080-OS-enum-after-shell-WIN.bat
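@echo off
REM Host configuration snapshot for Windows: collects system, patch, service,
REM network, permission and security-control state so a reviewer can assess
REM how exposed the machine is. Only the systeminfo output is written to a
REM file (C:\temp\system_info_windows.txt); every other section goes to
REM stdout, so redirect the whole script if a saved record is wanted.
REM Several queries (SecurityCenter2, the SAM/SYSTEM backup paths, wevtutil
REM subscriptions) only return useful data from an elevated prompt.
REM Usage: 080-OS-enum-after-shell-WIN.bat [/q]
REM   /q  skip the final "pause" so the script can run unattended.
setlocal
REM Create the output directory first; the original redirect failed with
REM "The system cannot find the path specified" when C:\temp was missing.
set "OUTDIR=C:\temp"
if not exist "%OUTDIR%" mkdir "%OUTDIR%"
REM Run systeminfo command to gather system information
systeminfo > "%OUTDIR%\system_info_windows.txt"
REM Check for plaintext credentials in files
REM NOTE: /S walks the entire drive, so this step is slow and noisy on large
REM volumes; narrow the roots if the run time matters.
echo Searching for plaintext credentials...
findstr /S /M /I /C:"password" "C:\*.txt" "C:\*.log"
REM Check for vulnerable backups of SAM and LSA files
REM %SystemRoot% is used instead of a hard-coded C:\Windows so the check
REM still works on hosts installed to another drive or directory.
echo Checking for vulnerable backups of SAM and LSA files...
if exist "%SystemRoot%\System32\config\SAM.bak" (
echo SAM backup file found: %SystemRoot%\System32\config\SAM.bak
) else (
echo SAM backup file not found
)
if exist "%SystemRoot%\System32\config\SYSTEM.bak" (
echo SYSTEM backup file found: %SystemRoot%\System32\config\SYSTEM.bak
) else (
echo SYSTEM backup file not found
)
REM Check antivirus status
REM NOTE: wmic is deprecated on current Windows releases and may be absent;
REM Get-CimInstance in PowerShell is the supported replacement.
echo Antivirus Status:
wmic /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName, productState
REM Check firewall status
echo Firewall Status:
netsh advfirewall show allprofiles
REM Check UAC status (EnableLUA = 0x1 means UAC is on)
echo User Account Control (UAC) Status:
reg query "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA
REM Describe current patches
echo Current Patches:
wmic qfe list brief
REM Describe services
echo Services:
wmic service get caption, name, startmode, state
REM Describe scheduled tasks
echo Scheduled Tasks:
schtasks /query /fo table
REM Describe user permissions
echo User Permissions:
whoami /all
REM Describe network configuration
echo Network Configuration:
ipconfig /all
REM Describe hosts file
echo Hosts File:
type %SystemRoot%\System32\drivers\etc\hosts
REM Describe ARP cache
echo ARP Cache:
arp -a
REM Describe WSUS settings
echo WSUS Settings:
reg query "HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
REM Detect open ports
echo Open Ports:
netstat -ano
REM Detect interesting file permissions of binaries being executed
REM Lists entries granting Full control; the second findstr drops rows that
REM also carry the (N) no-access flag.
echo Interesting File Permissions of Executed Binaries:
icacls "%SystemRoot%\System32" /T /C /L /Q | findstr "(F)" | findstr /V /I "(N)"
REM Detect interesting file permissions of binaries run at startup
echo Interesting File Permissions of Binaries Run at Startup:
wmic startup get Caption, Command, User, Status, Location | findstr /V /I "C:\Windows\System32"
REM Check the AlwaysInstallElevated setting
REM The policy is only effective when it is set in BOTH hives, so query HKLM
REM as well; reporting HKCU alone gives an incomplete picture.
echo AlwaysInstallElevated Setting:
reg query "HKCU\Software\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
reg query "HKLM\Software\Policies\Microsoft\Windows\Installer" /v AlwaysInstallElevated
REM Describe cached DNS entries
echo Cached DNS Entries:
ipconfig /displaydns
REM Describe mounted shares
echo Mounted Shares:
net use
REM Describe Windows Event Forwarding settings
echo Windows Event Forwarding Settings:
wevtutil get-subscriptions
REM Check LAPS installation status
REM NOTE(review): this key may not cover both legacy LAPS and Windows LAPS;
REM confirm the registry location for the deployment being reviewed.
echo LAPS Installation Status:
reg query "HKLM\SOFTWARE\Microsoft\LAPS" /s
endlocal
REM Keep the window open for interactive runs; pass /q to skip.
if /I not "%~1"=="/q" pause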