iamtheky

AuditShot - A quick endpoint interrogation

7 posts in this topic

#1 ·  Posted (edited)

A simple, quick audit tool.

 

-Logged On Users
-SystemInfo
-IPconfig /All
-Active Connections (Netstat)
-Netstat Names
-Privileged Users/Groups
-Startup
-Services
-Processes+Svcs
-Drivers (signed?)
-Software
-Powershell Commands
-Logon Failures
-All RDP

Feel Free to Reply with More.  

**Requires PowerShell v4.0 or higher to run some of the commands, but those can be converted to WMI without much effort.

;AuditShot v1.1 -iamtheky


#RequireAdmin
#include <AutoItConstants.au3>   ; $STDOUT_CHILD used by every Run() below
#include <Array.au3>
#include <Excel.au3>
Local $aFinal[0]

$oXL = _Excel_Open(False)
$oXLbook = _Excel_BookNew($oXL, 14)   ; one worksheet per section; 14 since Netstat Names (sheet 5) was added in v1.1

;----------------------------------------------------------Logged on Users---------------------------------------------------------------------------------------


$sCommand = "powershell Get-CimInstance Win32_LoggedOnUser"

$iPID = run($sCommand & " | Format-List", "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 1 , $aOut)
$oXLBook.WorkSheets(1).Name = "LOGGEDON"

_ArrayConcatenate($aFinal , $aOut)

;------------------------------------------------SYS INFO-------------------------------------------------------------------------------------------------


$sCommand = "systeminfo"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 2 , $aOut)
$oXLBook.WorkSheets(2).Name = "SYSINFO"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);

;------------------------------------------------IPCONFIG-------------------------------------------------------------------------------------------------


$sCommand = "ipconfig /all"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 3 , $aOut)
$oXLBook.WorkSheets(3).Name = "IPCONFIG"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);

;------------------------------------------------ACTIVE NETSTAT-------------------------------------------------------------------------------------------------


$sCommand = "netstat -n"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 4 , $aOut)
$oXLBook.WorkSheets(4).Name = "NETSTAT"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);

;-----------------------------------------------------NETSTAT_NAMES--------------------------------------------------------------------------------------------------

$sCommand = "netstat -n"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""
$sNSLookupOut = ""
local $aNSfinal[0]
local $aNSLookupFinal[0]

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

For $i = 4 To UBound($aOut) - 1   ; skip the banner, blank and header lines of the netstat output
    $aLine = StringSplit($aOut[$i], " ", 2)
    For $k = UBound($aLine) - 1 To 0 Step -1
        If StringStripWS($aLine[$k], 8) = "" Then _ArrayDelete($aLine, $k)
    Next

    ; a data row is Proto, Local Address, Foreign Address[, State], so the foreign endpoint is element 2;
    ; anything with fewer than three fields has no foreign address to read (the old "> 1" test indexed past the end)
    If UBound($aLine) > 2 Then _ArrayAdd($aNSfinal, StringLeft($aLine[2], StringInStr($aLine[2], ":", 0, -1) - 1))
Next

; dedup once after the loop instead of on every row; _ArrayUnique puts the count in element 0, so drop it
$aUniqueNS = _ArrayUnique($aNSfinal)
_ArrayDelete($aUniqueNS, 0)

;~ _ArrayDisplay($aUniqueNS)


For $k = 0 to ubound($aUniqueNS) - 1

        $iPID = run("nslookup " & $aUniqueNS[$k] , "" , @SW_HIDE , $stdout_child)

            While 1
                $sNSLookupOut &= StdoutRead($iPID)
                If @error Then ExitLoop
            WEnd

        ProcessClose($iPID)

        $aNSLookup = stringsplit($sNSLookupOut , @LF , 2)

            _ArrayDelete($aNSLookup , "0-2")

            _ArrayAdd($aNSLookupFinal , $aNSLookup)


$sNSLookupOut = ""

Next

;~ _ArrayDisplay($aNSLookupFinal , "Final")


;~ _ArrayDisplay($aNSLookupFinal , "Final")

$aOut = $aNSLookupFinal

_Excel_RangeWrite($oXLbook , 5 , $aOut)
$oXLBook.WorkSheets(5).Name = "NS_NAMES"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);
;-------------------------------------------------------------Privileged Users And Groups------------------------------------------------------------------------------------

$sOutput = ""

local $aSelectedGroups[] = ["Administrators" , "Backup Operators"]   ; Array Of Privileged Groups


        For $i = 0 to ubound($aSelectedGroups) - 1

            $PsCommand = '"' & "$([ADSI]'WinNT://localhost/" & stringstripws($aSelectedGroups[$i] , 3) &",group').psbase.Invoke('Members') | foreach { $_.GetType().InvokeMember('ADspath', 'GetProperty', $null, $_, $null).Replace('WinNT://', '') }" & '"'


            $iPID = run("powershell " & $PsCommand, "" , @SW_HIDE , $stdout_child)

             While 1
                    $sOutput &= StdoutRead($iPID)
                    If @Error Then ExitLoop
             WEnd

             ProcessClose($iPID)

        Next



    $aOut = stringsplit($sOutput , @LF , 2)

    _Excel_RangeWrite($oXLbook , 6 , $aOut)
    $oXLBook.WorkSheets(6).Name = "PRIVILEGED"


_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);

;-------------------------------------------------Startup------------------------------------------------------------------------------------------------


$sCommand = "powershell Get-CimInstance Win32_StartupCommand | format-list"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 7 , $aOut)
$oXLBook.WorkSheets(7).Name = "STARTUP"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);

;-------------------------------------------------SERVICES------------------------------------------------------------------------------------------------


$sCommand = "powershell Get-Service | format-list"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 8 , $aOut)
$oXLBook.WorkSheets(8).Name = "SERVICES"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal);


;----------------------------------------------------PROCESSES+svc---------------------------------------------------------------------------------------------


$sCommand = "tasklist /svc /FO CSV"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 9 , $aOut)
$oXLBook.WorkSheets(9).Name = "PROC+SVC"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal)

;----------------------------------------------------Drivers---------------------------------------------------------------------------------------------


$sCommand = "driverquery -si -FO csv"
$iPID = run($sCommand, "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 10 , $aOut)
$oXLBook.WorkSheets(10).Name = "DRIVERS"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal)

;----------------------------------------------------SOFTWARE---------------------------------------------------------------------------------------------



; NOTE: Win32Reg_AddRemovePrograms is only present on hosts running the Configuration Manager (SCCM) client;
; on a plain Windows install the query returns nothing and this sheet stays empty
$sCommand = "powershell Get-CimInstance Win32Reg_AddRemovePrograms"
$iPID = Run($sCommand, "", @SW_HIDE, $STDOUT_CHILD)

$sOutput = ""

; read until the pipe closes, as in the other sections; polling ProcessExists() can drop
; output that is still buffered when the process exits
While 1
    $sOutput &= StdoutRead($iPID)
    If @error Then ExitLoop
WEnd

ProcessClose($iPID)

$aOut = stringsplit($sOutput, @LF , 2)

_Excel_RangeWrite($oXLbook , 11 , $aOut)
$oXLBook.WorkSheets(11).Name = "SOFTWARE"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal)

;----------------------------------------------------------PowerShell Commands---------------------------------------------------------------------------------------


$sCommand = "powershell Get-EventLog -logname 'Windows PowerShell'"
$sMessage = '-message "Provider*Function*is*Started*"'
$iPID = run($sCommand & " " & $sMessage & "| Select -ExpandProperty message", "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringregexp($sOutput , "HostApplication=(.*)" , 3)

$aOut = _ArrayUnique($aOut , 0 , 0 , 0 , 0)

_Excel_RangeWrite($oXLbook , 12 , $aOut)
$oXLBook.WorkSheets(12).Name = "POWERSHELL"

_ArrayConcatenate($aFinal , $aOut)

;~ _ArrayDisplay($aFinal)

;----------------------------------------------------------Logon Failures---------------------------------------------------------------------------------------


$sCommand = "powershell Get-EventLog -logname 'Security'"
$sMessage = '-InstanceID "4625"'
$iPID = run($sCommand & " " & $sMessage & "| Format-List", "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 13 , $aOut)
$oXLBook.WorkSheets(13).Name = "LOGONFAIL"

_ArrayConcatenate($aFinal , $aOut)

;----------------------------------------------------------ALL RDP---------------------------------------------------------------------------------------


$sCommand = "powershell Get-EventLog -logname 'Security'"
$sMessage = '-InstanceID "4778"'
$iPID = run($sCommand & " " & $sMessage & "| Format-List", "" , @SW_HIDE , $stdout_child)

$sOutput = ""

     While 1
        $sOutput &= StdoutRead($iPID)
        If @error Then ExitLoop
    WEnd


ProcessClose($iPID)

$aOut = stringsplit($sOutput , @LF , 2)

_Excel_RangeWrite($oXLbook , 14 , $aOut)
$oXLBook.WorkSheets(14).Name = "RDP"

_ArrayConcatenate($aFinal , $aOut)

;~ ;--------------------------------------------------------------

;~ _ArrayDisplay($aFinal)

$destfile = @ScriptDir & "\" & @MON & @MDAY & @YEAR & @HOUR & @MIN & @SEC & "AuditShot.xlsx"
_Excel_BookSaveAs($oXLbook , $destfile)
_Excel_Close($oXL)
sleep(100)
ShellExecute($destfile)

 


You can just array display $afinal if you are lacking Excel.



Thank you sir, once I get the amalgamation complete (I know I have missed a couple of common locations, like common ACL mods) I will certainly work on the inefficiencies. And then maybe dress it up all pretty for the UDF dance.



#6 ·  Posted (edited)

I'm going to leave this here so I don't forget. I want to add something of the sort (hand select protected files and folders and the things that malware might change about them) but this method is kind of slow. So far I've got Attributes, ACLs, Modified, Created, and Accessed.

#RequireAdmin
#include <AutoItConstants.au3>   ; $STDOUT_CHILD
#include <Array.au3>
#include <WinAPI.au3>
#include <WinAPIShellEx.au3>
#include <File.au3>

; see the real System32 from a 32-bit build instead of the WOW64 redirect;
; the API writes the previous state through a pointer, so pass a ptr* rather than an int
DllCall("kernel32.dll", "bool", "Wow64DisableWow64FsRedirection", "ptr*", 0)

;-------specific paths to be checked----------------

Global $aArray[17]

$aArray[0] = "C:\Program Files"
$aArray[1] = "C:\Program Files\Common Files"
$aArray[2] = "C:\Program Files (x86)"
$aArray[3] = "C:\Program Files (x86)\Common Files"
$aArray[4] = "C:\ProgramData"
$aArray[5] = "C:\Windows"
$aArray[6] = "C:\Windows\System32"
$aArray[7] = "C:\Windows\System32\Drivers"
$aArray[8] = "C:\Windows\System32\Drivers\etc"
$aArray[9] = "C:\Windows\System32\Sysprep"
$aArray[10] = "C:\Windows\System32\wbem"
$aArray[11] = "C:\Windows\System32\WindowsPowerShell\v1.0"
$aArray[12] = "C:\Windows\Web"
$aArray[13] = "C:\Windows\SysWOW64"
$aArray[14] = "C:\Windows\SysWOW64\Drivers"
$aArray[15] = "C:\Windows\SysWOW64\wbem"
$aArray[16] = "C:\Windows\SysWOW64\WindowsPowerShell\v1.0"


;----------Folders to be recursed and all contents checked-----------------------------
;"C:\Users\Public","C:\Users\" & @UserName & "\AppData\Local","C:\Users\" & @UserName & "\AppData\Local\Temp","C:\Users\" & @UserName & "\AppData\LocalLow"
;"C:\Users\" & @UserName & "\AppData\Roaming"

Local $aRecThese[] = ["C:\Boot", "C:\Perflogs", "C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup", _
        "C:\Windows\Scripts", "C:\Windows\System", "C:\Windows\System32\Tasks", _
        "C:\Windows\system32\config\systemprofile\AppData", "C:\Windows\sysWOW64\sysprep", _
        "C:\Windows\sysWOW64\config\systemprofile\AppData"]

;~ _ArrayDisplay($aRecThese)

for $i = 0 to ubound($aRecThese) - 1
  local $aList[0]
    $aList = _FileListToArrayRec($aRecThese[$i] , "*" , 0 , 1 , 0 , 2)
;~      _ArrayDisplay($aList)
        _ArrayDelete($aList , 0)
        _ArrayAdd($aArray , $aRecThese[$i])
        if ubound($aList) > 1 Then _ArrayAdd($aArray , $aList)
;~      _ArrayDisplay($aArray)
next

;-------------------------------------------------------------------------------------

Global $aOut[1][6] = [["PATH", "ATTRIB", "ACL", "Modified", "Created", "Accessed"]]   ; Declare Final Array (header row)
;~ _ArrayDisplay($aOut)

;--------START LOOP THROUGH ARRAY OF Files and Folders----------------------------------

For $i = 0 to ubound($aArray) - 1

    ;-----------------------------GET ATTRIBUTES------------------------------------------------

    $sAttrib = FileGetAttrib($aArray[$i])

    ;---------------------------GET ACLs----------------------------------------------------------
    $iPID = run ("cmd /c icacls " & '"' & $aArray[$i] & '"' & " /C"  ,  "", @SW_HIDE , $stdout_child)

    $sOutput = ""

         While 1
                $sOutput &= StdoutRead($iPID)
                If @error Then
                    ExitLoop
                EndIf
         WEnd

    ProcessClose($iPID)

$aSplit = stringsplit($sOutput , @LF , 2)

;-----------------------Get Times--------------
; FileGetTime option: 0 = modified, 1 = created, 2 = accessed; format 1 returns YYYYMMDDHHMMSS
; (the original passed 0 three times, so all three columns held the modified time)

;------------Add All That Stuff to the Final Array-----------------------------------------------------------

    _ArrayAdd($aOut, $aArray[$i])  ; Create a new row, Add the path to column 1
    $aOut[UBound($aOut) - 1][1] = $sAttrib ; add the attribute string to column 2
    $aOut[UBound($aOut) - 1][2] = StringRegExpReplace(_ArrayToString($aSplit, ",,", 1, UBound($aSplit) - 4), "\s\s+", "") ;ACL string in column 3
    $aOut[UBound($aOut) - 1][3] = FileGetTime($aArray[$i], 0, 1) ; modified
    $aOut[UBound($aOut) - 1][4] = FileGetTime($aArray[$i], 1, 1) ; created
    $aOut[UBound($aOut) - 1][5] = FileGetTime($aArray[$i], 2, 1) ; accessed

Next

_ArrayDisplay($aOut)
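The baseline-and-compare step that post #6 is working towards, as an added example in Python that is not the thread's code: it records the same fields the script collects (attributes, size, modified/created/accessed times, plus a content hash for files) for a hand-picked list of paths and diffs two snapshots, so a changed, added or deleted protected file is reported rather than eyeballed in a table. The icacls ACL column is not reproduced here because the Python standard library has no ACL reader; the path list and file contents in the test are constructed.

```python
import hashlib
import os
import stat

# Fields an intruder is likely to alter on a protected path; atime is recorded
# but excluded from comparison because merely reading a file (this audit
# included) updates it.
def snapshot(paths):
    """Record mode, size, timestamps and (for files) a SHA-256 per path.
    A missing path is stored as None so deletions show up in the diff."""
    snap = {}
    for p in paths:
        try:
            st = os.lstat(p)
        except FileNotFoundError:
            snap[p] = None
            continue
        entry = {
            "mode": stat.filemode(st.st_mode),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "ctime": int(st.st_ctime),   # creation time on Windows, inode change on POSIX
            "atime": int(st.st_atime),
            # Windows only: FILE_ATTRIBUTE_* bitmask, the analogue of FileGetAttrib()
            "win_attrs": getattr(st, "st_file_attributes", None),
            "sha256": None,
        }
        if stat.S_ISREG(st.st_mode):
            with open(p, "rb") as fh:
                entry["sha256"] = hashlib.sha256(fh.read()).hexdigest()
        snap[p] = entry
    return snap

def diff_snapshots(baseline, current):
    """Return {path: {field: (old, new)}} for every path that changed between
    two snapshots; appearance or disappearance is reported as 'present'."""
    changes = {}
    for p in baseline:
        old, new = baseline[p], current.get(p)
        if old is None and new is None:
            continue
        if old is None or new is None:
            changes[p] = {"present": (old is not None, new is not None)}
            continue
        fields = {k: (old[k], new[k]) for k in old
                  if k != "atime" and old[k] != new[k]}
        if fields:
            changes[p] = fields
    return changes
```

Run snapshot() once on a known-good host, store the result, and diff against a fresh snapshot on each audit; the stored baseline should live somewhere the audited host cannot rewrite.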

 


Version 1.1 posted

Added Netstat Names - this uses netstat -n and Nslookup rather than netstat -f. It is faster in my testing and also allows me to dedup the foreign addresses prior to name resolution further speeding up the routine.
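The parse-then-dedup step described here (the NETSTAT_NAMES section of the v1.1 script above), as an added example in Python that is not the thread's code: it pulls the foreign endpoint out of a constructed netstat -n listing, handles bracketed IPv6 addresses and the UDP "*:*" wildcard that the original string split does not, skips loopback peers, and reverse-resolves each unique address exactly once. The lookup function is injectable so the routine can be exercised without touching DNS.

```python
import ipaddress
import socket

# Constructed sample of "netstat -n" output (not captured from a real host):
# IPv4 TCP, a repeated peer, an IPv6 peer, a loopback peer and a UDP wildcard.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    10.0.0.5:49712         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:49713         203.0.113.10:443       TIME_WAIT
  TCP    [2001:db8::5]:49714    [2001:db8::ff]:443     ESTABLISHED
  TCP    127.0.0.1:49715        127.0.0.1:49716        ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

def split_host_port(endpoint):
    """Split 'host:port' as netstat prints it; IPv6 hosts are bracketed."""
    if endpoint.startswith("["):
        host, _, port = endpoint[1:].partition("]:")
    else:
        host, _, port = endpoint.rpartition(":")
    return host, port

def foreign_addresses(netstat_text):
    """Unique, resolvable foreign hosts from netstat -n output, in first-seen order."""
    seen = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows start with the protocol; the banner and header rows do not.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        host, _port = split_host_port(fields[2])
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # UDP listeners show "*:*", which is not an address
        if addr.is_loopback or addr.is_unspecified:
            continue  # nothing to learn from resolving ourselves
        if host not in seen:
            seen.append(host)
    return seen

def resolve_names(hosts, lookup=socket.gethostbyaddr):
    """Reverse-resolve each unique host exactly once (the dedup the post describes).
    'lookup' is injectable for offline testing."""
    names = {}
    for host in hosts:
        try:
            names[host] = lookup(host)[0]
        except OSError:  # socket.herror / gaierror are OSError subclasses
            names[host] = None
    return names
```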


