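├── README.md
└── dfir.ps1

/README.md:
--------------------------------------------------------------------------------
# dfir-win



## 简介

本项目用途为收集数据,帮助蓝队同学分析、研判、应急Windows安全事件。

目前收集的信息有:

- ✅进程
- ✅网络

- ✅注册表
- ✅DNS缓存

- ✅服务
- ✅计划任务

- ✅Powershell历史记录
- ✅WMI

- ✅安装软件
- ✅日志

- ✅命名管道



## 使用方式

1. 下载本项目
2. Win + X 选择“命令提示符(管理员)”
3. 输入powershell,进入powershell终端,并cd到本项目目录
4. powershell -ep Bypass .\dfir.ps1
5. 对项目文件夹生成的日志进行分析
--------------------------------------------------------------------------------
/dfir.ps1:
--------------------------------------------------------------------------------
#########################################
# Author  : Alex-null
# Tool    : Windows incident-response collection script
# Version : 0.0.1
# Github  : https://github.com/Alex-null/dfir-win
# Tips    : Unfamiliar files can be looked up at https://winbindex.m417z.com/ .
#           Because the script runs a large number of system commands it may be
#           flagged by anti-virus software.
#
# Purpose : Collects host state relevant to triage (processes, TCP connections,
#           named pipes, services, scheduled tasks, HKCU registry, WMI event
#           subscriptions, DNS client cache, installed software, event logs,
#           PowerShell history, recent files, user-profile / temp listings and
#           hashes, BAM entries) into text and .evtx files in the directory the
#           script is started from.
# Notes   : Run from an elevated PowerShell; most collectors return partial data
#           without administrator rights. Every text artifact is written as
#           UTF-8 so report.txt is not a mix of encodings. Writing artifacts onto
#           the examined host itself changes that host; copy the output
#           directory off the machine as soon as collection finishes.
#########################################
#===============================
#   V A R I A B L E S         |
#===============================
$UserName    = [System.Environment]::UserName
$CurrentPath = (Get-Location).ProviderPath      # artifacts are written below this directory
$OutDir      = $CurrentPath
$ReportPath  = Join-Path -Path $OutDir -ChildPath 'report.txt'
$TheDate     = Get-Date
# Target of the Internet-reachability probe. This sends one ICMP echo from the host
# under investigation; change it if the host must not contact this domain.
$ProbeHost   = 'baidu.com'
# Shared Out-File settings: one encoding for all text artifacts, and a width large
# enough that Format-Table -AutoSize does not truncate long command lines / paths
# (this replaces resizing the console buffer, which fails in non-console hosts).
$OutFileArgs = @{ Encoding = 'UTF8'; Width = 500 }

function Get-OutPath {
    # Returns the full path of the artifact file $Name inside $OutDir.
    param([Parameter(Mandatory = $true)][string]$Name)
    Join-Path -Path $OutDir -ChildPath $Name
}

function Write-Report {
    # Appends one entry to report.txt as UTF-8. In Windows PowerShell '>' (Out-File)
    # defaults to UTF-16 while Add-Content defaults to ANSI, so mixing them (as the
    # original did) produced a report with two encodings in one file.
    param([Parameter(Mandatory = $true)][AllowEmptyString()][string]$Text)
    Add-Content -Path $ReportPath -Value $Text -Encoding UTF8
}

#===============================
#   B A N N E R               |
#===============================
Clear-Host
#===============================
#   S T A R T I N G           |
#===============================
Write-Host "[+] Hi, $UserName,推荐使用管理员权限运行,大部分命令依赖管理员权限"
Write-Host -ForegroundColor Green "[+] 日志应急脚本即将在1s后启动"
Start-Sleep -Seconds 1
#===============================
#   E X E C U T I O N         |
#===============================
$ReportHeader = "========================================================`r`nDFIR Report`r`n$TheDate`r`n========================================================`r`n`r`n"
Set-Content -Path $ReportPath -Value $ReportHeader -Encoding UTF8

####################################################################
# Computer name
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting computer name"
$ComputerNameKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName'
if (Test-Path -Path $ComputerNameKey) {
    $ThePCName = Get-ItemPropertyValue -Path $ComputerNameKey -Name 'ComputerName'
    Write-Report "`r`nComputer Name: $ThePCName"
} else {
    Write-Host -ForegroundColor Red "[-] Could not find the Registry key!"
    Write-Report "`r`nComputer Name: Could not find the Registry key!"
}

####################################################################
# Domain membership
####################################################################
Write-Host -ForegroundColor Yellow "[+] Checking if the computer is in domain or workgroup"
$ComputerSystem = Get-WmiObject -Class Win32_ComputerSystem   # queried once, read twice below
if ($ComputerSystem.PartOfDomain -eq $true) {
    Write-Report "`r`nDomain: Part of a domain"
    Write-Report "`r`nDomain: $($ComputerSystem.Domain)"
} else {
    Write-Report "`r`nDomain: WORKGROUP"
}

####################################################################
# IP configuration
####################################################################
Write-Host -ForegroundColor Yellow "[+] get IP"
ipconfig /all | Add-Content -Path $ReportPath -Encoding UTF8

####################################################################
# Accounts from the ProfileList SIDs
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting user accounts list from SID"
$ProfileListKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
if (Test-Path -Path $ProfileListKey) {
    # Each subkey is a SID; ProfileImagePath is the profile directory, whose last
    # path segment is the account name. Read the values directly instead of
    # round-tripping through TEMP.txt / TEMP1.txt as the original did.
    $ProfileUsers = Get-ChildItem -Path $ProfileListKey | ForEach-Object {
        $ImgPath = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProfileImagePath
        if ($ImgPath) { Split-Path -Path $ImgPath -Leaf }
    }
    Write-Report "`r`nUser List: $($ProfileUsers -join ' ')"
} else {
    Write-Host -ForegroundColor Red "[-] Could not find the Registry key!"
    Write-Report "`r`nUser List: Could not find the Registry key!"
}

####################################################################
# Network connectivity
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting Internet connectivity information"
$NetStatus = [bool](Test-Connection -ComputerName $ProbeHost -Count 1 -ErrorAction SilentlyContinue)
if ($NetStatus) {
    Write-Report "`r`nNetwork Status : Connected to Internet"
} else {
    Write-Report "`r`nNetwork Status : Not connected to Internet"
}
$PrivIP = Test-Connection -ComputerName (hostname) -Count 1 -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty IPV4Address -ErrorAction SilentlyContinue
$OnlyIP = if ($PrivIP) { $PrivIP.IPAddressToString } else { '' }
if ($OnlyIP -match '[0-9]') {
    Write-Report "`r`nPrivate IP Address : $OnlyIP"
} else {
    Write-Report "`r`nPrivate IP Address : No IP address found!"
}

####################################################################
# Accounts via WMI (replaces wmic)
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting user accounts list from wmic"
# wmic.exe is deprecated, and piping its text through Format-Table -Property * only
# printed each line's Length, so Users.txt held no account data. Win32_UserAccount
# without a filter has the same scope as "wmic UserAccount get" (domain accounts
# included, which can be slow on a domain member).
Get-WmiObject -Class Win32_UserAccount |
    Format-Table -Property Name, Domain, SID, Disabled, Lockout, PasswordRequired, LocalAccount, Description -AutoSize -Wrap |
    Out-File -FilePath (Get-OutPath 'Users.txt') @OutFileArgs

####################################################################
# TCP connections
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting Network TCP "
Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State,
        @{ Name = 'process'; Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } },
        @{ Name = 'cmdline'; Expression = { (Get-WmiObject -Class Win32_Process -Filter "ProcessId = $($_.OwningProcess)").CommandLine } } |
    Sort-Object -Property RemoteAddress -Descending |
    Format-Table -Wrap -AutoSize |
    Out-File -FilePath (Get-OutPath 'NetworkTcp.txt') @OutFileArgs

####################################################################
# Processes
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting running process"
# Apart from "System Idle Process" and "System", an empty CommandLine usually means
# the script lacks the privilege to read it (run elevated).
Get-WmiObject -Class Win32_Process |
    Select-Object Name, ProcessId, ParentProcessId, @{ Name = 'Owner'; Expression = { $_.GetOwner().User } }, ExecutablePath, CommandLine |
    Format-Table -Wrap -AutoSize |
    Out-File -FilePath (Get-OutPath 'process.txt') @OutFileArgs

####################################################################
# Named pipes
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting pipe"
[System.IO.Directory]::GetFiles("\\.\\pipe\\") |
    Out-File -FilePath (Get-OutPath 'pipe.txt') @OutFileArgs

####################################################################
# Services
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting service"
# Win32_Service has no "User" property (that column was always empty in the original);
# StartName is the logon account the service runs as.
Get-WmiObject -Class Win32_Service |
    Format-Table -Property Name, DisplayName, PathName, StartName, StartMode, State -AutoSize -Wrap |
    Out-File -FilePath (Get-OutPath 'Service.txt') @OutFileArgs

####################################################################
# Scheduled tasks
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting scheduled tasks"
schtasks /query /fo LIST /v | Out-File -FilePath (Get-OutPath 'task.txt') @OutFileArgs

####################################################################
# Registry (current user)
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting Registry For Current User"
Get-ChildItem -Path HKCU:\ -Recurse |
    Format-Table -Wrap -AutoSize |
    Out-File -FilePath (Get-OutPath 'Registry.txt') @OutFileArgs

####################################################################
# WMI event subscriptions
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting WMI"
Get-CimInstance -Namespace root\Subscription -ClassName __FilterToConsumerBinding |
    Out-File -FilePath (Get-OutPath 'WMIFilterToConsumerBinding.txt') @OutFileArgs
Get-CimInstance -Namespace root\Subscription -ClassName __EventFilter |
    Out-File -FilePath (Get-OutPath 'WMIEventFilter.txt') @OutFileArgs
Get-CimInstance -Namespace root\Subscription -ClassName __EventConsumer |
    Out-File -FilePath (Get-OutPath 'WMIEventConsumer.txt') @OutFileArgs

####################################################################
# DNS client cache
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting DnsClientCache"
Get-DnsClientCache |
    Format-Table -Wrap -AutoSize |
    Out-File -FilePath (Get-OutPath 'DnsClientCache.txt') @OutFileArgs

####################################################################
# Installed software
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting Software"
# Enumerating Win32_Product makes Windows Installer run a consistency check on every
# product and writes MsiInstaller entries into the Application log, which is exported
# below; the Uninstall registry keys give the same inventory without touching the host.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher, InstallDate, InstallLocation, UninstallString |
    Sort-Object -Property DisplayName |
    Format-Table -Wrap -AutoSize |
    Out-File -FilePath (Get-OutPath 'Software.txt') @OutFileArgs

####################################################################
# Event logs
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting event logs"
# Channel -> output file. PowerShell/Operational is added because it holds the
# script-block logging events that "Windows PowerShell" does not contain.
$LogChannels = @(
    @{ Channel = 'System';                                     File = 'system.evtx' },
    @{ Channel = 'Application';                                File = 'Application.evtx' },
    @{ Channel = 'Security';                                   File = 'Security.evtx' },
    @{ Channel = 'Windows PowerShell';                         File = 'PowerShell.evtx' },
    @{ Channel = 'Microsoft-Windows-PowerShell/Operational';   File = 'PowerShellOperational.evtx' },
    @{ Channel = 'Microsoft-Windows-WMI-Activity/Operational'; File = 'wmi.evtx' }
)
foreach ($Log in $LogChannels) {
    $Target = Get-OutPath $Log.File
    wevtutil epl $Log.Channel $Target
}

####################################################################
# PowerShell command history (PSReadline) for every profile
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting PowerShell history"
$HistoryFiles = @((Get-ChildItem -Path 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt' -ErrorAction SilentlyContinue).FullName)
$HistoryIndex = Get-OutPath 'ConsoleHost_history.txt'
foreach ($Past in $HistoryFiles) {
    if (-not $Past) { continue }
    Write-Host "`n----User Pwsh History Path $Past---`n" -ForegroundColor Magenta
    Get-Content -Path $Past
    # One copy per profile. Copying every history file to the same name overwrote all
    # but the last user's, and appending the source path to it modified the evidence copy.
    $ProfileName = ($Past -split '\\')[2]
    $Dest = Get-OutPath "ConsoleHost_history_$($ProfileName).txt"
    Copy-Item -Path $Past -Destination $Dest
    Add-Content -Path $HistoryIndex -Value "`r`n$Past -> $Dest" -Encoding UTF8
}

####################################################################
# Recently used files (first 10, current user only)
####################################################################
Write-Host -ForegroundColor Yellow "[+] Checking recently used files"
# Only the current user's Recent folder ($env:USERPROFILE) is inspected.
$RecentDir = Join-Path -Path $env:USERPROFILE -ChildPath 'AppData\Roaming\Microsoft\Windows\Recent'
if (Test-Path -Path $RecentDir) {
    # @() so that a single file gives Count = 1 rather than the length of its path string.
    $RecentFiles = @(Get-ChildItem -Path $RecentDir -File | Select-Object -ExpandProperty FullName)
    $RFLength = $RecentFiles.Count
    if ($RFLength -gt 0) {
        Write-Host -ForegroundColor Green "[+] Found Recent Files!"
        if ($RFLength -gt 10) {
            Write-Report "`r`nRecent Files : Found more than 10 files in $RecentDir`r`n Here is the list of 10 files-"
        } elseif ($RFLength -eq 10) {
            Write-Report "`r`nRecent Files : Found 10 files in $RecentDir`r`n Here is the list of 10 files-"
        } else {
            Write-Report "`r`nRecent Files : Found less than 10 files in $RecentDir`r`n Here is the list-"
        }
        $RecentFiles | Select-Object -First 10 | ForEach-Object {
            Write-Report "`r`n $(Split-Path -Path $_ -Leaf)"
        }
    } else {
        Write-Host -ForegroundColor Red "[+] Found Nothing!"
        Write-Report "`r`nRecent Files : Nothing found"
    }
}

####################################################################
# Listings and hashes of user profiles and the Windows temp directory
####################################################################
Write-Host -ForegroundColor Yellow "[+] Collecting file listings and hashes for C:\Users and C:\Windows\Temp"
$FileListPath = Get-OutPath 'file.txt'
tree c:\Users /F | Out-File -FilePath $FileListPath @OutFileArgs
# -Force includes hidden/system items; without it Get-ChildItem does not descend into
# hidden directories such as AppData, so nothing below them was listed or hashed.
# -File keeps directories out of Get-FileHash (which cannot hash them). Access-denied
# errors on other users' profiles are suppressed so the listing completes.
Get-ChildItem -Path 'C:\Users\*' -Recurse -Force -ErrorAction SilentlyContinue |
    Format-Table |
    Out-File -FilePath $FileListPath -Append @OutFileArgs
Get-ChildItem -Path 'C:\Users\*' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Get-FileHash -ErrorAction SilentlyContinue |
    Format-Table Hash, Path -AutoSize |
    Out-File -FilePath (Get-OutPath 'users_hash.txt') @OutFileArgs
Get-ChildItem -Path 'C:\windows\temp' -Recurse -Force -ErrorAction SilentlyContinue |
    Format-Table |
    Out-File -FilePath $FileListPath -Append @OutFileArgs
Get-ChildItem -Path 'C:\windows\temp' -Recurse -Force -File -ErrorAction SilentlyContinue |
    Get-FileHash -ErrorAction SilentlyContinue |
    Format-Table Hash, Path -AutoSize |
    Out-File -FilePath (Get-OutPath 'temp_hash.txt') @OutFileArgs
# Background Activity Moderator: per-SID last-execution records. Windows 10 only.
reg query "HKLM\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings" /s |
    Out-File -FilePath (Get-OutPath 'bam.txt') @OutFileArgs
--------------------------------------------------------------------------------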