Last active
September 7, 2018 17:29
blacklabssecurity revised this gist
Sep 7, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -157,7 +157,7 @@ goto UnusualFiles @echo Querying for LARGE files now... :WAITLOOP forfiles /S /P c:\ /M * /C "cmd /c if @fsize GEQ 10000000 echo @path - [ @fsize ]" >> %LOGDIR%/10MB+Files_%TODAY%.log @REM FOR /R C:\ %I in (*) do @if %~zI gtr 10000000 echo %I %~zI >> %LOGDIR%/10MB+Files_%TODAY%.log if "%ERRORLEVEL%"=="0" goto RUNNING goto NOTRUNNING :RUNNING -
blacklabssecurity revised this gist
Sep 7, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -157,7 +157,7 @@ goto UnusualFiles @echo Querying for LARGE files now... :WAITLOOP forfiles /S /P c:\ /M * /C "cmd /c if @fsize GEQ 10000000 echo @path - [ @fsize ]" >> %LOGDIR%/10MB+Files_%TODAY%.log @REM FOR /R c:\ %I in (*) do @if %~zI gtr 10000000 echo %I %~zI >> %LOGDIR%/10MB+Files_%TODAY%.log if "%ERRORLEVEL%"=="0" goto RUNNING goto NOTRUNNING :RUNNING -
blacklabssecurity revised this gist
Sep 7, 2018 . 1 changed file with 1 addition and 1 deletion.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -156,7 +156,7 @@ goto UnusualFiles @echo ############################################################ >> %LOGDIR%/10MB+Files_%TODAY%.log @echo Querying for LARGE files now... :WAITLOOP forfiles /S /P c:\ /M * /C "cmd /c if @fsize GEQ 10000000 echo @path - [ @fsize ]" >> %LOGDIR%/10MB+Files_%TODAY%.log @REM FOR /R "C:\" '%I' in (*) do @if "%~zI" gtr 10000000 echo %I %~zI >> %LOGDIR%/10MB+Files_%TODAY%.log if "%ERRORLEVEL%"=="0" goto RUNNING goto NOTRUNNING -
blacklabssecurity revised this gist
Sep 7, 2018 . 1 changed file with 57 additions and 45 deletions.There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode charactersOriginal file line number Diff line number Diff line change @@ -1,25 +1,20 @@ @ECHO OFF @REM Logic used to create system baselines and output to log files @REM Requires elevated privileges @SETLOCAL ENABLEDELAYEDEXPANSION @REM Use WMIC to retrieve date and time @ECHO OFF for /f %%x in ('wmic path win32_localtime get /format:list ^| findstr "="') do set %%x set TODAY=%Month%-%Day%-%Year% @REM Creation of directory to store log files mkdir "c:\windows\system32\systemBaseline" > nul 2> nul SET LOGDIR=C:\windows\system32\systemBaseline @REM # Custom Welcome Banner cls @echo on @echo ***************************************************************** @echo * ____ __ ___ ___ * @@ -60,7 +55,7 @@ netstat -naob >> %LOGDIR%/portListeners_%TODAY%.log @echo on @echo It is important to discover what ports are usually open on your system to determine if a rouge port has been established. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'portListeners_%TODAY%'. @ECHO. @echo Be sure to keep an eye out for unusual listening ports on your system. @@ -87,7 +82,7 @@ goto Processes @echo Querying for all system processes now... tasklist /v >> %LOGDIR%/processes_%TODAY%.log @ECHO. @echo All current running processes are recorded to a .log file in the %LOGDIR% dir with a name of 'processes_%TODAY%'. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge processes have been executed. @ECHO. 
@@ -120,7 +115,7 @@ sc query >> %LOGDIR%/servicesStarted_%TODAY%.log @ECHO. @echo The output will display the service that have been started on the system. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'servicesStarted_%TODAY%'. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge services have been started. @@ -135,7 +130,7 @@ tasklist /svc >> %LOGDIR%/service2Processes_%TODAY%.log @ECHO. @echo The output will display how system services are mapping to the system processes they are running out of. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'service2Processes_%TODAY%'. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge services have been started. @@ -160,11 +155,19 @@ goto UnusualFiles @echo #################### LARGE System Files #################### >> %LOGDIR%/10MB+Files_%TODAY%.log @echo ############################################################ >> %LOGDIR%/10MB+Files_%TODAY%.log @echo Querying for LARGE files now... :WAITLOOP forfiles /S /P c:\ /M * /C "cmd /c if @fsize GEQ 10000000 echo @path @fsize" >> %LOGDIR%/10MB+Files_%TODAY%.log @REM FOR /R "C:\" '%I' in (*) do @if "%~zI" gtr 10000000 echo %I %~zI >> %LOGDIR%/10MB+Files_%TODAY%.log if "%ERRORLEVEL%"=="0" goto RUNNING goto NOTRUNNING :RUNNING @REM Still querying... goto WAITLOOP :NOTRUNNING @ECHO. @echo Large file archives (10MB+) could be a sign of stolen software, password lists or other potentially malicious files. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of '10MB+Files_%TODAY%'. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if large files appear. 
@@ -192,22 +195,22 @@ goto RegistryCheck @echo Querying the Local Machine (HKLM) registry entries now... @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( Run ENTIRES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( RunOnce ENTIRES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce > nul 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( RunOnceEx ENTIRES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx > nul 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( END )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log 
@@ -217,27 +220,27 @@ reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx >> %LOGDIR%/r @echo Querying the Current User registry entries now... @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( Run ENTIRES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run > nul 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( RunOnce ENTIRES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce > nul 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( RunOnceEx ENTIRES )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx > nul 2> nul >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ----------((((( END )))))---------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo The registry entries have been queried for all processes executing at system boot and current user logon. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'registryAutoRun_%TODAY%'. 
@ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge entries have been added to the registry. @@ -270,9 +273,9 @@ arp -a >> %LOGDIR%/arpAssociations_%TODAY%.log @ECHO. @echo MITM attempts can be countered with static arp entries for a systems GW or AP (deployed through GPO). @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'arpAssociations_%TODAY%'. @ECHO. @echo Be sure to keep an eye out for unusual mappings of known layer 3 addresses. @REM #################################################### @@ -285,9 +288,9 @@ goto ScheduledTasks @ECHO. @echo ===================================== @echo Searching for Scheduled Tasks... @echo ===================================== @ECHO. @echo ############################################################ > %LOGDIR%/scheduledTasks_%TODAY%.log @echo ################## System Scheduled Tasks ################## >> %LOGDIR%/scheduledTasks_%TODAY%.log @@ -296,7 +299,7 @@ schtasks >> %LOGDIR%/scheduledTasks_%TODAY%.log @ECHO. @echo It is important to baseline the systems scheduled tasks to identify rouge tasks added to your system. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'scheduledTasks_%TODAY%'. @ECHO. @echo You can delete tasks through command with elevated privileges: schtasks /delete /tn TaskNameToDelete @@ -318,7 +321,7 @@ net localgroup administrators >> %LOGDIR%/adminGroup_%TODAY%.log @ECHO. @echo It is important to baseline the admin accounts on the system. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'adminGroup_%TODAY%'. @ECHO. @echo Details of the user accounts can be viewed throguh the Local User and Group console. Launching now... start lusrmgr.msc 
@@ -339,8 +342,17 @@ goto LogEntries start secpol.msc @ECHO OFF @echo =================================== @echo System Baseline has been created. @echo =================================== @ECHO OFF @echo All log outputs have been recorded in the %LOGDIR% directory. start "" "c:\windows\system32\systemBaseline\" @REM #################################################### @ECHO. pause goto end :end -
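Review bot: The `:WAITLOOP` scaffolding introduced in the `@@ -160,11 +155,19 @@` hunk cannot terminate: `forfiles` runs synchronously, so by the time `if "%ERRORLEVEL%"=="0" goto RUNNING` executes the scan has already finished, and since forfiles exits 0 whenever it found matching files (which `/S /P c:\ /M *` will on any live system) the branch lands on `:RUNNING`, whose only statement is `goto WAITLOOP`, so the full-disk scan is repeated and duplicate entries are appended to the 10MB+ log until the user breaks out. There is nothing asynchronous to poll for here, so the label/goto lines from `:WAITLOOP` through `:NOTRUNNING` (including the `@REM Still querying...` comment) should be dropped, leaving the single `forfiles /S /P c:\ /M * /C "cmd /c if @fsize GEQ 10000000 echo @path - [ @fsize ]" >> %LOGDIR%/10MB+Files_%TODAY%.log` call followed directly by `@ECHO.`. The three later one-line revisions at the top of this page (each `@@ -157,7 +157,7 @@`) only touch the commented-out `@REM FOR /R` line beneath it and carry the same loop unchanged.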
blacklabssecurity created this gist
Sep 7, 2018 .There are no files selected for viewing
@@ -0,0 +1,346 @@ @ECHO OFF @REM Logic used to create system baselines and output to log files @ECHO OFF @SETLOCAL ENABLEDELAYEDEXPANSION @ECHO OFF @REM Use WMIC to retrieve date and time FOR /F "skip=1 tokens=1-6" %%A IN ('WMIC Path Win32_LocalTime Get Day^,Hour^,Minute^,Month^,Second^,Year /Format:table') DO ( IF NOT "%%~F"=="" ( SET /A SortDate = 10000 * %%F + 100 * %%D + %%A set YEAR=!SortDate:~0,4! set MON=!SortDate:~4,2! set DAY=!SortDate:~6,2! ) ) SET TODAY="!MON!-!DAY!-!YEAR!" @REM Creation of directory to store log files (Requires Admin Rights!) mkdir "c:\windows\system32\systemBaseline" > nul 2> nul SET LOGDIR=C:\windows\system32\systemBaseline\" @REM # Custom Welcome Banner @echo on @echo ***************************************************************** @echo * ____ __ ___ ___ * @echo * / __/_ _____ / /____ __ _ / _ )___ ____ ___ / (_)__ ___ * @echo * _\ \/ // (_-/ __ / -_) ' \ / _ / _ \`(_-/ -_) / / _ \/ -_)* @echo * /___/\_, /___/\__/\__/_/_/_/ /____/\_,_/___/\__/_/_/_//_/\__/ * @echo * /___/ * @echo * * @echo ***************************************************************** @ECHO. @ECHO. @echo ========= System Baseline Creation for System Monitoring ======== @ECHO OFF @REM #################################################### @ECHO OFF pause goto PortListeners :PortListeners @ECHO OFF @REM #################################################### @ECHO. @echo =================================== @echo Searching for ports listeners... @echo =================================== @ECHO OFF @echo ############################################################ > %LOGDIR%/portListeners_%TODAY%.log @echo ############ netstat Analysis for port listeners ########### >> %LOGDIR%/portListeners_%TODAY%.log @echo ############################################################ >> %LOGDIR%/portListeners_%TODAY%.log netstat -naob >> %LOGDIR%/portListeners_%TODAY%.log @REM -na will display listening TCP and UDP ports. @REM -o flag will display the Process ID associated to the ports. 
@REM -b flag works with Win7 - Win10 and will display the associated EXE's and DLL's as well (Requires Elevated Privileges) @echo on @echo It is important to discover what ports are usually open on your system to determine if a rouge port has been established. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'portListeners_' & time stamp. @ECHO. @echo Be sure to keep an eye out for unusual listening ports on your system. @REM #################################################### @ECHO OFF pause goto Processes :Processes @ECHO OFF @REM #################################################### @ECHO. @echo =================================== @echo System Processes: @echo =================================== @ECHO. @echo Lets create a baseline at boot to dertermine our 'normal' processes. @ECHO. @echo ########################################################### > %LOGDIR%/processes_%TODAY%.log @echo ############ tasklist View of Running Processes ########### >> %LOGDIR%/processes_%TODAY%.log @echo ########################################################### >> %LOGDIR%/processes_%TODAY%.log @echo Querying for all system processes now... tasklist /v >> %LOGDIR%/processes_%TODAY%.log @ECHO. @echo All current running processes are recorded to a .log file in the %LOGDIR% dir with a name of 'processes_' & time stamp. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge processes have been executed. @ECHO. @echo You can further investigate any identified process with the 'wmic process list full' command. @ECHO. @echo Such information would include the command invocation of the process as well as the ParentProcess ID. @REM #################################################### @ECHO OFF pause goto Services :Services @ECHO. @REM #################################################### @ECHO. @echo =================================== @echo System Services: @echo =================================== @ECHO. 
@echo Lets create a baseline at boot to dertermine our 'normal' services. @ECHO. @echo ########################################################### > %LOGDIR%/servicesStarted_%TODAY%.log @echo ############## System View of Started Services ############ >> %LOGDIR%/servicesStarted_%TODAY%.log @echo ########################################################### >> %LOGDIR%/servicesStarted_%TODAY%.log @echo Querying for system services files now... sc query >> %LOGDIR%/servicesStarted_%TODAY%.log @ECHO. @echo The output will display the service that have been started on the system. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'servicesStarted_' & time stamp. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge services have been started. @REM ##################### @ECHO. @echo ############################################################ > %LOGDIR%/service2Processes_%TODAY%.log @echo ############# tasklist View of Started Services ############ >> %LOGDIR%/service2Processes_%TODAY%.log @echo ############################################################ >> %LOGDIR%/service2Processes_%TODAY%.log @echo Mapping System Services to Process now... tasklist /svc >> %LOGDIR%/service2Processes_%TODAY%.log @ECHO. @echo The output will display how system services are mapping to the system processes they are running out of. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'service2Processes_' & time stamp. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge services have been started. @REM #################################################### @ECHO OFF pause goto UnusualFiles :UnusualFiles @ECHO. @REM #################################################### @ECHO. @echo ================================ @echo Identify LARGE System Files: @echo ================================ @ECHO. 
@echo Lets search the system to identify any 'LARGE' files (Modify file size appropriately). @ECHO. @echo ############################################################ > %LOGDIR%/10MB+Files_%TODAY%.log @echo #################### LARGE System Files #################### >> %LOGDIR%/10MB+Files_%TODAY%.log @echo ############################################################ >> %LOGDIR%/10MB+Files_%TODAY%.log @echo Querying for LARGE files now... @REM FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 @echo %i %~zi >> %LOGDIR%/10MB+Files_%TODAY%.log @ECHO. @echo Large file archives (10MB+) could be a sign of stolen software, password lists or other potentially malicious files. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of '10MB+Files_' & time stamp. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if large files appear. @REM #################################################### @ECHO OFF pause goto RegistryCheck :RegistryCheck @ECHO. @REM #################################################### @ECHO. @echo =================================== @echo AutoRun Registry Settings: @echo =================================== @ECHO. @echo Lets create a baseline of AutoRun Entries in the 'HKLM' and 'HKCU' Registry Keys @ECHO. @echo ############################################################ > %LOGDIR%/registryAutoRun_%TODAY%.log @echo ################### HKLM Registry Entries ################## >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo Querying the Local Machine (HKLM) registry entries now... @ECHO. 
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo --------------((((( Run ENTIRES )))))-------------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------((((( RunOnce ENTIRES )))))------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Runonce >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo -----------((((( RunOnceEx ENTIRES )))))----------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKLM\Software\Microsoft\Windows\CurrentVersion\RunonceEx >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ---((((( END )))))--- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ################### HKCU Registry Entries ################## >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ############################################################ >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo Querying the Current User registry entries now... @ECHO. 
@echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo --------------((((( Run ENTIRES )))))-------------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------((((( RunOnce ENTIRES )))))------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Runonce >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo -----------((((( RunOnceEx ENTIRES )))))----------- >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log reg query HKCU\Software\Microsoft\Windows\CurrentVersion\RunonceEx >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------((((( END )))))------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @echo ------------------------------------------------------------ >> %LOGDIR%/registryAutoRun_%TODAY%.log @ECHO. @echo The registry entries have been queried for all processes executing at system boot and current user logon. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'registryAutoRun_' & time stamp. @ECHO. @echo Be sure to keep an eye on your system overtime to determine if rouge entries have been added to the registry. 
@REM #################################################### @ECHO OFF pause goto ARPEntries :ARPEntries @ECHO. @REM #################################################### @ECHO. @echo ======================================= @echo Searching for all ARP associations... @echo ======================================= @ECHO. @echo Lets baseline the associated arp entries on the system. @ECHO. @echo ########################################################## > %LOGDIR%/arpAssociations_%TODAY%.log @echo ##################### ARP Associations ################### >> %LOGDIR%/arpAssociations_%TODAY%.log @echo ########################################################## >> %LOGDIR%/arpAssociations_%TODAY%.log @echo Querying for LARGE files now... arp -a >> %LOGDIR%/arpAssociations_%TODAY%.log @ECHO. @echo It is important to know your IP to MAC address associations in order to identify unusual mappings. @ECHO. @echo This may be dynamic on your LAN and ever changing. A baseline can assist in identifying MITM attacks. @ECHO. @echo MITM attempts can be countered with static arp entries for a systems GW or AP (deployed through GPO). @ECHO. echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'arpAssociations_' & time stamp. @ECHO. echo Be sure to keep an eye out for unusual mappings of known layer 3 addresses. @REM #################################################### @ECHO OFF pause goto ScheduledTasks :ScheduledTasks @ECHO OFF @REM #################################################### @ECHO. echo ===================================== echo Searching for Scheduled Tasks... echo ===================================== @ECHO. 
@echo ############################################################ > %LOGDIR%/scheduledTasks_%TODAY%.log @echo ################## System Scheduled Tasks ################## >> %LOGDIR%/scheduledTasks_%TODAY%.log @echo ############################################################ >> %LOGDIR%/scheduledTasks_%TODAY%.log schtasks >> %LOGDIR%/scheduledTasks_%TODAY%.log @ECHO. @echo It is important to baseline the systems scheduled tasks to identify rouge tasks added to your system. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'scheduledTasks_' & time stamp. @ECHO. @echo You can delete tasks through command with elevated privileges: schtasks /delete /tn TaskNameToDelete @REM #################################################### @ECHO OFF pause goto Accounts :Accounts @ECHO. @REM #################################################### @ECHO. @echo ########################################################### > %LOGDIR%/adminGroup_%TODAY%.log @echo ############### Administrator Group Members ############### >> %LOGDIR%/adminGroup_%TODAY%.log @echo ########################################################### >> %LOGDIR%/adminGroup_%TODAY%.log net localgroup administrators >> %LOGDIR%/adminGroup_%TODAY%.log @ECHO. @echo It is important to baseline the admin accounts on the system. @ECHO. @echo Results have been recorded to a .log file in the %LOGDIR% dir with the name of 'adminGroup_' & time stamp. @ECHO. @echo Details of the user accounts can be viewed throguh the Local User and Group console. Launching now... start lusrmgr.msc @REM #################################################### @ECHO. pause goto LogEntries :LogEntries @ECHO. @REM #################################################### @ECHO. @echo Be sure to regularly review the Event Viewer as well to identify items of consideration, such as failed logon events and unusual login events as well. start secpol.msc @REM #################################################### @ECHO. 
pause goto end :end
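Review bot: Every per-section summary line of the form `@echo Results have been recorded to a .log file in the %LOGDIR% dir with a name of 'portListeners_' & time stamp.` contains an unescaped `&`, which cmd treats as a command separator: after the echo it executes `time stamp.`, and because this script is meant to run elevated that is an attempt to set the system clock; `stamp.` is not a valid time, so as far as I can tell cmd rejects it and then blocks on its "Enter the new time" prompt at every section. Either escape the character (`^&`) or put the real value in the message, e.g. `... with a name of 'portListeners_%TODAY%'.`; the later revision on this page takes the second route. That substitution only works once the quoting is fixed as well: `SET TODAY="!MON!-!DAY!-!YEAR!"` keeps the surrounding quotes in the value and `SET LOGDIR=C:\windows\system32\systemBaseline\"` carries a stray trailing `\"`, so every `%LOGDIR%/..._%TODAY%.log` redirection target in this revision contains literal quote characters.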