have been added to the registry.
@REM ####################################################
@ECHO OFF
pause
goto ARPEntries
:ARPEntries
@ECHO.
@REM ####################################################
@ECHO.
@echo =======================================
@echo Searching for all ARP associations...
@echo =======================================
@ECHO.
@echo Let's baseline the ARP cache entries on the system.
@ECHO.
@echo ########################################################## > %LOGDIR%/arpAssociations_%TODAY%.log
@echo ##################### ARP Associations ################### >> %LOGDIR%/arpAssociations_%TODAY%.log
@echo ########################################################## >> %LOGDIR%/arpAssociations_%TODAY%.log
@echo Querying the ARP cache now...
arp -a >> %LOGDIR%/arpAssociations_%TODAY%.log
@ECHO.
@echo It is important to know your IP to MAC address associations in order to identify unusual mappings.
@ECHO.
@echo These are dynamic on most LANs and change over time, but a baseline helps spot ARP spoofing, a common way to set up a MITM: the gateway's IP suddenly mapping to a different MAC.
@ECHO.
@echo ARP spoofing of the default gateway can be mitigated with a static ARP entry for the gateway (deployable through a GPO startup script); the entry must be updated if the gateway hardware changes.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'arpAssociations_' followed by the date.
@ECHO.
@echo Be sure to keep an eye out for unusual MAC mappings of known layer 3 addresses.
@REM ####################################################
@ECHO OFF
pause
goto ScheduledTasks
:ScheduledTasks
@ECHO OFF
@REM ####################################################
@ECHO.
@echo =====================================
@echo Searching for Scheduled Tasks...
@echo =====================================
@ECHO.
@echo ############################################################ > %LOGDIR%/scheduledTasks_%TODAY%.log
@echo ################## System Scheduled Tasks ################## >> %LOGDIR%/scheduledTasks_%TODAY%.log
@echo ############################################################ >> %LOGDIR%/scheduledTasks_%TODAY%.log
@REM /v (verbose) includes the 'Task To Run' command line, which is what a baseline needs; LIST format keeps long paths readable
schtasks /query /fo LIST /v >> %LOGDIR%/scheduledTasks_%TODAY%.log
@ECHO.
@echo It is important to baseline the system's scheduled tasks to identify rogue tasks added to your system.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'scheduledTasks_' followed by the date.
@ECHO.
@echo You can delete a task from an elevated prompt with: schtasks /delete /tn TaskNameToDelete
@REM ####################################################
@ECHO OFF
pause
goto Accounts
:Accounts
@ECHO.
@REM ####################################################
@ECHO.
@echo ########################################################### > %LOGDIR%/adminGroup_%TODAY%.log
@echo ############### Administrator Group Members ############### >> %LOGDIR%/adminGroup_%TODAY%.log
@echo ########################################################### >> %LOGDIR%/adminGroup_%TODAY%.log
net localgroup administrators >> %LOGDIR%/adminGroup_%TODAY%.log
@ECHO.
@echo It is important to baseline the members of the local Administrators group: a new member is a common persistence step.
@ECHO.
@echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'adminGroup_' followed by the date.
@ECHO.
@echo Details of the user accounts can be viewed through the Local Users and Groups console. Launching now...
start lusrmgr.msc
@REM ####################################################
@ECHO.
pause
goto LogEntries
:LogEntries
@ECHO.
@REM ####################################################
@ECHO.
@echo Be sure to regularly review the Event Viewer (eventvwr.msc) as well, for items such as failed logons (Event ID 4625) and logons at unusual times or from unusual accounts (Event ID 4624).
@ECHO.
@echo Those events are only recorded if logon auditing is enabled. Launching the Local Security Policy console (secpol.msc) so you can confirm it under Local Policies / Audit Policy...
start secpol.msc
@REM ####################################################
@ECHO.
pause
goto end
:end
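Added example (PowerShell, not part of the gist): the script above tells you at every step to keep an eye on your system over time, which in practice means diffing each new log against the previous one. The function below does that for every log type in the baseline directory, pairing the two most recent files of each prefix by timestamp and ignoring the banner and separator lines the script echoes into each file. Compare-BaselineLogs, its parameters and the two registryAutoRun snapshots the demo writes to a temp folder are constructed for this example.

```powershell
function Compare-BaselineLogs {
    param(
        [Parameter(Mandatory)][string]$LogDir,
        # banner ('####') and separator ('----') lines the batch script writes into every log
        [string]$IgnorePattern = '^\s*[#\-]{3,}'
    )
    Get-ChildItem -Path $LogDir -Filter '*_*.log' |
        # group by the name prefix before the date, e.g. 'registryAutoRun'
        Group-Object { $_.BaseName.Substring(0, $_.BaseName.LastIndexOf('_')) } |
        ForEach-Object {
            $logName = $_.Name
            # order by file timestamp rather than by name so either date format in the name works
            $pair = @($_.Group | Sort-Object LastWriteTime | Select-Object -Last 2)
            if ($pair.Count -lt 2) { return }     # only one snapshot of this type so far
            $previous, $latest = $pair
            $prevLines = @(Get-Content $previous.FullName | Where-Object { $_.Trim() -and $_ -notmatch $IgnorePattern })
            $currLines = @(Get-Content $latest.FullName   | Where-Object { $_.Trim() -and $_ -notmatch $IgnorePattern })
            foreach ($d in (Compare-Object -ReferenceObject $prevLines -DifferenceObject $currLines)) {
                $change = if ($d.SideIndicator -eq '=>') { 'ADDED' } else { 'REMOVED' }
                [pscustomobject]@{
                    Log      = $logName
                    Change   = $change
                    Line     = $d.InputObject.Trim()
                    Previous = $previous.Name
                    Latest   = $latest.Name
                }
            }
        }
}

# --- Constructed demo: two registryAutoRun snapshots a week apart ---
$demoDir = Join-Path ([IO.Path]::GetTempPath()) 'systemBaselineDemo'
New-Item -ItemType Directory -Force -Path $demoDir | Out-Null
$oldLog = Join-Path $demoDir 'registryAutoRun_2018-08-31.log'
$newLog = Join-Path $demoDir 'registryAutoRun_2018-09-07.log'
@'
############################################################
################### HKLM Registry Entries ##################
############################################################

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
'@ | Set-Content -Path $oldLog
@'
############################################################
################### HKLM Registry Entries ##################
############################################################

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater           REG_SZ           C:\Users\Public\svchost.exe
'@ | Set-Content -Path $newLog
# make the older snapshot look a week old so the timestamp ordering is unambiguous
(Get-Item $oldLog).LastWriteTime = (Get-Date).AddDays(-7)

Compare-BaselineLogs -LogDir $demoDir | Format-Table -AutoSize
# Against the directory the batch script writes to:
# Compare-BaselineLogs -LogDir 'C:\windows\system32\systemBaseline'
```

Because PIDs and ephemeral ports change on every boot, this whole-line comparison is noisy for the portListeners_ and processes_ logs; for those, compare on stable fields (port plus image name, or image path plus parent) rather than raw lines. Keep the previous snapshot somewhere the host cannot rewrite it, or the comparison only proves the attacker edited both files consistently.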