CyberPolice.bat (25601B)
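@Echo Off
rem ======================================================================
rem CyberPolice.bat - interactive Windows hardening and audit helper.
rem
rem Run from an elevated console. Three modes are offered at startup:
rem   A  auto     runs every entry of the functions list in order, see :auto
rem   M  manual   prompts for one hardening action at a time, see :manual
rem   L  logging  prompts for one analysis action at a time, see :logging
rem
rem Expected layout beside this file. Everything is resolved from the
rem script's own directory, never from the current working directory:
rem   ConfigFiles\DefaultPassword.txt, FirewallRulesOFF.txt,
rem     RegistyHardenData.txt, BadWinFeatures.txt,
rem     lgpoTemplates\OSNAME\TEMPLATE\   LGPO.exe policy backups to apply
rem   PowershellScripts\*.ps1    VBScripts\*.wsf
rem   Tools\LGPO.exe             Tools\DISM[arch]\DISM\dism.exe
rem   cecho                      coloured echo helper used throughout
rem Everything written by the script goes under CyberPoliceOutput\.
rem
rem Security notes for the operator:
rem   - DefaultPassword.txt and ManagedUserOutput\authAdmins.txt contain
rem     plaintext credentials. Restrict NTFS permissions on the script folder.
rem   - Credentials are still passed to net.exe on the command line, which
rem     other local processes can observe. They are no longer echoed to the
rem     console, so console transcripts do not capture them.
rem   - Bundled Powershell scripts run with -ExecutionPolicy Bypass. Review
rem     PowershellScripts\ before trusting this tool on a host.
rem ======================================================================

SETLOCAL EnableDelayedExpansion

rem Names accepted by the manual prompt and run, in order, by auto mode.
set functions=checkfiles usermgmtff userprop services firewall features passwordpol audit lockout rdp power sessions shares checkdns uac windef backuplsp lsp regharden verifysys auto logging
rem Names accepted by the logging/analysis prompt.
set analysisFunctions=allgpo listgpos listdisabledgpos gpoinfo gporeport backupgpos logfirewall logservices logusers netstat backupeventlogs checksync manual

rem Captures a backspace character into DEL. Nothing in this file reads DEL;
rem it is kept for compatibility with any sibling script that expects it.
for /F "tokens=1,2 delims=#" %%a in ('"prompt #$H#$E# & echo on & for %%b in (1) do rem"') do (
    set "DEL=%%a"
)

echo CYBER POLICE are initializing...

rem The script directory is kept in basePath. The previous assignment to a
rem variable named "path" replaced the whole PATH, so bare tools such as reg,
rem netsh, systeminfo and auditpol only resolved when the working directory
rem happened to be System32. basePath is appended to PATH so helpers shipped
rem beside the script, e.g. cecho, still resolve without shadowing system
rem binaries.
set "basePath=%~dp0"
set "PATH=%PATH%;%basePath%"
if not exist "%basePath%CyberPoliceOutput" mkdir "%basePath%CyberPoliceOutput"
set "output=%basePath%CyberPoliceOutput"
set "powershellScriptPath=%basePath%PowershellScripts"
set "vbScriptPath=%basePath%VBScripts"
set "configPath=%basePath%ConfigFiles"
set "toolsPath=%basePath%Tools"
set "batchScripts=%basePath%BatchScripts"

rem Fully qualified system tools; these never depend on PATH.
set "powershellPath=%SYSTEMROOT%\System32\WindowsPowerShell\v1.0\powershell.exe"
set "wmicPath=%SystemRoot%\System32\Wbem\wmic.exe"
set "net=%SystemRoot%\system32\net.exe"
set "lgpo=%toolsPath%\LGPO.exe"

set "you=%username%"

rem Default password for accounts handled by :checkusers and :userError.
rem Delayed expansion is switched off around the assignment so a password
rem containing exclamation marks is stored verbatim. Each line read pushes
rem two setlocal frames; the file is expected to hold exactly one line.
for /f "usebackq tokens=*" %%A in ("%configPath%\DefaultPassword.txt") do (
    setlocal DisableDelayedExpansion
    set "password=%%A"
    setlocal enabledelayedexpansion
)

echo CYBER POLICE are making required directories...
if not exist "%output%\WindowsFeatures" mkdir "%output%\WindowsFeatures"
if not exist "%output%\gpoInfo" mkdir "%output%\gpoInfo"
if not exist "%output%\gpoInfo\gpoReports" mkdir "%output%\gpoInfo\gpoReports"
if not exist "%output%\logs" mkdir "%output%\logs"

rem Default OS folder for LSP templates; overwritten by :managelsp. The old
rem form with spaces around the equals sign created a variable whose name
rem ended in a space, so the default was never visible to :pickLspType.
set "lspEditOs=Windows10"

rem Redirect placed first so a value ending in a digit cannot be mistaken
rem for a file-handle number.
>"%output%\path.txt" echo %output%

echo The CYBER POLICE are running from: %basePath%

echo.
echo Checking if the CYBER POLICE have Administrative rights...
rem NET SESSION only succeeds in an elevated console; used as the admin probe.
NET SESSION >nul 2>&1
if %errorlevel%==0 (
    cecho {0a}CYBER POLICE are enforcing as admin!{#}
    echo.
) else (
    echo.
    cecho {0c}No admin!{#}
    echo.
    echo Please INITIATE the CYBER POLICE taskforce as admin
    echo There may be errors...
    cecho {0e}Here are some solutions that may work:{#}
    echo.
    cecho 1. Making a shortcut to the CyberPolice batch file.
    echo.
    cecho - Then going to the shortcut's propetries and appending:
    echo.
    cecho - runas /user:{0b}YourAdminUsername{#} /savecred
    echo.
    cecho - infront of the loaction of the CyberPolice file
    echo.
    cecho - Note: This error may still come up but the commands will work.
    echo.
    cecho Sometimes though it still says you lack permission to do things.
    echo.
    cecho 2. Check your Local Security Policies and Group Policies to see if they are affecting the program [theres a lot]
    echo.
    echo Press any key to continue...
    pause>nul
    echo.
)

echo Checking for powershell...
rem Reads the install flag and engine version from the registry; aborts when
rem Powershell is absent because most actions are implemented as .ps1 files.
FOR /F "tokens=3" %%A IN ('REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1" /v Install ^| FIND "Install"') DO SET PowerShellInstalled=%%A

IF NOT "%PowerShellInstalled%"=="0x1" (
    echo Powershell installed: false >"%output%\PowershellStatus.txt"
    cecho {0c}POWERSHELL NOT INSTALLED!{#}
    echo.
    cecho {0c}The CYBER POLICE can't enforce without it!{#}
    echo.
    pause>nul
    exit
)

FOR /F "tokens=3" %%A IN ('REG QUERY "HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine" /v PowerShellVersion ^| FIND "PowerShellVersion"') DO SET PowerShellVersion=%%A

echo Powershell installed: true Version: %PowerShellVersion% >"%output%\PowershellStatus.txt"
cecho {0a}Powershell is installed!!{#}
echo.
echo.
cecho Note: If you plan on using the Logging function you need {0b}cscript.exe{#}!
echo.
echo.

rem Host facts: OS name, CPU architecture and domain, each shown and saved.
for /f "delims=: tokens=2" %%a in ('systeminfo ^| find "OS Name"') do set os=%%a
for /f "tokens=* delims= " %%a in ("%os%") do set os=%%a
cecho {0b}The CYBER POLICE have detected {0d}%os% {0b}as host's OS{#}
echo.
>"%output%\OSVERSION.txt" echo %os%

rem PROCESSOR_ARCHITECTURE is an ordinary environment variable; reading it
rem directly replaces the old set-and-find substring dance.
set "proArc=%PROCESSOR_ARCHITECTURE%"
cecho {0b}The CYBER POLICE have detected {0d}%proArc% {0b}as host's CPU architecture{#}
echo.
>"%output%\CPUARCHITECTURE.txt" echo %proArc%

for /f "delims=: tokens=2" %%a in ('systeminfo ^| find "Domain:"') do set domain=%%a
for /f "tokens=* delims= " %%a in ("%domain%") do set domain=%%a
cecho {0b}The CYBER POLICE have detected {0d}%domain% {0b}as host's domain{#}
echo.
>"%output%\Domain.txt" echo %domain%

cecho {0b}Running as user {0a}%you%{#}
echo.
echo.

rem DISM is shipped per CPU architecture under Tools\.
set "dism=%toolsPath%\DISM%proArc%\DISM\dism.exe"

%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\CreateRestorePoint.ps1"
echo.
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\UserList.ps1"

echo.
cecho {0a}The CYBER POLICE have finished initializing!{#}
echo.
echo Press any key to begin CYBER POLICE OPS...
pause>nul

echo.
cecho {0e}Do you want [{0a}A{0e}]uto, [{0b}M{0e}]anual or [{0d}L{0e}]ogging/Analysis (Default is [{0b}M{0e}]anual){#}
echo.
set /p aus="[A/M/L]: "
if /i "%aus%"=="L" goto:logging
if /i "%aus%"=="A" goto:auto
goto:manual

:auto
rem Runs every hardening action unattended, except the ones :autoCheck skips.
for %%A in (%functions%) do call:autoCheck %%A
cecho {0a}The CYBER POLICE have finished running auto{#}
echo.
echo Press any key to switch to manual...
pause>nul
goto:manual

:autoCheck
rem Dispatches one auto-mode action. backuplsp is skipped because :lsp already
rem offers the backup; auto is skipped to avoid recursion. The list still
rem contains "logging", which drops into the interactive analysis prompt at
rem the end of an auto run.
if "%~1"=="backuplsp" (
    goto:EOF
)
if "%~1"=="auto" (
    goto:EOF
)
call:%~1
goto:EOF

:manual
rem Interactive loop: reads an action name, validates it against the
rem functions list and calls the matching label. Both sides of the comparison
rem are quoted so an empty or unusual answer cannot break the if.

echo.
cecho {07}Type {0b}exit {07}to {0c}exit {07}and {0b}help {07}for {0a}help{#}
echo.

set /p act="What should the CYBER POLICE do: "
if "%act%"=="exit" exit
if "%act%"=="help" (
    echo CYBER POLICE available actions:
    for %%F in (%functions%) do (
        cecho {0b}%%F{#}
        echo.
    )
    pause>nul
    goto:manual
)
for %%F in (%functions%) do (
    if "%%F"=="%act%" (
        cecho {0a}CYBER POLICE are executing {0b}%act%{#}
        echo.
        echo.
        call:%act%
        cecho {0a}CYBER POLICE have finished executing {0b}%act%{#}
        echo.
        goto:endOfManual
    )
)
cecho {0c}CYBER POLICE could not find {0b}%act% {0c}operation!{#}
echo.
:endOfManual
pause>nul
goto:manual

:logging
rem Same loop as :manual but for the read-only analysis actions.
echo.
cecho {07}Type {0b}exit {07}to {0c}exit {07}and {0b}help {07}for {0a}help{#} [analysis mode]
echo.
set /p act="What should the CYBER POLICE [Covert Ops] check: "
if "%act%"=="exit" exit
if "%act%"=="help" (
    echo CYBER POLICE [Covert Ops] available actions:
    for %%F in (%analysisFunctions%) do (
        cecho {0d}%%F{#}
        echo.
    )
    pause>nul
    goto:logging
)
for %%F in (%analysisFunctions%) do (
    if "%%F"=="%act%" (
        cecho {0a}CYBER POLICE [Covert Ops] are executing {0b}%act%{#}
        echo.
        echo.
        call:%act%
        cecho {0a}CYBER POLICE [Covert Ops] have finished executing {0b}%act%{#}
        echo.
        goto:endOfLogging
    )
)
cecho {0c}CYBER POLICE [Covert Ops] could not find {0b}%act% {0c}operation!{#}
echo.
:endOfLogging
pause>nul
goto:logging

:checkfiles
rem Builds the check-file directories and runs the bundled file audit script.
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\MakeCheckFileDirectories.ps1"
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\CheckFiles.ps1"
call:manualVerify "explorer.exe"
goto:EOF

:services
rem Snapshots processes, startup items and the HKLM Run key into
rem CyberPoliceOutput\Services for later comparison. The folder is created up
rem front so the first write does not have to go through the retry path.
echo The CYBER POLICE are checking services...
if not exist "%output%\Services" mkdir "%output%\Services"
call:servicesLoop "%wmicPath% process list brief>" "BriefProcesses.txt"
call:servicesLoop "%wmicPath% process list full>" "FullProcesses.txt"
call:servicesLoop "%wmicPath% startup list full>" "StartupLists.txt"
call:servicesLoop "net start>" "StartedProcesses.txt"
call:servicesLoop "reg export HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "Run.txt"
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\ProcessDMA.ps1"
call:manualVerify "services.msc"
goto:EOF

:servicesLoop
rem First argument: command prefix, ending in a redirect character for
rem commands whose output must be captured. Second argument: output file name.
rem Retries once through :createFile when the first write fails. The nested
rem errorlevel test uses delayed expansion; the plain form was expanded when
rem the outer block was parsed and never reflected the retry result.
rem NOTE(review): reg export prompts before overwriting an existing Run.txt;
rem the prefix form leaves no room to append a force flag.
%~1 "%output%\Services\%~2"
if %errorlevel%==1 (
    cecho {0e}%~2 failed to write!{#}
    echo.
    cecho {0e}Creating file and trying again...{#}
    echo.
    call :createFile "%output%\Services\%~2" "%~2"
    if !errorlevel!==1 (
        cecho {0c}%~2 could not be written to!{#}
        echo.
    ) else (
        cecho {0a}%~2 was successfully written to!{#}
        echo.
    )
) else (
    cecho {0a}%~2 was successfully written to!{#}
    echo.
)
goto:EOF

:windef
rem Turns on cloud reporting, automatic sample submission and network
rem protection in Microsoft Defender.
echo CYBER POLICE are setting windows defender settings...
%powershellPath% Set-MpPreference -MAPSReporting Advanced
%powershellPath% Set-MpPreference -SubmitSamplesConsent Always
%powershellPath% Set-MpPreference -EnableNetworkProtection Enabled
goto:EOF

:passwordpol
rem Applies length, age and history settings with net accounts. Complexity
rem and reversible encryption cannot be set from net accounts, hence the
rem manual prompt for secpol.msc.
echo The CYBER POLICE are setting a password policy...
net accounts /lockoutthreshold:5 /MINPWLEN:8 /MAXPWAGE:30 /MINPWAGE:15 /UNIQUEPW:15
cecho {0a}Password policy set!
echo.
cecho {0e}(NOTICE) The CYBER POLICE cannot set the following functions through script...
echo.
cecho {07}Password policy must meet complexity to {0b}enabled
echo.
cecho {07}Store passwords using reversible encryption to {0b}disabled{#}
echo.
call:manualVerify "secpol.msc"
goto:EOF

:lockout
rem Account lockout: 5 bad attempts within 30 minutes locks for 30 minutes.
echo The CYBER POLICE are setting a lockout policy...
echo.
net accounts /lockoutduration:30
net accounts /lockoutthreshold:5
net accounts /lockoutwindow:30
cecho {0a}The CYBER POLICE have successfully set a lockout policy{#}
echo.
call:manualVerify "secpol.msc"
goto:EOF

:audit
rem Enables success and failure auditing for every category. This is noisy;
rem make sure the Security log size is large enough to hold it.
echo The CYBER POLICE are setting auditing success and failure for all categories...
auditpol /set /category:* /success:enable
auditpol /set /category:* /failure:enable
cecho {0a}The CYBER POLICE have successfully set an audit policy{#}
echo.
call:manualVerify "secpol.msc"
goto:EOF

:lsp
rem Applies a bundled LGPO template to the Local Security Policy. Offers a
rem backup first because the template overwrites existing settings.
echo CYBER POLICE are starting Local Security Policy setup...
cecho {0e}(NOTICE) this will make changes to Local Secuity Policy. Things you have set may be changed.{#}
echo.
call:backuplsp
goto:managelsp

:managelsp
rem Lists the OS folders under lgpoTemplates and lets the operator pick one.
rem Folder names are read whole, so names with spaces are accepted.
echo.
cecho {0b}You are running {0d}%os%{#}
echo.
echo CYBER POLICE found these OS' that have available LSP files:
set i=0
for /f "usebackq delims=" %%G in (`dir "%configPath%\lgpoTemplates" /a:d /b`) do (
    set /a i+=1
    set "osChoices[!i!]=%%~G"
    cecho {0b}%%G{#}
    echo.
)
echo.
set osChoicesFiles=%i%

echo Select an os...
cecho {0e}(NOTE) input is case sensitive. {0c}(exit to exit){#}
echo.
set /p selOs="OS: "
if "%selOs%"=="exit" (
    cecho {0c}Local Security Policy was not configured{#}
    echo.
    call:manualVerify "secpol.msc"
    goto:EOF
)
for /L %%i in (1,1,%osChoicesFiles%) do (
    if "!osChoices[%%i]!"=="%selOs%" (
        cecho {0a}Os set to configure Local Security Policy is {0b}!osChoices[%%i]!{#}
        echo.
        set "lspEditOs=!osChoices[%%i]!"
        goto:pickLspType
    )
)
cecho {0b}%selOs% {0c}is not a valid os{#}
echo.
set /p aus="Continue? [Y/(N)]: "
if /i "%aus%" == "Y" goto:managelsp
echo.
goto:EOF

:pickLspType
rem Lists the template folders for the chosen OS and applies the selected
rem one with LGPO.exe /g.
cecho {08}CYBER POLICE found these LSP templates for {0b}%lspEditOs%{#}
echo.
set i=0
for /f "usebackq delims=" %%G in (`dir "%configPath%\lgpoTemplates\%lspEditOs%" /a:d /b`) do (
    set /a i+=1
    set "temChoices[!i!]=%%~G"
    cecho {0b}%%G{#}
    echo.
)
echo.
set temChoicesFiles=%i%

echo Select a LSP template...
cecho {0e}(NOTE) input is case sensitive. {0c}(exit to exit){#}
echo.
set /p selTem="LSP Template: "
if "%selTem%"=="exit" (
    cecho {0c}Local Security Policy was not configured{#}
    echo.
    call:manualVerify "secpol.msc"
    goto:EOF
)
for /L %%i in (1,1,%temChoicesFiles%) do (
    if "!temChoices[%%i]!"=="%selTem%" (
        cecho {0a}Set to configure Local Security Policy {0b}!temChoices[%%i]!{#}
        echo.
        %lgpo% /g "%configPath%\lgpoTemplates\%lspEditOs%\!temChoices[%%i]!" /v
        cecho {0a}The CYBER POLICE have now set {0b}%lspEditOs% {0a}Local Security Policy to {0b}!temChoices[%%i]!{#}
        echo.
        call:manualVerify "secpol.msc"
        goto:EOF
    )
)
cecho {0b}%selTem% {0c}is not a valid template{#}
echo.
set /p aus="Continue? [Y/(N)]: "
if /i "%aus%" == "Y" goto:pickLspType
echo.
goto:EOF

:backuplsp
rem Optional LGPO.exe backup of the current local policy into lgpoBackup\.
cecho {0b}A back up of secpol.msc will be created...{#}
echo.
set /p aus="Make backup? [Y/N]: "
if /i "%aus%" == "Y" (
    if not exist "%output%\lgpoBackup" mkdir "%output%\lgpoBackup"
    %lgpo% /b "%output%\lgpoBackup"
    cecho {0a}Backup of LSP created{#}
    echo.
) else (
    cecho {0c}Backup of LSP not created{#}
    echo.
)
goto:EOF

:firewall
rem Enables the firewall on all profiles, blocks all inbound on the public
rem profile, then disables every rule named in FirewallRulesOFF.txt. Lines
rem starting with # are comments. The first character is taken from a copy
rem of the line; a substring cannot be applied to a for variable directly,
rem which is why the previous check never matched.
echo The CYBER POLICE will now try to enable the firewall...
netsh advfirewall set allprofiles state on
netsh advfirewall set publicprofile firewallpolicy blockinboundalways,allowoutbound
cecho {0a}The CYBER POLICE have enabled the firewall{#}
echo.
echo The CYBER POLICE will now do some basic firewall hardening...
for /f "usebackq tokens=*" %%A in ("%configPath%\FirewallRulesOFF.txt") do (
    set "fwLine=%%A"
    set "comCheck=!fwLine:~0,1!"
    if "!comCheck!" neq "#" (
        netsh advfirewall firewall set rule name="%%A" new enable=no
    )
)
cecho {0a}The CYBER POLICE finished basic firewall hardening{#}
echo.
call:manualVerify wf.msc
goto:EOF

:regharden
rem Applies registry hardening lines from RegistyHardenData.txt, one
rem path:valueName:type:data entry per line; lines starting with # are
rem comments. Value name and data are quoted for reg add so entries with
rem spaces survive.
rem NOTE(review): the per-line endlocal pops a setlocal frame pushed at
rem startup; whether delayed expansion is still on afterwards depends on the
rem depth of that stack, so the delayed-expansion references below may not
rem expand on every host. Confirm on a test machine before relying on it.
echo The CYBER POLICE will do some system hardening through the registry...
for /f "usebackq tokens=*" %%A in ("%configPath%\RegistyHardenData.txt") do (
    endlocal & set "regLine=%%A"
    set comCheck=!regLine:~0,1!
    if "!comCheck!" neq "#" (
        for /f "tokens=1,2,3,4 delims=:" %%G in ("!regLine!") do (
            set regPath=%%G
            set regKey=%%H
            set regType=%%I
            set regVal=%%J
        )
        echo "Editing registry path !regPath!"
        cecho {07}Editing key {0b}!regKey!{#}
        echo.
        cecho {07}Editing variable type {0d}!regType!{#}
        echo.
        cecho {07}Applying value {0a}!regVal!{#}
        echo.
        reg add "!regPath!" /v "!regKey!" /t !regType! /d "!regVal!" /f
    )
)
call:manualVerify regedit.exe
goto:EOF

:groupPol
rem Placeholder: set a secure group policy. Returns immediately instead of
rem falling through into the next label.
goto:EOF

:eventview
rem Placeholder: filter and find sketchy events in event viewer.
goto:EOF

:userprop
rem Forces password-expires, password-changeable and password-required on
rem every account in users.txt except the one running the script, and makes
rem each of them change password at next logon. The comparison ignores case
rem because Windows user names do.
for /f "usebackq tokens=*" %%A in ("%output%\users.txt") do (
    if /i "%%A" neq "%you%" (
        echo.
        %wmicPath% UserAccount where Name='%%A' set PasswordExpires=True
        %wmicPath% UserAccount where Name='%%A' set PasswordChangeable=True
        %wmicPath% UserAccount where Name='%%A' set PasswordRequired=True
        %net% user "%%A" /logonpasswordchg:yes
        cecho {0a}Properties for {0b}%%A {0a}were changed{#}
        echo.
    )
)
call:manualVerify lusrmgr.msc
goto:EOF

:features
rem Disables every optional feature listed in BadWinFeatures.txt that is not
rem already disabled, recording feature states before and after plus the list
rem of features it disabled under WindowsFeatures\. Then stops WinRM, turns
rem off NetBIOS over TCP/IP where it was enabled, and removes SMB1 and
rem Powershell v2. wfStatus is cleared per feature so a failed lookup cannot
rem reuse the previous feature's state.
set "wfOutput=%output%\WindowsFeatures"
echo CYBER POLICE are making list of the status of current Windows features...
%dism% /online /Get-Features>"%wfOutput%\StatusWFBefore.txt"
>"%wfOutput%\DisabledWinFeatures.txt" echo.
cecho {0a}List has been made!{#}
echo.
echo CYBER POLICE will now look at windows features...
for /f "usebackq tokens=*" %%A in ("%configPath%\BadWinFeatures.txt") do (
    cecho {07}CYBER POLICE are looking at feature {0b}%%A{#}
    echo.
    set "wfStatus="
    for /f "tokens=2 delims=:" %%B in ('%dism% /online /get-featureinfo /featurename:%%A ^| Find "State"') do set wfStatus=%%B
    for /f "tokens=* delims= " %%C in ("!wfStatus!") do set wfStatus=%%C

    cecho {0b}%%A{07}'s current status is {0b}!wfStatus!{#}
    echo.
    if "!wfStatus!" == "Disabled" (
        cecho {0e}No need to disable {0b}%%A{#}
        echo.
    ) else (
        >>"%wfOutput%\DisabledWinFeatures.txt" echo %%A
        %dism% /online /disable-feature /featurename:%%A
        cecho {0a}Disabled feature {0b}%%A{#}
        echo.
    )
)
%dism% /online /Get-Features>"%wfOutput%\StatusWFAfter.txt"
echo CYBER POLICE are stopping misc connections...
net stop WinRM
%wmicPath% /interactive:off nicconfig where TcpipNetbiosOptions=1 call SetTcpipNetbios 2
%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol
%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2
%powershellPath% Disable-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2Root
cecho {0a}CYBER POLICE are done finding bad Windows features{#}
echo.
goto:EOF

:usermgmtff
rem Reconciles local accounts against ManagedUserOutput\authAdmins.txt, one
rem "user password" pair per line, and authUsers.txt, one user per line:
rem listed admins and users are created or updated, and every other enabled
rem account from users.txt is disabled by :checkcurrusers.
rem NOTE(review): the endlocal lines inside the admins loop pop setlocal
rem frames pushed at startup; the delayed-expansion state after them is not
rem obvious from this file. Confirm on a test host before an auto run.
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\ManageUsersFromFile.ps1"
echo Finding current users...
set "uOutDir=%output%\ManagedUserOutput"
break>"!uOutDir!\enabledUsers.txt"
for /f "usebackq tokens=*" %%A in ("%output%\users.txt") do (
    for /f "tokens=3 delims= " %%B in ('%net% user "%%A" ^| Find "active"') do set userStatus=%%B
    if "!userStatus!"=="No" (
        cecho {0b}%%A {07}account is {0b}Disabled{#}
        echo.
    ) else (
        cecho {0b}%%A {07}account is {0b}Enabled{#}
        echo.
        >>"!uOutDir!\enabledUsers.txt" echo %%A
    )
)
echo.
echo The CYBER POLICE are now applying admins...
for /f "usebackq tokens=*" %%A in ("%uOutDir%\authAdmins.txt") do (
    endlocal & set "line=%%A"
    for /f "tokens=1 delims= " %%C in ("!line!") do (
        endlocal & set "user=%%C"
    )
    for /f "tokens=2 delims= " %%C in ("!line!") do (
        endlocal & set "pass=%%C"
    )
    call:checkusersadmin !user! !pass!
)
echo The CYBER POLICE are now applying users...
for /f "usebackq tokens=* delims=" %%A in ("%uOutDir%\authUsers.txt") do (
    call:checkusers %%A !password!
)
echo CYBER POLICE are checking users...
for /f "usebackq tokens=*" %%A in ("%uOutDir%\enabledUsers.txt") do (
    call:checkcurrusers %%A
)
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\UserList.ps1"
call:manualVerify lusrmgr.msc
goto:EOF

:checkcurrusers
rem Disables the account in the first argument unless it appears in
rem authAdmins.txt or authUsers.txt. The account running the script is never
rem disabled, matching the exclusion in :userprop; locking out the operator
rem mid-run would leave the host half-configured.
if /i "%~1"=="%you%" (
    cecho {0b}%~1 {0e}is the running account, skipping{#}
    echo.
    goto:EOF
)
for /f "usebackq tokens=* delims=" %%B in ("%uOutDir%\authAdmins.txt") do (
    endlocal & set "line=%%B"
    for /f "tokens=1 delims= " %%C in ("!line!") do (
        endlocal & set "userChk=%%C"
        if "%~1"=="!userChk!" (
            cecho {0b}%~1 {0a}found!{#}
            echo.
            goto:EOF
        )
    )
)
for /f "usebackq tokens=* delims=" %%D in ("%uOutDir%\authUsers.txt") do (
    set userChk=%%D
    if "%~1"=="!userChk!" (
        cecho {0b}%~1 {0a}found{#}
        echo.
        goto:EOF
    )
)

cecho {0b}%~1 {0c}not found{#}
echo.
cecho {0e}Disabling {0b}%~1{#}
echo.
net user %~1 /active:no
goto:EOF

:checkusersadmin
rem First argument: user name, second: password from authAdmins.txt. Sets the
rem password on an existing enabled account or creates the account, then adds
rem it to Administrators. The password is deliberately not printed.
rem NOTE(review): the ERRORLEVEL test inside the loop is expanded when the
rem block is parsed, so it reflects the state before net user ran; the two
rem endlocal lines at the top make the delayed-expansion alternative
rem uncertain here.
endlocal & set "user=%~1"
endlocal & set "pass=%~2"
for /f "usebackq tokens=*" %%B in ("!uOutDir!\enabledUsers.txt") do (
    if "!user!"=="%%B" (
        cecho {0b}!user! {0a}admin found{#}
        echo.
        cecho {07}Giving {0b}!user! {07}password{#}
        echo.
        net user !user! !pass!
        if %ERRORLEVEL% neq 0 (
            call:userError !user!
        )
        cecho {07}Managing {0b}!user! {07}admin{#}
        echo.
        %net% localgroup "Administrators" "!user!" /add
        goto:EOF
    )
)
cecho {0b}!user! {0c}admin not found{#}
echo.
cecho {07}Creating {0b}!user! {07}and giving password{#}
echo.
%net% user "!user!" "!pass!" /add
if %ERRORLEVEL% neq 0 (
    call:userError !user!
)
cecho {07}Managing {0b}!user! {07}admin{#}
echo.
%net% localgroup "Administrators" "!user!" /add
goto:EOF

:checkusers
rem First argument: user name, second: the default password. Sets the
rem password on an existing enabled account or creates the account, adds it
rem to Users and removes it from Administrators. The password is not printed.
endlocal & set "user=%~1"
endlocal & set "pass=%~2"
for /f "usebackq tokens=*" %%B in ("!uOutDir!\enabledUsers.txt") do (
    if "!user!"=="%%B" (
        cecho {0b}!user! {0a}found{#}
        echo.
        cecho {07}Giving {0b}!user! {07} password{#}
        echo.
        net user !user! !pass!
        cecho {07}Managing {0b}!user! {07}user{#}
        echo.
        %net% localgroup "Users" "!user!" /add
        %net% localgroup "Administrators" "!user!" /delete
        goto:EOF
    )
)
cecho {0b}!user! {0c}not found{#}
echo.
cecho {07}Creating {0b}!user! {07}with password{#}
echo.
echo.
%net% user "!user!" "!pass!" /add
cecho {07}Managing {0b}!user! {07}user{#}
echo.
%net% localgroup "Users" "!user!" /add
%net% localgroup "Administrators" "!user!" /delete
goto:EOF

:userError
rem Recovery path when setting or creating the account in the first argument
rem failed. Offers to fall back to the default password: an existing account
rem gets its password reset, otherwise the account is created. The old code
rem always used /add, which fails for an account that already exists.
cecho {0c}Looks like there was an error configuring {0b}%~1{#}
echo.
cecho {0e}It could be a password problem...{#}
echo.
cecho {0e}Change thier password to a default password, user might not be created if No (Default is Yes){#}
echo.
set /p aus="[Y/N]: "
if /i "%aus%" neq "N" (
    cecho {07}Using the default password from DefaultPassword.txt{#}
    echo.
    %net% user "%~1" "!password!" || %net% user "%~1" "!password!" /add

) else (
    cecho {0b}%~1 {0c}was not created{#}
    echo.
)
%net% user %~1 /active:yes
goto:EOF

:sessions
rem Lists and saves the SMB sessions open against this host.
echo The CYBER POLICE will display connected remote sessions
net session
net session >"%output%\CurrentRemoteSessions.txt"
cecho {0a}Sessions are done showing{#}
echo.
goto:EOF

:rdp
rem Enables or disables Remote Desktop and its firewall rule group. The
rem answer is compared quoted and case-insensitively; an empty answer loops
rem back as the prompt promises instead of breaking the if.
echo The CYBER POLICE will manage Remote Desktop...
cecho {0e}Enable remote desktop (Default will loop back){#}
echo.
set /p rdpChk="[Y/N]:"
if /i "%rdpChk%"=="y" (
    echo Enabling remote desktop...
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 1 /f
    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
    netsh advfirewall firewall set rule group="remote desktop" new enable=yes
    cecho {07}The CYBER POLICE suggest you check{#}
    echo.
    cecho {0b}Allow connections only from computers running Remote Desktop with Network Level Authentication{#}
    echo.
    call:manualVerify SystemPropertiesRemote.exe
    pause>nul
    cecho {0a}The CYBER POLICE enabled RDP{#}
    echo.
    goto:EOF
)
if /i "%rdpChk%"=="n" (
    echo Disabling remote desktop...
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v AllowTSConnections /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fAllowToGetHelp /t REG_DWORD /d 0 /f
    reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f
    netsh advfirewall firewall set rule group="remote desktop" new enable=no
    cecho {0a}The CYBER POLICE disabled RDP{#}
    echo.
    goto:EOF
)
cecho {0c}Invalid input {0b}%rdpChk%{#}
echo.
goto rdp

:secRDP
rem Placeholder: secure rdp.
goto:EOF

:power
rem Requires a password on resume for the balanced, power saver and high
rem performance schemes while on battery.
echo the CYBER POLICE are setting power settings...
powercfg -SETDCVALUEINDEX SCHEME_BALANCED SUB_NONE CONSOLELOCK 1
powercfg -SETDCVALUEINDEX SCHEME_MIN SUB_NONE CONSOLELOCK 1
powercfg -SETDCVALUEINDEX SCHEME_MAX SUB_NONE CONSOLELOCK 1
cecho {0a}The CYBER POLICE set power settings!{#}
echo.
goto:EOF

:shares
rem Lists and saves the shares exposed by this host.
echo The CYBER POLICE are logging shares...
net share
net share >"%output%\shares.txt"
cecho {0a}Shares have been logged{#}
echo.
echo.
call:manualVerify fsmgmt.msc
goto:EOF

:uac
rem Turns User Account Control back on; takes effect after a reboot.
echo The CYBER POLICE are enabling UAC...
reg ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 1 /f
cecho {0a}The CYBER POLICE have enabled UAC{#}
echo.
goto:EOF

:verifysys
rem Read-only system file integrity scan; does not repair anything.
echo "CYBER POLICE are verifying system files..."
cecho {0e}This will take a while, get a snack...{#}
echo.
sfc /verifyonly
cecho {0a}CYBER POLICE are finally done{#}
echo.
goto:EOF

:checkdns
rem Saves the resolver cache and the hosts file, flushes the cache and then
rem empties the hosts file. The copy in CurrentHOSTS.txt is the only record
rem of what was there, so review it before assuming every entry was hostile.
rem The file is truncated with type nul; a bare echo redirect wrote the text
rem "ECHO is off." into it instead of clearing it.
set "hostsFile=%SystemRoot%\System32\drivers\etc\hosts"
echo The CYBER POLICE will display current dns...
ipconfig /displaydns
ipconfig /displaydns >"%output%\CurrentDNS.txt"
cecho {0d}Output ends here{#}
echo.
echo The CYBER POLICE will display hosts file
type "%hostsFile%"
type "%hostsFile%" >"%output%\CurrentHOSTS.txt"
cecho {0d}Output ends here{#}
echo.
echo The CYBER POLICE will now flush dns...
ipconfig /flushdns
cecho {0a}The CYBER POLICE have flushed dns{#}
echo.
echo The CYBER POLICE will now clear C:\Windows\System32\drivers\etc\hosts...
attrib -r -s "%hostsFile%"
type nul >"%hostsFile%"
attrib +r +s "%hostsFile%"
cecho {0a}The CYBER POLICE have cleared the HOSTS file{#}
echo.
goto:EOF

:allgpo
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\AllGPOs.ps1"
goto:EOF

:backupgpos
rem Backs up every GPO in the detected domain into gpoBackups\.
if not exist "%output%\gpoBackups" mkdir "%output%\gpoBackups"
cscript.exe "%vbScriptPath%\BackupAllGPOs.wsf" "%output%\gpoBackups" /Comment:"Cyber Police Backup" /Domain:%domain%
goto:EOF

:listgpos
rem Dumps GPO names and IDs, then extracts each "Name:" line into
rem gpoInfo\Gpos.txt. Each name is written with one trailing space, which
rem :gpoinfo strips again; keep the two in step.
cscript.exe "%vbScriptPath%\ListAllGPOs.wsf" >"%output%\gpoInfo\GposInfoNameAndIDs.txt"
cscript.exe "%vbScriptPath%\ListAllGPOs.wsf" /v >"%output%\gpoInfo\GposInfoNameAndIDsVerbose.txt"
cecho If you want to delete a GPO run {0a}Remove-GPO -Name {0b}[name]{#} in powershell{#}
echo.
break>"%output%\gpoInfo\Gpos.txt"
echo GPOs in this domain:
for /f "usebackq tokens=* delims=" %%i in ("%output%\gpoInfo\GposInfoNameAndIDs.txt") do (
    echo.%%i|findstr /C:"Name:" >nul 2>&1
    if not errorlevel 1 (
        for /f "delims=: tokens=2" %%j in ("%%i") do set gponame=%%j
        set gponame=!gponame:~1!
        cecho {0b}!gponame!{#}
        echo.
        echo !gponame! >> "%output%\gpoInfo\Gpos.txt"
    )
)
echo.
goto:EOF

:listdisabledgpos
cscript.exe "%vbScriptPath%\FindDisabledGPOs.wsf"
goto:EOF

:gpoinfo
rem Prints detailed info for every GPO listed by :listgpos. The substring
rem removes the trailing space :listgpos writes after each name.
echo Getting all GPOS...
call:listgpos
for /f "usebackq tokens=* delims=" %%a in ("%output%\gpoInfo\Gpos.txt") do (
    set currgpo=%%a
    set currgpo=!currgpo:~0,-1!
    cecho {0d}Getting {0b}!currgpo!{0d} info{#}
    echo.
    cscript.exe "%vbScriptPath%\DumpGPOInfo.wsf" "!currgpo!"
    cecho {0d}End of {0b}!currgpo!{0d} info...{#}
    echo.
)
goto:EOF

:gporeport
rem Writes an HTML/XML report per GPO into gpoInfo\gpoReports.
rem %powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\GPOReport.ps1"
cscript.exe "%vbScriptPath%\GetReportsForAllGPOs.wsf" "%output%\gpoInfo\gpoReports"
goto:EOF

:logfirewall
rem Logs firewall state via the bundled script and exports the full policy.
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\LogFirewall.ps1"
netsh advfirewall export "%output%\logs\fwBackup.wfw"
goto:EOF

:logservices
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\LogServices.ps1"
goto:EOF

:netstat
rem Listening sockets with owning process and executable; needs elevation.
netstat -abno
netstat -abno >"%output%\logs\netstatlog.txt"
goto:EOF

:checksync
rem Domain controller health summary; only meaningful on a DC.
dcdiag /q
dcdiag /q >"%output%\logs\synclog.txt"
goto:EOF

:logusers
net user
net user >"%output%\logs\userlog.txt"
goto:EOF

:backupeventlogs
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\SaveEventLogs.ps1"
goto:EOF

:createFile
rem First argument: full path to create, second: bare file name. Delegates to
rem CreateFile.ps1; its exit code is what :servicesLoop checks.
%powershellPath% -ExecutionPolicy Bypass -File "%powershellScriptPath%\CreateFile.ps1" "%~1" "%~2"
goto:EOF

:manualVerify
rem Offers to open the console or tool named in the first argument and then
rem waits for a keypress. start is given an empty title so a quoted argument
rem is not mistaken for one; the old trailing /wait was passed to the launched
rem program rather than to start, so nothing ever waited on it.
cecho {0b}Do you want to manually look at %~1 (Default is No){#}
echo.
set /p aus="[Y/N]: "
if /i "%aus%" neq "Y" goto:EOF
echo Running %~1...
echo.
start "" %~1
echo.
cecho {0e}Press any key to let the CYBER POLICE continue...{#}
echo.
pause >nul
goto:EOF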