Showing results for tags '#audit'.

Found 1 result

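  ; 1. A simple, quick, audit tool.
;    -Logged On Users  -SystemInfo  -IPconfig /All  -Active Connections (Netstat)
;    -Netstat Names  -Privileged Users/Groups  -Startup  -Services  -Processes+Svcs
;    -Drivers (signed?)  -Software  -Powershell Commands  -Logon Failures  -All RDP
;    Feel Free to Reply with More.
;    **Requires PowerShell v4.0 or higher to run some of the commands, but those can be
;    converted to WMI without much effort.

;AuditShot v1.1 -iamtheky
;
; Runs a fixed set of built-in Windows commands, captures their stdout, and writes each
; result to its own worksheet of a new Excel workbook saved next to the script.
;
; NOTE(review): every command below is started by bare name ("powershell", "netstat", ...)
; while the script is elevated, so the executable is resolved through the normal Windows
; search order. Consider launching them by full path (for example under @SystemDir) when
; the script lives in a directory other users can write to.
;
; NOTE(review): the saved workbook holds account names, group membership, connections and
; failed-logon events in clear text. Store and transfer it as sensitive data.
#RequireAdmin
#include <Array.au3>
#include <AutoItConstants.au3> ; defines $STDOUT_CHILD
#include <Excel.au3>

Global Const $AUDIT_SHEETS = 14 ; one worksheet per section below (the original created only 13)

Global $aFinal[0] ; running concatenation of every section, kept for the _ArrayDisplay debug calls
Global $aOut, $sOutput

Global $oXL = _Excel_Open(False)
If @error Then Exit MsgBox(16, "AuditShot", "Could not start Excel.")
Global $oXLbook = _Excel_BookNew($oXL, $AUDIT_SHEETS)
If @error Then
	_Excel_Close($oXL)
	Exit MsgBox(16, "AuditShot", "Could not create the workbook.")
EndIf

;---------------------------------------------------------- Logged on Users
$aOut = StringSplit(_Capture("powershell Get-CimInstance Win32_LoggedOnUser" & " | Format-List"), @LF, 2)
_AddSheet(1, "LOGGEDON", $aOut)

;---------------------------------------------------------- SYS INFO
$aOut = StringSplit(_Capture("systeminfo"), @LF, 2)
_AddSheet(2, "SYSINFO", $aOut)

;---------------------------------------------------------- IPCONFIG
$aOut = StringSplit(_Capture("ipconfig /all"), @LF, 2)
_AddSheet(3, "IPCONFIG", $aOut)

;---------------------------------------------------------- ACTIVE NETSTAT
; The same capture feeds the NETSTAT_NAMES section so both sheets describe one snapshot.
Global $sNetstat = _Capture("netstat -n")
$aOut = StringSplit($sNetstat, @LF, 2)
_AddSheet(4, "NETSTAT", $aOut)

;---------------------------------------------------------- NETSTAT_NAMES
; Extracts the foreign address of every connection and resolves each unique one with nslookup.
; Each lookup sends the remote address to the configured DNS resolver.
Global $aNSfinal[0], $aNSLookupFinal[0], $aLine, $aNSLookup, $sAddr
$aOut = StringSplit($sNetstat, @LF, 2)
For $i = 4 To UBound($aOut) - 1 ; rows 0-3 are the netstat banner and column header
	$aLine = StringSplit($aOut[$i], " ", 2)
	For $k = UBound($aLine) - 1 To 0 Step -1
		If StringStripWS($aLine[$k], 8) = "" Then _ArrayDelete($aLine, $k)
	Next
	; Column 2 is the foreign address, so at least three columns must be present
	; (the original tested "> 1" and could index past the end of a short row).
	If UBound($aLine) > 2 Then
		$sAddr = StringLeft($aLine[2], StringInStr($aLine[2], ":", 0, -1) - 1)
		; Only address-like tokens are passed on to the nslookup command line.
		If StringRegExp($sAddr, "^[0-9A-Fa-f:.\[\]%]+$") Then _ArrayAdd($aNSfinal, $sAddr)
	EndIf
Next

; De-duplicate once after the scan instead of on every row.
Global $aUniqueNS[0]
If UBound($aNSfinal) > 0 Then $aUniqueNS = _ArrayUnique($aNSfinal, 0, 0, 0, 0)

For $k = 0 To UBound($aUniqueNS) - 1
	$aNSLookup = StringSplit(_Capture("nslookup " & $aUniqueNS[$k]), @LF, 2)
	_ArrayDelete($aNSLookup, "0-2") ; drop the resolver banner lines
	_ArrayAdd($aNSLookupFinal, $aNSLookup)
Next
;~ _ArrayDisplay($aNSLookupFinal , "Final")
$aOut = $aNSLookupFinal
_AddSheet(5, "NS_NAMES", $aOut)

;---------------------------------------------------------- Privileged Users And Groups
$sOutput = ""
Global $aSelectedGroups[] = ["Administrators", "Backup Operators"] ; Array Of Privileged Groups
Global $PsCommand
For $i = 0 To UBound($aSelectedGroups) - 1
	$PsCommand = '"' & "$([ADSI]'WinNT://localhost/" & StringStripWS($aSelectedGroups[$i], 3) & ",group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" & '"'
	$sOutput &= _Capture("powershell " & $PsCommand)
Next
$aOut = StringSplit($sOutput, @LF, 2)
_AddSheet(6, "PRIVILEGED", $aOut)

;---------------------------------------------------------- Startup
$aOut = StringSplit(_Capture("powershell Get-CimInstance Win32_StartupCommand | format-list"), @LF, 2)
_AddSheet(7, "STARTUP", $aOut)

;---------------------------------------------------------- SERVICES
$aOut = StringSplit(_Capture("powershell Get-Service | format-list"), @LF, 2)
_AddSheet(8, "SERVICES", $aOut)

;---------------------------------------------------------- PROCESSES+svc
$aOut = StringSplit(_Capture("tasklist /svc /FO CSV"), @LF, 2)
_AddSheet(9, "PROC+SVC", $aOut)

;---------------------------------------------------------- Drivers
$aOut = StringSplit(_Capture("driverquery -si -FO csv"), @LF, 2)
_AddSheet(10, "DRIVERS", $aOut)

;---------------------------------------------------------- SOFTWARE
; The original polled ProcessExists() here and could drop output still buffered in the pipe
; when the process exited; it now reads until end-of-stream like every other section.
; NOTE(review): Win32Reg_AddRemovePrograms is presumably only registered on hosts with the
; SMS/ConfigMgr client - confirm, or this sheet stays empty.
$aOut = StringSplit(_Capture("powershell Get-CimInstance Win32Reg_AddRemovePrograms"), @LF, 2)
_AddSheet(11, "SOFTWARE", $aOut)

;---------------------------------------------------------- PowerShell Commands
; Pulls the HostApplication value out of the matching 'Windows PowerShell' log entries
; and keeps each distinct one.
$sOutput = _Capture("powershell Get-EventLog -logname 'Windows PowerShell'" & " " & '-message "Provider*Function*is*Started*"' & "| Select -ExpandProperty message")
$aOut = StringRegExp($sOutput, "HostApplication=(.*)", 3)
If IsArray($aOut) Then $aOut = _ArrayUnique($aOut, 0, 0, 0, 0) ; no match leaves a non-array; _AddSheet then writes nothing
_AddSheet(12, "POWERSHELL", $aOut)

;---------------------------------------------------------- Logon Failures
; Security log, instance ID 4625.
$aOut = StringSplit(_Capture("powershell Get-EventLog -logname 'Security'" & " " & '-InstanceID "4625"' & "| Format-List"), @LF, 2)
_AddSheet(13, "LOGONFAIL", $aOut)

;---------------------------------------------------------- ALL RDP
; Security log, instance ID 4778.
$aOut = StringSplit(_Capture("powershell Get-EventLog -logname 'Security'" & " " & '-InstanceID "4778"' & "| Format-List"), @LF, 2)
_AddSheet(14, "RDP", $aOut)

;~ _ArrayDisplay($aFinal)

;---------------------------------------------------------- Save and open
Global $destfile = @ScriptDir & "\" & @MON & @MDAY & @YEAR & @HOUR & @MIN & @SEC & "AuditShot.xlsx"
_Excel_BookSaveAs($oXLbook, $destfile)
_Excel_Close($oXL)
Sleep(100)
ShellExecute($destfile)

; Runs $sCommand with a hidden window and returns everything it wrote to stdout.
; Returns "" when the process could not be started.
Func _Capture($sCommand)
	Local $iPID = Run($sCommand, "", @SW_HIDE, $STDOUT_CHILD)
	If $iPID = 0 Then Return ""
	Local $sText = ""
	While 1
		$sText &= StdoutRead($iPID)
		If @error Then ExitLoop ; @error is set once the stream is closed and drained
	WEnd
	ProcessClose($iPID)
	Return $sText
EndFunc   ;==>_Capture

; Writes $aLines to worksheet $iSheet, names the sheet $sName, and appends the lines to $aFinal.
; A non-array $aLines (a section that produced no data) only names the sheet.
; NOTE(review): the text is written as cell values; Excel may evaluate a value that begins
; with "=" as a formula - confirm, and escape such lines if the logs can carry
; externally supplied text.
Func _AddSheet($iSheet, $sName, ByRef $aLines)
	If IsArray($aLines) Then
		_Excel_RangeWrite($oXLbook, $iSheet, $aLines)
		_ArrayConcatenate($aFinal, $aLines)
	EndIf
	$oXLbook.Worksheets($iSheet).Name = $sName
EndFunc   ;==>_AddSheet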