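iamtheky Posted February 18, 2016 (edited)

A simple, quick audit tool. One worksheet per section:
-Logged On Users -SystemInfo -IPconfig /All -Active Connections (Netstat) -Netstat Names -Privileged Users/Groups -Startup -Services -Processes+Svcs -Drivers (signed?) -Software -Powershell Commands -Logon Failures -All RDP
Feel free to reply with more.
**Requires PowerShell v4.0 or higher to run some of the commands, but those can be converted to WMI without much effort. Also requires Microsoft Excel: the report is written through the Excel UDF, and the script now stops with a message if Excel cannot be started instead of dying silently.

;AuditShot v1.1 -iamtheky
#RequireAdmin
#include <AutoItConstants.au3> ; $STDOUT_CHILD
#include <Array.au3>
#include <Excel.au3>

; One worksheet per section. v1.1 inserted NS_NAMES as sheet 5 and pushed RDP to
; sheet 14, but the workbook was still created with 13 sheets, so the RDP section
; went to a sheet that did not exist (silently: _Excel_RangeWrite and the COM .Name
; assignment only set @error).
Global Const $SHEET_COUNT = 14

Local $aFinal[0]   ; every section appended, for _ArrayDisplay when Excel is not wanted
Local $aOut, $sOutput

$oXL = _Excel_Open(False)
If @error Then
    MsgBox(16, "AuditShot", "Microsoft Excel could not be started (_Excel_Open error " & @error & "). " & _
            "Excel is required; without it, drop the _Excel_* calls and use _ArrayDisplay($aFinal).")
    Exit 1
EndIf
$oXLbook = _Excel_BookNew($oXL, $SHEET_COUNT)
If @error Then
    MsgBox(16, "AuditShot", "Could not create the workbook (_Excel_BookNew error " & @error & ").")
    _Excel_Close($oXL)
    Exit 1
EndIf

;---------------------------------------------------------- Logged on Users ----------------------------------------------------------
$aOut = _SplitLines(_RunCapture("powershell Get-CimInstance Win32_LoggedOnUser | Format-List"))
_WriteSection($oXLbook, 1, "LOGGEDON", $aOut, $aFinal)

;---------------------------------------------------------- SYS INFO ----------------------------------------------------------
$aOut = _SplitLines(_RunCapture("systeminfo"))
_WriteSection($oXLbook, 2, "SYSINFO", $aOut, $aFinal)

;---------------------------------------------------------- IPCONFIG ----------------------------------------------------------
$aOut = _SplitLines(_RunCapture("ipconfig /all"))
_WriteSection($oXLbook, 3, "IPCONFIG", $aOut, $aFinal)

;---------------------------------------------------------- ACTIVE NETSTAT ----------------------------------------------------------
; Numeric output only: nothing here talks to DNS. The same capture is reused by NS_NAMES
; below instead of running netstat a second time (the two runs could also disagree).
Local $aNetstat = _SplitLines(_RunCapture("netstat -n"))
$aOut = $aNetstat
_WriteSection($oXLbook, 4, "NETSTAT", $aOut, $aFinal)

;---------------------------------------------------------- NETSTAT_NAMES ----------------------------------------------------------
; Reverse-resolve each unique foreign address with nslookup.
; NOTE(review): this is the one section that is not passive — one query per unique peer goes to
; the configured resolver, so whoever sees that DNS traffic learns which peers this host is being
; audited against. Skip it for a quiet/forensic snapshot.
Local $aNSLookupFinal[0]
Local $aPeers[0]
; netstat -n layout: 3 header lines, then "Proto  Local  Foreign  State"; foreign address is field 2
For $i = 4 To UBound($aNetstat) - 1
    ; collapse runs of spaces, then split — same result as splitting and deleting empty fields
    Local $aLine = StringSplit(StringStripWS($aNetstat[$i], 7), " ", 2)
    If UBound($aLine) < 3 Then ContinueLoop ; original tested > 1 and then indexed [2]
    ; drop the trailing ":port"
    Local $sPeer = StringLeft($aLine[2], StringInStr($aLine[2], ":", 0, -1) - 1)
    ; IPv6 peers print as "[addr]:port"; nslookup does not take the brackets
    If StringLeft($sPeer, 1) = "[" Then $sPeer = StringTrimRight(StringTrimLeft($sPeer, 1), 1)
    If $sPeer <> "" Then _ArrayAdd($aPeers, $sPeer)
Next
If UBound($aPeers) > 0 Then
    ; dedup once, after the loop (the original rebuilt the unique list on every row)
    Local $aUniqueNS = _ArrayUnique($aPeers)
    _ArrayDelete($aUniqueNS, 0) ; _ArrayUnique returns the element count in [0]
    For $k = 0 To UBound($aUniqueNS) - 1
        Local $aNSLookup = _SplitLines(_RunCapture("nslookup " & $aUniqueNS[$k]))
        ; the first three lines are the resolver's own name/address and a blank line
        If UBound($aNSLookup) > 3 Then
            _ArrayDelete($aNSLookup, "0-2")
            _ArrayAdd($aNSLookupFinal, $aNSLookup)
        EndIf
    Next
EndIf
$aOut = $aNSLookupFinal
_WriteSection($oXLbook, 5, "NS_NAMES", $aOut, $aFinal)

;---------------------------------------------------------- Privileged Users And Groups ----------------------------------------------------------
; Local groups whose members are listed.
; NOTE(review): as far as I know the WinNT provider's Members call returns direct members only —
; a domain group nested in Administrators is listed by name but not expanded. Confirm before
; relying on this sheet for "who can admin this box".
Local $aSelectedGroups[] = ["Administrators", "Backup Operators"]
$sOutput = ""
For $i = 0 To UBound($aSelectedGroups) - 1
    ; The group name is spliced into a single-quoted PowerShell string. Fine for the fixed
    ; names above; a name containing ' would break the quoting if the list is extended.
    $PsCommand = '"' & "$([ADSI]'WinNT://localhost/" & StringStripWS($aSelectedGroups[$i], 3) & ",group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" & '"'
    ; label each block so the sheet shows which group a member belongs to
    $sOutput &= "[" & $aSelectedGroups[$i] & "]" & @CRLF & _RunCapture("powershell " & $PsCommand)
Next
$aOut = _SplitLines($sOutput)
_WriteSection($oXLbook, 6, "PRIVILEGED", $aOut, $aFinal)

;---------------------------------------------------------- Startup ----------------------------------------------------------
$aOut = _SplitLines(_RunCapture("powershell Get-CimInstance Win32_StartupCommand | format-list"))
_WriteSection($oXLbook, 7, "STARTUP", $aOut, $aFinal)

;---------------------------------------------------------- SERVICES ----------------------------------------------------------
$aOut = _SplitLines(_RunCapture("powershell Get-Service | format-list"))
_WriteSection($oXLbook, 8, "SERVICES", $aOut, $aFinal)

;---------------------------------------------------------- PROCESSES+svc ----------------------------------------------------------
$aOut = _SplitLines(_RunCapture("tasklist /svc /FO CSV"))
_WriteSection($oXLbook, 9, "PROC+SVC", $aOut, $aFinal)

;---------------------------------------------------------- Drivers ----------------------------------------------------------
; /si adds the signed-status column
$aOut = _SplitLines(_RunCapture("driverquery -si -FO csv"))
_WriteSection($oXLbook, 10, "DRIVERS", $aOut, $aFinal)

;---------------------------------------------------------- SOFTWARE ----------------------------------------------------------
; Captured the same way as every other section; the original polled ProcessExists() and could
; stop reading before the last chunk of output had been drained from the pipe.
; NOTE(review): Win32Reg_AddRemovePrograms is, to my knowledge, a class installed by the
; ConfigMgr client rather than a stock WMI class — on a host without it this sheet comes back
; empty. Confirm, or fall back to the Uninstall registry keys.
$aOut = _SplitLines(_RunCapture("powershell Get-CimInstance Win32Reg_AddRemovePrograms"))
_WriteSection($oXLbook, 11, "SOFTWARE", $aOut, $aFinal)

;---------------------------------------------------------- PowerShell Commands ----------------------------------------------------------
; Engine-start events from the classic "Windows PowerShell" log; HostApplication is the command
; line that started the engine. Only the host line is kept, deduplicated.
$sOutput = _RunCapture("powershell Get-EventLog -logname 'Windows PowerShell' " & '-message "Provider*Function*is*Started*"' & "| Select -ExpandProperty message")
; [^\r\n] instead of .* so the trailing CR is not captured (it made equal lines look distinct to _ArrayUnique)
$aOut = StringRegExp($sOutput, "HostApplication=([^\r\n]*)", 3)
If Not @error Then $aOut = _ArrayUnique($aOut, 0, 0, 0, 0) ; flags 0: no count element
_WriteSection($oXLbook, 12, "POWERSHELL", $aOut, $aFinal)

;---------------------------------------------------------- Logon Failures ----------------------------------------------------------
; 4625 = failed logon. Get-EventLog reads the whole Security log; add -Newest N if it is large.
$aOut = _SplitLines(_RunCapture("powershell Get-EventLog -logname 'Security' " & '-InstanceID "4625"' & "| Format-List"))
_WriteSection($oXLbook, 13, "LOGONFAIL", $aOut, $aFinal)

;---------------------------------------------------------- ALL RDP ----------------------------------------------------------
; NOTE(review): 4778 is "session reconnected to a Window Station" — RDP reconnects (and fast user
; switching), not every RDP logon; a fresh RDP logon is 4624 with logon type 10. Confirm the
; sheet name matches what is wanted.
$aOut = _SplitLines(_RunCapture("powershell Get-EventLog -logname 'Security' " & '-InstanceID "4778"' & "| Format-List"))
_WriteSection($oXLbook, 14, "RDP", $aOut, $aFinal)

;--------------------------------------------------------------
;~ _ArrayDisplay($aFinal)
; The report holds sensitive inventory (privileged group members, failed-logon account names,
; every peer address); it is written unencrypted next to the script and then opened.
$destfile = @ScriptDir & "\" & @MON & @MDAY & @YEAR & @HOUR & @MIN & @SEC & "AuditShot.xlsx"
_Excel_BookSaveAs($oXLbook, $destfile)
If @error Then MsgBox(48, "AuditShot", "Save failed (_Excel_BookSaveAs error " & @error & "): " & $destfile)
_Excel_Close($oXL)
Sleep(100)
ShellExecute($destfile)

; Run $sCommand hidden and return everything it writes to stdout.
; Run() hands the string to CreateProcess directly — no cmd.exe — so a "|" in it is parsed by
; powershell.exe, never by a shell. Returns "" if the process could not be started.
Func _RunCapture($sCommand)
    Local $sOut = ""
    Local $iPID = Run($sCommand, "", @SW_HIDE, $STDOUT_CHILD)
    If @error Then Return ""
    While 1
        $sOut &= StdoutRead($iPID)
        If @error Then ExitLoop ; set once the child has exited and the pipe is drained
    WEnd
    ProcessClose($iPID) ; no-op for an already exited child; kept from the original
    Return $sOut
EndFunc   ;==>_RunCapture

; One array element per line (split on LF; the trailing CR stays on each element, as before).
Func _SplitLines($sText)
    Return StringSplit($sText, @LF, 2)
EndFunc   ;==>_SplitLines

; Write $aRows to worksheet $iSheet, name the sheet and append the rows to $aAll.
; A non-array $aRows (a section that produced nothing) leaves the sheet empty but named.
; The sheet is switched to the Text number format before the write: most of what lands here is
; text that whoever is on the box controls (startup commands, service/software/process names,
; event messages), and Excel enters a value that starts with "=" (also "+", "-", "@") as a
; formula. NOTE(review): this relies on Excel honouring the Text format for values set through
; COM — confirm with a row containing "=1+1" before trusting it.
Func _WriteSection($oBook, $iSheet, $sName, ByRef $aRows, ByRef $aAll)
    Local $oSheet = $oBook.WorkSheets($iSheet)
    If IsArray($aRows) And UBound($aRows) > 0 Then
        $oSheet.Cells.NumberFormat = "@"
        _Excel_RangeWrite($oBook, $iSheet, $aRows)
        _ArrayConcatenate($aAll, $aRows)
    EndIf
    $oSheet.Name = $sName
EndFunc   ;==>_WriteSection

Edited April 13, 2016 by iamtheky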
JohnOne Posted February 18, 2016: Does nothing on my PC. Is Microsoft Excel needed?
iamtheky Posted February 18, 2016 (Author): You can just `_ArrayDisplay($aFinal)` if you are lacking Excel — but comment out the `_Excel_*` calls and every `$oXLBook.WorkSheets(n).Name = ...` line first. When `_Excel_Open` fails the UDF calls only set @error, and the `.Name` assignment on a non-object then aborts the script, which is why it looks like it does nothing.
spudw2k Posted February 18, 2016: Simple and useful. Good job. I see a lot of room for optimization (the run / StdoutRead / split / write sequence is repeated verbatim for every section).
iamtheky Posted February 19, 2016 (Author): Thank you, sir. Once I get the amalgamation complete (I know I have missed a couple of common locations, like common ACL modifications) I will certainly work on the inefficiencies, and then maybe dress it up for the UDF dance.
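iamtheky Posted February 26, 2016 (edited)
I'm going to leave this here so I don't forget: I want to add something of the sort (hand-select protected files and folders and the things that malware might change about them), but this method is kind of slow. So far got Attributes, ACLs, Modified, Created, and Accessed.

#RequireAdmin
#include <Array.au3>            ; _ArrayAdd / _ArrayDelete / _ArrayToString / _ArrayDisplay (was not included explicitly)
#include <AutoItConstants.au3>  ; $STDOUT_CHILD
#include <File.au3>
#include <FileConstants.au3>    ; $FT_* and $FLTAR_*
#include <WinAPI.au3>
#include <WinAPIShellEx.au3>

; A 32-bit AutoIt on 64-bit Windows has System32 silently redirected to SysWOW64;
; turn that off so the paths below are the real ones.
DllCall("kernel32.dll", "int", "Wow64DisableWow64FsRedirection", "int", 1)

Local $sSysDrive = EnvGet("SystemDrive") ; "C:" on almost every box, but no longer hard-coded

;------- specific paths to be checked ----------------
Global $aArray[] = [ _
        $sSysDrive & "\Program Files", _
        $sSysDrive & "\Program Files\Common Files", _
        $sSysDrive & "\Program Files (x86)", _
        $sSysDrive & "\Program Files (x86)\Common Files", _
        $sSysDrive & "\ProgramData", _
        @WindowsDir, _
        @WindowsDir & "\System32", _
        @WindowsDir & "\System32\Drivers", _
        @WindowsDir & "\System32\Drivers\etc", _
        @WindowsDir & "\System32\Sysprep", _
        @WindowsDir & "\System32\wbem", _
        @WindowsDir & "\System32\WindowsPowerShell\v1.0", _
        @WindowsDir & "\Web", _
        @WindowsDir & "\SysWOW64", _
        @WindowsDir & "\SysWOW64\Drivers", _
        @WindowsDir & "\SysWOW64\wbem", _
        @WindowsDir & "\SysWOW64\WindowsPowerShell\v1.0"]

;---------- Folders to be recursed and all contents checked -----------------------------
; Per-user candidates not enabled yet: C:\Users\Public, @HomePath & "\AppData\Local", "...\Local\Temp",
; "...\LocalLow", "...\Roaming".
Local $aRecThese[] = [$sSysDrive & "\Boot", $sSysDrive & "\Perflogs", @ProgramsCommonDir & "\Startup", _
        @WindowsDir & "\Scripts", @WindowsDir & "\System", @WindowsDir & "\System32\Tasks", _
        @WindowsDir & "\system32\config\systemprofile\AppData", @WindowsDir & "\sysWOW64\sysprep", _
        @WindowsDir & "\sysWOW64\config\systemprofile\AppData"]

For $i = 0 To UBound($aRecThese) - 1
    _ArrayAdd($aArray, $aRecThese[$i]) ; the folder itself is always checked
    Local $aList = _FileListToArrayRec($aRecThese[$i], "*", $FLTAR_FILESFOLDERS, $FLTAR_RECUR, $FLTAR_NOSORT, $FLTAR_FULLPATH)
    If @error Then ContinueLoop ; missing or empty folder
    _ArrayDelete($aList, 0) ; drop the element count
    ; the original tested UBound > 1 after the count was removed, which skipped folders holding exactly one entry
    If UBound($aList) > 0 Then _ArrayAdd($aArray, $aList)
Next

;-------------------------------------------------------------------------------------
Global $aOut[1][6] = [["PATH", "ATTRIB", "ACL", "Modified", "Created", "Accessed"]] ; final array, header row first

;-------- START LOOP THROUGH ARRAY OF Files and Folders ----------------------------------
For $i = 0 To UBound($aArray) - 1
    Local $sPath = $aArray[$i]
    ;----------------------------- GET ATTRIBUTES -------------------------------------------
    Local $sAttrib = FileGetAttrib($sPath)
    ;----------------------------- GET ACLs -------------------------------------------------
    ; icacls is started directly rather than through "cmd /c", so no file name is ever seen by
    ; a shell; the path is still quoted because icacls splits its own argument line.
    Local $aSplit = StringSplit(_RunCapture('icacls "' & $sPath & '" /C'), @LF, 2)
    Local $sAcl = ""
    If UBound($aSplit) >= 4 Then
        ; icacls prints "<path> <first ACE>" on its first line, one ACE per following line, then a
        ; blank line and a "Successfully processed ..." summary. The original started at the second
        ; line and so dropped the first ACE; strip the path from the first line instead.
        ; NOTE(review): assumes icacls echoes the path exactly as passed — confirm on the target OS.
        If StringLeft($aSplit[0], StringLen($sPath)) = $sPath Then $aSplit[0] = StringStripWS(StringTrimLeft($aSplit[0], StringLen($sPath)), 1)
        $sAcl = StringRegExpReplace(_ArrayToString($aSplit, ",,", 0, UBound($aSplit) - 4), "\s\s+", "")
    EndIf
    ;----------------------------- Get times ------------------------------------------------
    ; NOTE(review): all three timestamps are cheap to forge (SetFileTime) and are not evidence on
    ; their own; a content hash column is what malware cannot trivially restore after a swap.
    ;-------------- Add all that to the final array -----------------------------------------
    _ArrayAdd($aOut, $sPath) ; new row, path in column 0
    Local $iRow = UBound($aOut) - 1
    $aOut[$iRow][1] = $sAttrib
    $aOut[$iRow][2] = $sAcl
    ; the original passed 0 (modified) for all three columns, so Created and Accessed were copies of Modified
    $aOut[$iRow][3] = FileGetTime($sPath, $FT_MODIFIED, 1)
    $aOut[$iRow][4] = FileGetTime($sPath, $FT_CREATED, 1)
    $aOut[$iRow][5] = FileGetTime($sPath, $FT_ACCESSED, 1)
Next
_ArrayDisplay($aOut)

; Run $sCommand hidden and return everything it writes to stdout ("" if it could not be started).
Func _RunCapture($sCommand)
    Local $sOut = ""
    Local $iPID = Run($sCommand, "", @SW_HIDE, $STDOUT_CHILD)
    If @error Then Return ""
    While 1
        $sOut &= StdoutRead($iPID)
        If @error Then ExitLoop ; set once the child has exited and the pipe is drained
    WEnd
    ProcessClose($iPID)
    Return $sOut
EndFunc   ;==>_RunCapture

Edited February 26, 2016 by iamtheky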
iamtheky Posted April 13, 2016 (Author): Version 1.1 posted. Added Netstat Names — this uses `netstat -n` plus `nslookup` rather than `netstat -f`. It is faster in my testing and also lets me dedup the foreign addresses before name resolution, further speeding up the routine.