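@echo off
rem ============================================================================
rem LOLIR - Living Off the Land Incident Response collector.
rem
rem Purpose : Triage collection from a Windows 10+ host using only built-in
rem           tooling (wevtutil, reg, netsh, esentutl, bitsadmin, PowerShell).
rem           Nothing is dropped on the host except the output folder.
rem Usage   : Run from an ELEVATED prompt with the current directory on the
rem           collection media (e.g. a USB drive), NOT on the evidence disk:
rem           the output folder and the final .zip are created in %cd%.
rem           A non-elevated run still works, but admin-only items (Security
rem           and Sysmon logs, secedit, netstat -b, ntds.dit) will be missing.
rem Output  : LOLIR_<host>_<timestamp>\ , LOLIR_<host>_<timestamp>.zip and a
rem           SHA256 of the zip for chain of custody.
rem
rem HANDLING WARNING: the archive contains credential-grade material - Wi-Fi
rem PSKs in clear text (netsh ... Key=clear), full HKLM/HKCU/HKU exports,
rem PSReadLine command history and, on domain controllers, a copy of ntds.dit.
rem Keep it on encrypted media and restrict who can open it.
rem
rem Last updated 2025-03-19. Requires at least Windows 10 (several event
rem channels queried below do not exist on older releases).
rem ============================================================================
setlocal EnableExtensions

rem Collection timestamp, read straight from PowerShell (no scratch file on the media).
for /f "usebackq delims=" %%t in (`powershell -NoProfile -Command "Get-Date -Format 'yyyy-MM-dd_HH-mm-ss'"`) do set "timestamp=%%t"
if not defined timestamp (
    echo ERROR: could not obtain a timestamp from PowerShell. Aborting.
    exit /b 1
)

rem Elevation check: fltmc needs admin rights and has no service dependency.
rem Only warn - most of the collection is still useful unprivileged.
fltmc >nul 2>&1
if errorlevel 1 (
    set "elevated=no"
) else (
    set "elevated=yes"
)

rem Fully qualified profiles root, derived from %public% so a relocated
rem ProfilesDirectory is honoured (%%~fd resolves the "..").
for %%d in ("%public%\..") do set "usersroot=%%~fd"

rem Everything is written under this folder; abort if it cannot be created
rem (read-only media) rather than scattering files into the current directory.
set "outdir=LOLIR_%computername%_%timestamp%"
mkdir "%outdir%" 2>nul
if not exist "%outdir%\" (
    echo ERROR: cannot create "%outdir%" in "%cd%". Is the collection media writable? Aborting.
    exit /b 1
)
cd /d "%outdir%"

cls
color cf
echo --------------------------------------------------------------------------------
echo Started at: %timestamp%
echo LOLIR - Living Off the Land Incident Response - Requires ADMIN privileges.
echo Last updated 2025-03-19. This script requires at least Windows 10.
echo --------------------------------------------------------------------------------
if "%elevated%"=="no" echo WARNING: not running elevated - admin-only items will be missing.

rem Chain-of-custody metadata for the collection itself.
(
    echo Host:       %computername%
    echo Started:    %timestamp%
    echo Collector:  %userdomain%\%username%
    echo Elevated:   %elevated%
    echo Run from:   %cd%
) > %computername%_collection.info.txt

rem --- Event logs as text. The queries run in parallel (start /b); the
rem --- subroutine :wait_for blocks until every wevtutil has exited, so no
rem --- file is left half-written when the next stage (or the zip) starts.
echo * Logs: Security log (Requires admin privileges)
start /b wevtutil qe /f:text security > %computername%_log.security.log
echo * Logs: System log
start /b wevtutil qe /f:text system > %computername%_log.system.log
echo * Logs: Application log
start /b wevtutil qe /f:text application > %computername%_log.application.log
echo * Logs: Setup log
start /b wevtutil qe /f:text setup > %computername%_log.setup.log
echo * Logs: PowerShell/Operational log
start /b wevtutil qe /f:text Microsoft-Windows-PowerShell/Operational > %computername%_powershell.operational.log
echo * Logs: Sysmon/Operational log (Requires admin privileges)
start /b wevtutil qe /f:text Microsoft-Windows-Sysmon/Operational > %computername%_sysmon.operational.log
echo * Logs: TaskScheduler/Operational log
start /b wevtutil qe /f:text Microsoft-Windows-TaskScheduler/Operational > %computername%_taskscheduler.operational.log
echo * Logs: BitsClient/Operational log
start /b wevtutil qe /f:text Microsoft-Windows-Bits-Client/Operational > %computername%_bitsclient.operational.log
echo * Logs: TerminalServices-LocalSessionManager log
start /b wevtutil qe /f:text Microsoft-Windows-TerminalServices-LocalSessionManager/Operational > %computername%_Term.Local.operational.log
echo * Logs: TerminalServices-RemoteConnectionManager log
start /b wevtutil qe /f:text Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational > %computername%_Term.Remote.operational.log
echo * Logs: TerminalServices-RDPClient/Operational log
start /b wevtutil qe /f:text Microsoft-Windows-TerminalServices-RDPClient/Operational > %computername%_Term.RDPClient.operational.log
echo * Logs: LAPS
start /b wevtutil qe /f:text Microsoft-Windows-Laps/Operational > %computername%_laps.operational.log
echo * Logs: DHCP+DHCP6
start /b wevtutil qe /f:text Microsoft-Windows-Dhcp-Client/Admin > %computername%_dhcpclient.admin.log
start /b wevtutil qe /f:text Microsoft-Windows-DHCP-Client/Operational > %computername%_dhcpclient.operational.log
start /b wevtutil qe /f:text Microsoft-Windows-DHCPv6-Client/Admin > %computername%_dhcpclient6.admin.log
start /b wevtutil qe /f:text Microsoft-Windows-DHCPv6-Client/Operational > %computername%_dhcpclient6.operational.log
echo * Logs: Defender
start /b wevtutil qe /f:text "Microsoft-Windows-Windows Defender/Operational" > %computername%_defender.operational.log
echo * Logs: AdvFirewall
start /b wevtutil qe /f:text "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" > %computername%_advfirewall.firewall.log
start /b wevtutil qe /f:text "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" > %computername%_advfirewall.firewallverbose.log
echo * Logs: Hyper-V
start /b wevtutil qe /f:text Microsoft-Windows-Hyper-V-Hypervisor-Admin > %computername%_hyperv.admin.log
start /b wevtutil qe /f:text Microsoft-Windows-Hyper-V-Hypervisor-Operational > %computername%_hyperv.operational.log
echo * Logs: WinRM
start /b wevtutil qe /f:text Microsoft-Windows-WinRM/Operational > %computername%_winrm.operational.log
echo * Logs: SSH-Operational
rem /f:text added so this channel matches the format of every other .log above.
start /b wevtutil qe /f:text "OpenSSH/Operational" > %computername%_SSH.operational.log
call :wait_for wevtutil.exe

rem --- Native .evtx exports of the same channels, for tools that need the
rem --- binary format (timeline builders, Sigma/EVTX parsers).
echo * Dumping .evtx files of the same sources (above).
start /b wevtutil epl security %computername%_log.security.evtx
start /b wevtutil epl system %computername%_log.system.evtx
start /b wevtutil epl application %computername%_log.application.evtx
start /b wevtutil epl setup %computername%_log.setup.evtx
start /b wevtutil epl Microsoft-Windows-PowerShell/Operational %computername%_log.powershell.evtx
start /b wevtutil epl Microsoft-Windows-Sysmon/Operational %computername%_log.sysmon.evtx
start /b wevtutil epl Microsoft-Windows-TaskScheduler/Operational %computername%_log.taskscheduler.evtx
start /b wevtutil epl Microsoft-Windows-Bits-Client/Operational %computername%_log.bitsclient.evtx
start /b wevtutil epl Microsoft-Windows-TerminalServices-LocalSessionManager/Operational %computername%_log.Term.Local.evtx
start /b wevtutil epl Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational %computername%_log.Term.Remote.evtx
start /b wevtutil epl Microsoft-Windows-TerminalServices-RDPClient/Operational %computername%_log.Term.RDPClient.evtx
start /b wevtutil epl Microsoft-Windows-Laps/Operational %computername%_laps.operational.evtx
start /b wevtutil epl Microsoft-Windows-Dhcp-Client/Admin %computername%_dhcpclient.admin.evtx
start /b wevtutil epl Microsoft-Windows-DHCP-Client/Operational %computername%_dhcpclient.operational.evtx
start /b wevtutil epl Microsoft-Windows-DHCPv6-Client/Admin %computername%_dhcpclient6.admin.evtx
start /b wevtutil epl Microsoft-Windows-DHCPv6-Client/Operational %computername%_dhcpclient6.operational.evtx
start /b wevtutil epl "Microsoft-Windows-Windows Defender/Operational" %computername%_defender.operational.evtx
start /b wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" %computername%_advfirewall.firewall.evtx
start /b wevtutil epl "Microsoft-Windows-Windows Firewall With Advanced Security/FirewallVerbose" %computername%_advfirewall.firewallverbose.evtx
start /b wevtutil epl Microsoft-Windows-Hyper-V-Hypervisor-Admin %computername%_hyperv.admin.evtx
start /b wevtutil epl Microsoft-Windows-Hyper-V-Hypervisor-Operational %computername%_hyperv.operational.evtx
start /b wevtutil epl Microsoft-Windows-WinRM/Operational %computername%_winrm.operational.evtx
start /b wevtutil epl "OpenSSH/Operational" %computername%_ssh.operational.evtx
call :wait_for wevtutil.exe

rem --- Registry. /y suppresses the overwrite prompt that would otherwise
rem --- hang a background export if the file already exists.
echo * Dump registry: HKLM to text
start /b reg export HKLM %computername%_reg_HKLM.txt /y
echo * Dump registry: HKCU to text
start /b reg export HKCU %computername%_reg_HKCU.txt /y
echo * Dump registry: HKU to text
start /b reg export HKU %computername%_reg_HKU.txt /y
call :wait_for reg.exe

rem --- Everything below runs sequentially.
echo * Dump BITS jobs
bitsadmin.exe /rawreturn /list /allusers /verbose > %computername%_BITS.jobs.txt
echo * Dump DNS Cache
ipconfig /displaydns > %computername%_dnsCache.IPConf.txt
echo * IPConfig /all
ipconfig /all > %computername%_ipconfig.txt
echo * Dump DNS Cache Powershell
powershell -NoProfile -Command "Get-DnsClientCache | Format-List" > %computername%_dnsCache.ps.txt
echo * Dump SecEdit (Requires admin privileges)
secedit /export /cfg %computername%_SecEdit.txt
echo * Kerberos sessions
klist sessions > %computername%_kerberos.session.tickets.klist.txt
klist tickets > %computername%_kerberos.tickets.txt
powershell -NoProfile -Command "gwmi win32_LogonSession" > %computername%_kerberos.session.tickets.ps.txt

rem NTDS.DIT only exists on domain controllers; skip silently elsewhere instead
rem of letting esentutl error out. The copy is the domain credential database -
rem see the handling warning at the top of this file.
echo * NTDS.DIT (Domain controllers only, e.g. 2019/2022/2025).
if exist "%SystemRoot%\ntds\ntds.dit" (
    esentutl.exe /y /vss "%SystemRoot%\ntds\ntds.dit" /d %computername%_ntds.dit > nul
) else (
    echo   ntds.dit not present - not a domain controller, skipping.
)

echo * Current processes (List)
tasklist /FO LIST > %computername%_processes.short.txt
powershell.exe -NoProfile -Command "Get-CimInstance Win32_process | Export-Csv %computername%_processes.long.txt"
echo * Network state (Admin = more detail)
Netstat -nabo > %computername%_netstat.admin.txt
echo * Network state (user)
Netstat -nao > %computername%_netstat.user.txt
echo * Scheduled tasks
schtasks /query /v /FO list > %computername%_schtasks.txt
echo * Services (Win32_Services)
sc query > %computername%_services.sc.txt
net start > %computername%_services.net.txt
powershell.exe -NoProfile -Command "Get-CimInstance Win32_service | Export-Csv %computername%_services.txt"

rem --- Artefact folders. %SystemRoot% instead of a hard-coded C:\Windows so
rem --- the right system volume is read regardless of the drive this runs from.
echo * Repository
mkdir Repository
copy "%SystemRoot%\System32\wbem\Repository\*" Repository >nul
echo * WDI
mkdir WDI
copy "%SystemRoot%\System32\WDI\LogFiles\*" WDI >nul
echo * WMI
mkdir WMI
copy "%SystemRoot%\System32\LogFiles\WMI\*" WMI >nul
echo * Setupapi
mkdir Setupapi
copy "%SystemRoot%\INF\setupapi*.log" Setupapi >nul
echo * Prefetch
mkdir Prefetch
copy "%SystemRoot%\Prefetch\*.pf" Prefetch >nul
echo * Mountvol Drivers
mountvol > %computername%_drives.txt
echo * VSSAdmin Volumes
vssadmin list volumes > %computername%_volumes.txt
echo * VSSAdmin Shadows (info only)
vssadmin list shadows > %computername%_vssadmin.shadows.txt
echo * VSSAdmin Shadowstorage (info only)
vssadmin list shadowstorage > %computername%_vssadmin.shadowstorage.txt
echo * Firewall
netsh advfirewall firewall show rule name=all > %computername%_firewall.txt
echo * Startup
powershell.exe -NoProfile -Command "Get-CimInstance Win32_StartupCommand | Export-Csv %computername%_startup.txt"
echo * Hosts
copy "%SystemRoot%\System32\drivers\etc\hosts" %computername%_hosts.txt
echo * Environment
set > %computername%_environment.txt
echo * System info
systeminfo >%computername%_systeminfo.txt
echo * Arp
arp -a > %computername%_arp.txt
echo * Users
net user > %computername%_net.users.txt
powershell.exe -NoProfile -Command "Get-CimInstance Win32_useraccount | Export-Csv %computername%_useraccount.txt"
echo * Mapped Drives (Requires Workstation Service running)
net use > %computername%_net.drives.txt
echo * Shares (Requires Server Service running)
echo n | net share > %computername%_net.shares.txt
echo * Groups (Requires Workstation Service running)
net localgroup > %computername%_net.localgroup.txt
powershell.exe -NoProfile -Command "Get-CimInstance Win32_group | Export-Csv %computername%_groups.txt"
echo * Disks
powershell.exe -NoProfile -Command "Get-CimInstance Win32_logicaldisk | Export-Csv %computername%_logicaldisks.txt"
echo * Installed patches
powershell.exe -NoProfile -Command "Get-CimInstance Win32_QuickFixEngineering | Export-Csv %computername%_installedpatches.txt"
echo * Network Interface cards
powershell.exe -NoProfile -Command "Get-CimInstance Win32_NetworkAdapter | Export-Csv %computername%_nic.list.gw-ip.txt"
powershell.exe -NoProfile -Command "Get-CimInstance Win32_NetworkAdapterConfiguration | Export-Csv %computername%_niclist.txt"
powershell -NoProfile -Command "get-netadapter | format-list" > %computername%_ps.niclist.txt
netsh interface show interface > %computername%_netsh.niclist.txt
echo * Wifi networks
netsh wlan show profiles > %computername%_available.wifi.networks.txt
echo * Wifi Config (NOTE: Key=clear writes the PSKs in plain text into this file)
netsh wlan show profile Name=* Key=clear > %computername%_wifi.config.txt
echo * Domain membership info
powershell.exe -NoProfile -Command "Get-CimInstance Win32_ntdomain | Export-Csv %computername%_domain.membership.txt"
echo * Logins
powershell.exe -NoProfile -Command "Get-CimInstance Win32_NetworkLoginProfile | Export-Csv %computername%_netlogins.txt"
echo * Plug and play devices
powershell.exe -NoProfile -Command "Get-CimInstance Win32_PnPEntity | Export-Csv %computername%_pnp.txt"
echo * Installed printers (Unauthorised local printers)
powershell -NoProfile -Command "Get-Printer | Export-Csv %computername%_printer.txt"
echo * Installed software (takes a while to run)
powershell.exe -NoProfile -Command "Get-CimInstance Win32_product | Export-Csv %computername%_installed.software.txt"

rem --- Per-user artefacts. "delims=" keeps profile names containing spaces
rem --- intact (the default tokeniser would truncate "John Doe" to "John"),
rem --- and the paths are quoted inside the PowerShell command for the same
rem --- reason. Missing folders are skipped instead of producing an error.
echo * User Recent files (all user folders)
for /f "delims=" %%f in ('dir /B /AD "%usersroot%"') do (
    if exist "%usersroot%\%%f\AppData\Roaming\Microsoft\Windows\Recent\" (
        echo %usersroot%\%%f\AppData\Roaming\Microsoft\Windows\Recent\
        powershell -NoProfile -Command "Compress-Archive -CompressionLevel Optimal -Path '%usersroot%\%%f\AppData\Roaming\Microsoft\Windows\Recent\' -DestinationPath '%computername%_recent_%%f.zip'" > nul
    )
)
echo * Appdata: Powershell (PSReadLine history - contains every typed command)
for /f "delims=" %%f in ('dir /B /AD "%usersroot%"') do (
    if exist "%usersroot%\%%f\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\" (
        echo %usersroot%\%%f\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\
        powershell -NoProfile -Command "Compress-Archive -CompressionLevel Optimal -Path '%usersroot%\%%f\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\' -DestinationPath '%computername%_appdata_powershell_%%f.zip'" > nul
    )
)
echo * Userdata .ssh known_hosts
for /f "delims=" %%f in ('dir /B /AD "%usersroot%"') do (
    if exist "%usersroot%\%%f\.ssh\known_hosts" (
        echo %usersroot%\%%f\.ssh\known_hosts
        powershell -NoProfile -Command "Compress-Archive -CompressionLevel Optimal -Path '%usersroot%\%%f\.ssh\known_hosts' -DestinationPath '%computername%_ssh.knownhosts_%%f.zip'" > nul
    )
)

rem --- Executables in user-writable locations. Run in the foreground so the
rem --- output files are complete before the filesystem listing starts.
echo * Executables in world/user writeable, non-standard locations. (This can take a few minutes)
attrib "%ProgramData%\*.exe" /s | find /i ".exe" > %computername%_folder-programdata.exe.log
attrib "%usersroot%\*.exe" /s | find /i ".exe" > %computername%_folder-users.exe.log
echo.

rem --- Whole system volume. %SystemDrive% is used explicitly: a bare "\" would
rem --- list the root of whatever drive the collection media happens to be.
echo * Filesystem timestamps (This can take a few minutes)
dir "%SystemDrive%\*.*" /s > %computername%_filesystem.txt
echo * Filesystem hierarchy (This can take a few minutes)
attrib "%SystemDrive%\*.*" /s > %computername%_filesystem.hierarchy.txt

echo Ended:      %date%T%time% >> %computername%_collection.info.txt
cd ..
echo --------------------------------------------------------------------------------
echo Ended @ %date%T%time%.
echo.
echo Compressing to .zip file...
powershell -NoProfile -Command "Compress-Archive -Path '%outdir%' -DestinationPath '%outdir%.zip'"
rem Hash the archive so the evidence can be verified after transfer.
if exist "%outdir%.zip" (
    certutil -hashfile "%outdir%.zip" SHA256 > "%outdir%.zip.sha256.txt"
    echo SHA256 of the archive written to %outdir%.zip.sha256.txt
) else (
    echo WARNING: %outdir%.zip was not created - the uncompressed folder %outdir% is still available.
)
endlocal
goto :eof

rem ----------------------------------------------------------------------------
rem :wait_for <image name>
rem Blocks until no process with the given image name is running, polling every
rem 2 seconds, for at most ~10 minutes. Replaces the fixed "timeout 10" that
rem let a slow wevtutil/reg export overlap the next stage or the final zip.
rem Caveat: an unrelated process with the same image name (e.g. another
rem operator's wevtutil) extends the wait; that is accepted on an IR host.
rem Returns 0 when clear, 1 if the limit was reached.
rem ----------------------------------------------------------------------------
:wait_for
set "_wait_left=300"
:wait_for_loop
tasklist /FI "IMAGENAME eq %~1" 2>nul | find /I "%~1" >nul
if errorlevel 1 exit /b 0
if %_wait_left% LEQ 0 (
    echo   WARNING: %~1 still running after the wait limit; its output may be incomplete.
    exit /b 1
)
set /a _wait_left-=1
timeout /t 2 /nobreak >nul
goto wait_for_loop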