Title: MIR-ROR - Incident Response Script
Post by: unsupported on June 11, 2009, 07:40:09 AM

I just stumbled across the MIR-ROR (Motile Incident Response – Respond Objectively, Remediate) tool reported over at the ISC Storm Center as reviewed in June's ISSA journal (http://holisticinfosec.org/toolsmith/docs/june2009.pdf). It is a script which was created by a Microsoft IH guru and utilizes the Sysinternals utilities. The script automates and consolidates the output from a variety of Windows and Sysinternals commands: net *, ipconfig, arp, netstat, nbtstat, systeminfo, tasklist, openfiles, driverquery, sc, at, set, ftype, assoc, and doskey from the %systemroot%, and the remaining tools, autorunsc, handle, listdlls, logonsessions, now, psfile, psinfo, pslist, psloggedon, psloglist, psservice, seccheck, showacls, showpriv, sigcheck, srvinfo, and tcpvcon, from the Sysinternals utilities.

I am sure you could create a USB stick/CD and change the script to use known good Windows files, in case you do not trust the actual Windows executable (but then again, the output could lie).

If you are interested in more tool write-ups from ISSA, please visit http://holisticinfosec.org/content/view/12/26/.

Title: Re: MIR-ROR - Incident Response Script
Post by: BillV on June 11, 2009, 07:58:09 AM

Sounds pretty interesting, will have to check it out.
Or, you could create a Windows LiveCD to run it from :)

Title: Re: MIR-ROR - Incident Response Script
Post by: Jhaddix on June 11, 2009, 10:51:56 AM

This is really good.... nice find, going on my IR USB stick

Title: Re: MIR-ROR - Incident Response Script
Post by: UNIX on June 12, 2009, 12:58:01 AM

Thanks for sharing this information, haven't heard of MIR-ROR before. I guess this is another program which comes on my to-test-list.
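
The approach the first post describes, running the built-in commands from known-good copies and consolidating the output into one report, shown as an added PowerShell example; it is not MIR-ROR's code or anything posted in this thread. The `E:\` paths, the command arguments and the report layout are assumptions, and `Get-FileHash` needs PowerShell 4.0 or later.

```powershell
# Added example: a hypothetical collector, not MIR-ROR's code.
param(
    [string]$ToolDir = 'E:\trusted-bin',  # assumed path: known-good copies on read-only media
    [string]$OutDir  = 'E:\ir-output'     # assumed path: keep results off the suspect disk
)

# Subset of the built-in commands named in the post; arguments are chosen for this example.
$commands = @(
    @{ Exe = 'ipconfig.exe';    Arguments = @('/all') },
    @{ Exe = 'arp.exe';         Arguments = @('-a') },
    @{ Exe = 'netstat.exe';     Arguments = @('-ano') },
    @{ Exe = 'nbtstat.exe';     Arguments = @('-c') },
    @{ Exe = 'systeminfo.exe';  Arguments = @() },
    @{ Exe = 'tasklist.exe';    Arguments = @('/svc') },
    @{ Exe = 'driverquery.exe'; Arguments = @('/v') },
    @{ Exe = 'sc.exe';          Arguments = @('query') },
    @{ Exe = 'net.exe';         Arguments = @('share') }
)

$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$report = Join-Path $OutDir "$env:COMPUTERNAME-$stamp.txt"

foreach ($c in $commands) {
    # Prefer the copy on trusted media; fall back to the host's binary and flag it in the report.
    $trusted = Join-Path $ToolDir $c.Exe
    if (Test-Path -LiteralPath $trusted) { $path = $trusted; $origin = 'trusted media' }
    else { $path = Join-Path $env:SystemRoot "System32\$($c.Exe)"; $origin = 'HOST BINARY (untrusted)' }

    if (-not (Test-Path -LiteralPath $path)) {
        Add-Content -Path $report -Value "=== $($c.Exe): not found, skipped ==="
        continue
    }
    # Record which binary produced the output so it can be checked against a known-good hash later.
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    Add-Content -Path $report -Value "=== $($c.Exe) $($c.Arguments -join ' ') | $origin | SHA256 $hash ==="
    $output = & $path @($c.Arguments) 2>&1 | Out-String
    Add-Content -Path $report -Value $output
}

# Hash the finished report so later changes to it are detectable.
$reportHash = (Get-FileHash -LiteralPath $report -Algorithm SHA256).Hash
Set-Content -Path "$report.sha256" -Value "$reportHash  $(Split-Path $report -Leaf)"
```

Known-good binaries still query the running kernel and load the host's DLLs, so the first post's caveat that the output could lie applies to this collector as well.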