{"id":13840003,"url":"https://github.com/0xbinibini/emergency_response_batch","last_synced_at":"2025-07-11T07:32:02.124Z",
"repository":{"id":219521655,"uuid":"404976487","full_name":"0xbinibini/emergency_response_batch","owner":"0xbinibini",
"description":"Emergency response; emergency response scripts; emergency response batch files. Integrates the Windows commands for viewing logs, users, ports and so on into a batch script, so that experienced responders are spared repeated typing and memorization, and reads a configuration file to call Windows' built-in commands to end processes, services and the like. This batch script avoids calling any external tool where possible; any external tools it does call are stored in the plugin directory for use as needed, with the aim of doing the work with the most native command line possible.",
"archived":false,"fork":false,"pushed_at":"2023-04-06T17:47:28.000Z","size":28304,"stargazers_count":40,"open_issues_count":2,"forks_count":6,"subscribers_count":4,"default_branch":"main","last_synced_at":"2024-08-05T17:24:35.098Z","etag":null,"topics":["batch-script","emergency-response","miningpool"],"latest_commit_sha":null,"homepage":"","language":"Batchfile","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/0xbinibini.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2021-09-10T06:17:32.000Z","updated_at":"2024-07-13T03:04:50.000Z","dependencies_parsed_at":null,"dependency_job_id":"b8f2188b-0184-41ce-974d-82b34c771edc","html_url":"https://github.com/0xbinibini/emergency_response_batch","commit_stats":null,"previous_names":["0xbinibini/emergency_response_batch"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbinibini%2Femergency_response_batch","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbinibini%2Femergency_response_batch/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbinibini%2Femergency_response_batch/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/0xbinibini%2Femergency_response_batch/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/0xbinibini","download_url":"https://codeload.github.com/0xbinibini/emergency_response_batch/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225705159,"owners_count":17511234,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},
"keywords":["batch-script","emergency-response","miningpool"],"created_at":"2024-08-04T17:00:40.308Z","updated_at":"2024-11-21T09:30:50.581Z","avatar_url":"https://github.com/0xbinibini.png","language":"Batchfile","funding_links":[],"categories":["Batchfile"],"sub_categories":[],
"readme":"# Project introduction\r\n\r\nMain functions:\r\n\r\n1. List basic computer information\r\n\r\n* msinfo32, systeminfo, etc.\r\n  * todo\r\n  * [ ] Add plugin: invoke popular **baseline check tools** (check for missing patches, etc.)\r\n\r\n2. Check computer user information\r\n\r\n* Current users: net user, net localgroup, wmic useraccount get name,sid, lusrmgr.msc, HKLM\\SAM\\SAM\\Domains\\Account\\Users\\Names (requires adjusting permissions on the SAM registry key)\r\n  * todo\r\n  * [x] Add plugin: launch the **D盾** (D-Shield) tool to check directly for cloned accounts\r\n\r\n3. Network connections and processes\r\n\r\n* Task Manager, process and service list, process launch arguments, network connection list\r\n  * todo PS: \u003cfont color=red\u003ethere is now a kind of trojan that detects the process manager in order to hide its malicious process\u003c/font\u003e\r\n  * [ ] Implement via commands: show the process name for every network connection together with the process list\r\n  * [ ] Add plugin: add **火绒剑** (Huorong Sword) for easier inspection\r\n\r\n4. View startup items and scheduled tasks\r\n\r\n* msconfig, scheduled tasks, computer properties, scheduled tasks shown via ps, Start Menu startup folder, bitsadmin autostart backdoor check\r\n  * todo\r\n  * [x] Call Microsoft's autoruns directly to check all autostart items\r\n\r\n5. Registry keys\r\n\r\n* HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Run, HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Policies\\Explorer, HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Policies\\Explorer\\Run, HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Run, HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Policies\\Explorer, HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\Policies\\Explorer\\Run, HKEY_CURRENT_USER\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\RunOnce, HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\WINDOWS\\CurrentVersion\\RunOnce\r\n\r\n6. Sensitive file inspection\r\n\r\n* %WINDIR%, %WINDIR%\\tmp, %WINDIR%\\system32\\, %TEMP%, %LOCALAPPDATA%, %APPDATA%, %UserProfile%\\Recent, %WINDIR%\\Prefetch\r\n  * todo\r\n  * [ ] Use the forfiles command to search for files within a given range\r\n\r\n7. Log analysis\r\n\r\n* %windir%\\System32\\winevt\\Logs\\, open the log manager eventvwr.msc\r\n  * todo\r\n  * [ ] Add some external log analysis tools, e.g.:\r\n    * [x] logparser (Microsoft)\r\n    * [ ] event log explorer (visual analysis tool)\r\n    * [ ] 