Common Windows commands (incident response)

Note: WMIC is deprecated in current Windows releases and may not be present on newer installs; the same WMI classes queried below can be reached from PowerShell with Get-CimInstance.

System information:

systeminfo
wmic os
wmic cpu
wmic nteventlog #system event log
wmic computersystem

Processes and services

tasklist #list processes
tasklist | findstr "evil.exe"
taskkill /f /t /im evil.exe
wmic process list full
wmic process get xxx #get the value of process attribute xxx
wmic process where processid="2345" delete #terminate a process
wmic process call create "C:\Program Files\Tencent\QQ\QQ.exe" #create a process
wmic process where name="jqs.exe" get executablepath #show the executable path of a process
wmic service where name="xxx" call [startservice | stopservice | pauseservice | delete ]

Accounts, domain, workgroup

wmic useraccount
wmic sysaccount
wmic computersystem get domain #show domain / workgroup
wmic group
wmic netlogin #network logon information
wmic logon #logon sessions

Shares, remote access, startup items

wmic /node:"a.b.c.d" /password:"xxxxxx" /user:"administrator" #connect to a remote host
wmic share
wmic share where name='x$' call delete
wmic share call create "","xxx","3","TestShareName","","c:\xxxxxx",0 #create a share
wmic startup list #check startup items

Small utility script

(A batch script, very simple, used for quick information collection during incident response)


@echo off
rem Write a quick triage snapshot to %USERPROFILE%\Desktop\report\.
rem (The original built this path by cutting six characters off the output of
rem whoami, which is only right when the host name is five characters long.)
set "report=%USERPROFILE%\Desktop\report\"
mkdir "%report%"
cd /d "%report%"
systeminfo >> info.txt
rem Five netstat snapshots a few seconds apart to catch short-lived connections
rem (the original ran netstat -abo five times back to back); -b needs an elevated prompt.
for /L %%n in (1,1,5) do (
    netstat -abo >> netflow.txt
    timeout /t 5 /nobreak > nul
)
rem WMI listings as HTML tables
wmic process list full /format:hform >> process.html
wmic service list full /format:hform >> services.html
wmic useraccount list full /format:hform >> user.html
wmic sysaccount list full /format:hform >> sysaccount.html
wmic group list full /format:hform >> group.html
wmic logon list full /format:hform >> logonlog.html
wmic netlogin list full /format:hform >> netloginlog.html
wmic job list full /format:hform >> job.html
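The netflow.txt written by the batch script is raw netstat -abo text; the Python parser below, added here as an example and not part of the original post, turns it into per-process records so connections can be reviewed per image instead of by eyeballing the dump. The sample output is constructed (with the page's evil.exe as the unknown process) and assumes the Windows netstat -abo layout: an entry line, optional service/component names, then the bracketed image name.

```python
import re
from collections import defaultdict

# Constructed sample of `netstat -abo` output (not captured from a real host).
SAMPLE = """\
Active Connections
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  RpcSs
 [svchost.exe]
  TCP    192.168.1.10:49731     203.0.113.5:4444       ESTABLISHED     2345
 [evil.exe]
  TCP    192.168.1.10:49800     93.184.216.34:443      ESTABLISHED     4120
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*                                    4120
 [chrome.exe]
"""
# Entry line: proto, local, foreign, optional state (UDP has none), PID;
# the owning image is what -b prints in brackets under the entry.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")

def parse_netstat(text):
    """One dict per connection, with owning image and listed service names."""
    records = []
    for line in text.splitlines():
        m = CONN_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            records.append({"proto": proto, "local": local, "remote": remote,
                            "state": state or "", "pid": int(pid),
                            "image": None, "components": []})
        elif records:  # lines before the first entry are the header
            o = OWNER_RE.match(line)
            if o:
                records[-1]["image"] = o.group(1)
            elif line.strip():
                records[-1]["components"].append(line.strip())
    return records

def by_image(records):
    """Listening sockets and remote peers per image, for review at a glance."""
    out = defaultdict(lambda: {"listening": [], "remote_peers": []})
    for r in records:
        key = r["image"] or "pid %d" % r["pid"]
        if r["state"] == "LISTENING":
            out[key]["listening"].append(r["local"])
        elif r["remote"] not in ("0.0.0.0:0", "*:*"):
            out[key]["remote_peers"].append(r["remote"])
    return dict(out)
```

Run it as `by_image(parse_netstat(open("netflow.txt").read()))`; since the script appends five snapshots, the same socket may appear several times, which is expected.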

Article link:

https://www.abotaku.cn/archives/122.html