
MIR-ROR - Incident Response Script


unsupported

Post Thu Jun 11, 2009 7:40 am

MIR-ROR - Incident Response Script

I just stumbled across the MIR-ROR (Motile Incident Response – Respond Objectively, Remediate) tool reported over at the ISC Storm Center as reviewed in June's ISSA journal (http://holisticinfosec.org/toolsmith/docs/june2009.pdf). It is a script which was created by a Microsoft IH guru and utilizes the Sysinternals utilities.

The script automates and consolidates the output from a variety of Windows and Sysinternals commands: net *, ipconfig, arp, netstat, nbtstat, systeminfo, tasklist, openfiles, driverquery, sc, at, set, ftype, assoc, and doskey from %systemroot%, and the remaining tools, autorunsc, handle, listdlls, logonsessions, now, psfile, psinfo, pslist, psloggedon, psloglist, psservice, seccheck, showacls, showpriv, sigcheck, srvinfo, and tcpvcon, from the Sysinternals utilities.

I am sure you could create a USB stick/CD and change the script to use known good Windows files, in case you do not trust the actual Windows executable (but then again, the output could lie).

If you are interested in more tool write-ups from ISSA, please visit http://holisticinfosec.org/content/view/12/26/.
-Un
CISSP, GCIH, GCIA, C|EH, Sec+, Net+, MCP
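
Added example (not part of the original post and not MIR-ROR's own code): the collection approach the post describes, running a subset of the listed commands only from a trusted tools directory and consolidating their output into one report. The `E:\` paths, the output file names and the command subset are assumptions.

```powershell
# Added example: run triage commands from trusted media only and consolidate
# their output. Paths, file names and the command subset are assumptions.
param(
    [string]$ToolsDir  = 'E:\tools',                   # hypothetical USB/CD holding known-good binaries
    [string]$ReportDir = "E:\cases\$env:COMPUTERNAME"  # hypothetical output folder, off the suspect disk
)

# Subset of the commands named in the post: executable first, then its arguments.
$commands = @(
    @('ipconfig.exe',  '/all'),
    @('arp.exe',       '-a'),
    @('netstat.exe',   '-ano'),
    @('tasklist.exe',  '/v'),
    @('autorunsc.exe', '-accepteula', '-a', '*'),
    @('pslist.exe',    '-accepteula', '-t'),
    @('tcpvcon.exe',   '-accepteula', '-a')
)

New-Item -ItemType Directory -Force -Path $ReportDir | Out-Null
$report   = Join-Path $ReportDir 'report.txt'
$manifest = Join-Path $ReportDir 'tools.sha256.txt'
"Collection started $(Get-Date -Format o) on $env:COMPUTERNAME" | Set-Content $report

foreach ($cmd in $commands) {
    $exe     = Join-Path $ToolsDir $cmd[0]
    $argList = @($cmd | Select-Object -Skip 1)
    Add-Content $report "`r`n===== $($cmd -join ' ') ====="

    if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
        # Never fall back to the copy on the suspect host's PATH.
        Add-Content $report "SKIPPED: $exe not found on trusted media"
        continue
    }

    # Record which binary produced this section so it can be compared
    # against known-good hashes afterwards.
    $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    Add-Content $manifest "$hash  $($cmd[0])"

    # Capture stdout and stderr together in the consolidated report.
    & $exe @argList 2>&1 | Out-String | Add-Content $report
}

# Hash the finished report so later modification is detectable.
(Get-FileHash -LiteralPath $report -Algorithm SHA256).Hash | Set-Content "$report.sha256"
```

PowerShell itself and the OS APIs these tools call still belong to the suspect host, so the caveat in the post applies: trusted binaries reduce, but do not remove, the chance that the output lies.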

venom77


Post Thu Jun 11, 2009 7:58 am

Re: MIR-ROR - Incident Response Script

Sounds pretty interesting, will have to check it out.

Or, you could create a Windows LiveCD to run it from :)

Jhaddix


Post Thu Jun 11, 2009 10:51 am

Re: MIR-ROR - Incident Response Script

This is really good... nice find, going on my IR USB stick

UNIX


Post Fri Jun 12, 2009 12:58 am

Re: MIR-ROR - Incident Response Script

Thanks for sharing this information; I haven't heard of MIR-ROR before. I guess this is another program that goes on my to-test list.