观星平台 (Guanxing platform, one-click upload and analysis)\r\n\r\n8. Extension association backdoor check\r\n\r\n* assoc ; ftype txtfile \u0026 ftype exefile\r\n\r\n9. webshell detection todo\r\n   1. Traffic-based\r\n   2. File-based\r\n   3. Log-based\r\n\r\n0. \u003cfont color=green\u003e[Kill batch script](#1)\u003c/font\u003e\r\n\r\n![image-20210910142318432](./.assets/image-20210910142318432.png)\r\n\r\n\u003ca name=\"1\"\u003eIntroduction\u003c/a\u003e\r\n\r\nYou can define your own rules to automate:\r\n\r\n1. Ending scheduled tasks\r\n2. Stopping services (some EDRs still do not stop services cleanly, which leaves persistence in place)\r\n3. Killing malicious processes\r\n4. Deleting malicious files; malicious directories; files under malicious directories\r\n5. Deleting registry keys (sometimes the registry entries disappear on their own once the items above have been ended successfully)\r\n\r\nThe rules customized so far are as follows\r\n\r\nPS: every rule marked \"tested\" was run personally against the malware sample in a local virtual machine\r\n\r\n* Ransomware\r\n  * wannacry (tested)\r\n* Mining\r\n  * wannamine\r\n  * wannamine2.0\r\n  * wannamine3.0\r\n  * wannamine4.0 (tested)\r\n* Other: remote-control and botnet trojans, etc.\r\n  * 3601 (botnet trojan exploiting lpk.dll hijacking)\r\n\r\n![image-20210910142336418](./.assets/image-20210910142336418.png)\r\n\r\n[`: One-click close high-risk ports against lateral spread](#2)\r\n\r\n0: after adding your own rule, press 0 and then enter the file name of your rule, e.g. wannamine4.0\r\n\r\nHow to write a custom rule\r\n\r\n![image-20210910155801185](./.assets/image-20210910155801185.png)\r\n\r\n\u003e End scheduled task 1 (commented out, not executed)\r\n\u003e\r\n\u003e The service to stop is a name assembled from 3 segments (e.g. they can be concatenated into: WindowsUpdateService, NetworkTimeSSDP), aliased as ses1 so it can be referenced elsewhere\r\n\u003e\r\n\u003e Kill the dllhostex process\r\n\u003e\r\n\u003e Delete the malicious files C:\\Windows\\System32\\rdpkax.xsl, C:\\Windows\\System32\\dllhostex.exe, C:\\Windows\\System32\\!ses1!.dll, C:\\Windows\\SysWOW64\\!ses1!.dll, C:\\Windows\\SysWOW64\\dllhostex.exe; delete the malicious directory C:\\Windows\\NetworkDistribution\r\n\u003e\r\n\u003e Delete registry key 1 (commented out, not executed)\r\n\r\n\u003ca name=2\u003eOne-click close high-risk ports batch script\u003c/a\u003e\r\n\r\n![image-20210910161924862](.assets/image-20210910161924862.png)\r\n\r\n1. Block ports 135 137 138 139 445 (TCP) and 137 138 (UDP); an IPSEC security policy is used by default, and you can switch to a wf.msc (Windows Firewall with Advanced Security) policy to do the blocking\r\n2. When business needs require it or handling is complete, delete the blocking policy to reopen the blocked ports\r\n3. Export the security policy file locally so it can be imported on other machines in bulk\r\n4. Import the security policy exported in step 3\r\n\r\n## Project directory overview\r\n\r\nPath|Description\r\n---|---\r\narichive2tools:|Directory holding some designated compressed tools; after extraction they are released into the tools directory by default\r\ntools:|Location where the extracted tools are stored\r\n**main:**|Main program directory\r\n\u003cfont color=blue\u003e\"$.debug\"\u003c/font\u003e|Debug directory\r\n\u003cfont color=blue\u003e\".his\"\u003c/font\u003e|History folder\r\n\u003cfont color=blue\u003e\"evtx\"\u003c/font\u003e|Storage for the logparser analysis batch scripts\r\n\u003cfont color=blue\u003e\"log\"\u003c/font\u003e|All log records written while the batch scripts run\r\n\u003cfont color=blue\u003e\"vir\"\u003c/font\u003e|Directory for custom kill rules\r\n\u003cfont color=red\u003e\"auto_temp.cmd\"\u003c/font\u003e|Directly auto-runs the kill batch script for a given type of trojan\r\n\u003cfont color=red\u003e\"应急响应1.0.cmd\"\u003c/font\u003e|Main-function batch script\r\n\u003cfont color=red\u003e\"killvir1.0.cmd\"\u003c/font\u003e|Kill-function batch script\r\n\u003cfont color=red\u003e\"choosetools.cmd\"\u003c/font\u003e|Tool selection batch script\r\n\u003cfont color=red\u003e\"隔离-一键关闭高危端口choice版.bat\"\u003c/font\u003e|Batch script that uses choice for menu-driven closing of high-risk ports\r\n\u003cfont color=red\u003e\"隔离-一键关闭高危端口set版-1.1.bat\"\u003c/font\u003e|Batch script that handles high-risk ports\r\n\"choice.exe\"|Default command-line program for selection, included for Win2003 compatibility\r\n\"forfiles.exe\"|Default command-line program for directory traversal, included for Win2003 compatibility\r\n\"7zG.exe\"|Extraction program\r\n\"7z.dll\"|Required dynamic library the extraction program depends on\r\n\"wmicprocess.txt\"|All column fields of wmic process\r\n\r\n",
"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbinibini%2Femergency_response_batch","html_url":"https://awesome.ecosyste.ms/projects/github.com%2F0xbinibini%2Femergency_response_batch","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2F0xbinibini%2Femergency_response_batch/lists"}