MIR-ROR

Source code checked in, #70298

Project Collection Service Accounts — Mon, 01 Oct 2012 21:36:45 GMT

Upgrade: New Version of LabDefaultTemplate.xaml. To upgrade your build definitions, please visit the following link: http://go.microsoft.com/fwlink/?LinkId=254563

Source code checked in, #70297

Project Collection Service Accounts — Mon, 01 Oct 2012 21:31:58 GMT

Checked in by server upgrade

Created Issue: nfscopy v 0.69 issues [7104]

cachmon — Mon, 03 Sep 2012 07:13:02 GMT

Execution in Windows XP SP3 [August-2012 updated]

- The script exits after ntfscopy command, so script stops after first ntfscopy (line 104)
- Line 104: add -dst to define destination directory, error if no -dst
- Lots of copies failed:
(example: "failed: c:\windows\system32\config\systemprofile\Menu Inicio")

Created Issue: seccheck.exe [7058]

4n6ist — Fri, 03 Aug 2012 05:58:19 GMT

Can I get seccheck.exe? I have tried to access the specified location described on "fetch.txt", but it returns "404 Error File Not Found"

Thanks,

Created Issue: Updated Fetch File [6909]

jcolorossi — Wed, 25 Apr 2012 01:21:08 GMT

I was testing out the new MIR-ROR version and noted that the fetch page is missing the references to a number of tools (if by design due to licensing, you can just shoot me). I updated the fetch.txt file (maybe save you time) with the links and files below. I also included a note to copy Cygwin.dll for rifiuti.

NirSoft:
http://www.nirsoft.net/utils/winprefetchview.zip
http://www.nirsoft.net/utils/iehv.zip
http://www.nirsoft.net/utils/mozillahistoryview.zip
http://www.nirsoft.net/utils/chromecacheview.zip

Foundstone:

http://downloadcenter.mcafee.com/products/tools/foundstone/rifiuti.zip

7-Zip:

http://www.7-zip.org/download.html

Updated Release: MIR-ROR 2.0 (Mar 31, 2012)

RussMcRee — Thu, 12 Apr 2012 02:26:52 GMT

MIR-ROR 2.0
The v.2.0 release incorporates many updates provided by Jon Mark Allen (contributing developer).
Highlights include feature additions such as browser history collection, registry exports, prefetch view, recycle bin analysis, and 7z package creation.
See Changelog.txt included in MIR-RORv2.0.zip for all changes.
Thanks to Claus Valca for cleaning up fetch.txt (as of 4/11/12).

Released: MIR-ROR 2.0 (Mar 31, 2012)

Thu, 12 Apr 2012 02:26:52 GMT

Updated Release: MIR-ROR 2.0 (Mar 31, 2012)

RussMcRee — Thu, 12 Apr 2012 02:25:18 GMT

Closed Issue: Remote script available in the patches section [2585]

RussMcRee — Thu, 12 Apr 2012 02:19:23 GMT

Remote script
You can launch the mir-ror script in a remote machines to analyze each machine from your local machine and copy the results in other server,in this case, in a linux server to play with bash and logs. But you can put the logs whre you want....modify the final path.

Thanks!
Comments:

Closed Issue: Handle Windows Vista and above [3398]

RussMcRee — Thu, 12 Apr 2012 02:19:08 GMT

I think this should work for some basic version handling.

REM http://ss64.org/viewtopic.php?id=879
Setlocal
:: Get Windows version numbers
For /f "tokens=2 delims=[]" %%G in ('ver') Do (set _version=%%G)
For /f "tokens=2,3,4 delims=. " %%G in ('echo %_version%') Do (set _major=%%G& set _minor=%%H& set _build=%%I)

REM Echo Major version: %_major% Minor Version: %_minor%.%_build%

...

REM seccheck.exe not compatible with Vista or above
if "%_major%">="6" goto compromised_stage

ECHO Running seccheck on %COMPUTERNAME%.
now.exe [Running seccheck on %COMPUTERNAME%.] >> %2:\Livecap_%COMPUTERNAME%\MIR-ROR.log
seccheck > %2:\Livecap_%COMPUTERNAME%\seccheck.log
move SecCheckLog.txt %2:\Livecap_%COMPUTERNAME%\SecCheckLog.txt

:compromised_stage
ECHO.
ECHO The following stage assesses for compromised code or settings.
ECHO.

...
Comments:

Closed Issue: Identify installed software [4249]

RussMcRee — Thu, 12 Apr 2012 02:18:33 GMT

Add another block for this command:

wmic path Win32_Product get Name, Version > ...

Knowing that version 6.0 of Adobe Reader is installed can help you assess whether the machine was compromised :-).
Comments:

Updated Release: MIR-ROR 2.0 (Mar 31, 2012)

RussMcRee — Sat, 31 Mar 2012 23:53:04 GMT

Released: MIR-ROR 2.0 (Mar 31, 2012)

Sat, 31 Mar 2012 23:53:04 GMT

Updated Wiki: Home

RussMcRee — Thu, 22 Mar 2012 06:24:29 GMT

STATUS
While more attention is now being spent on Bryan's Confessor development, we've benefited from Jon Mark Allen's (ubahmapk) many contributions, giving MIR-ROR some much needed attention. Please feel free to submit via Issue Tracker and we'll review potential updates for future releases.

Project Description
MIR-ROR: Motile Incident Response – Respond Objectively, Remediate
MIR-ROR is a security incident response specialized, command-line script that calls specific Windows Sysinternals tools, as well as some other useful utilities, to provide live capture data for investigation.

You can easily enhance MIR-ROR to your liking with whatever command line tools you find useful.
For incident response resource, we’ve found it indispensable.
Windows Systinternals licensing prevents us from bundling the tools in a distribution package; you’ll have to retrieve them.
Download the complete Sysinternals Suite and unpack in a preferred directory on your system, then move the necessary tools listed in fetch.txt to a directory you create: C:\tools\MIR-ROR.

You can read the complete ISSA Journal article, MIR-ROR: Motile Incident Response – Respond Objectively, Remediate, here

Feel free to offer feedback; we hope this tool serves you well.

Russ McRee
Troy Larson
Jon Mark Allen

Closed Issue: Collect browser cookies [4593]

RussMcRee — Thu, 22 Mar 2012 06:22:12 GMT

Copy IE and Firefox browser cookies from all user profiles.

These cookies can then be inspected offline using Nirsoft's IECookiesView or MozillaCookiesView

http://www.nirsoft.net/utils/iecookies.html
http://www.nirsoft.net/utils/mzcv.html

(This modification currently depends on the alternate version detection code I listed in the version detection issue tracker thread, but can easily be modified if another method is used.)

ECHO.
ECHO ***************************************************************************
ECHO Collecting Cookies.
ECHO ***************************************************************************
ECHO.

now.exe [Collecting Cookies.] >> %LOGS%:\Livecap_%COMPUTERNAME%\MIR-ROR.log

IF %OSNAME% == XP GOTO XP_COOKIES
IF %OSNAME% == Vista GOTO VISTA_COOKIES
GOTO SKIP_COOKIES

:XP_COOKIES
ECHO Now collecting IE Cookies...
for /F %%i in ('dir /b "c:\Documents and Settings"') do @mkdir "%LOGS%:\Livecap_%COMPUTERNAME%\%%i_cookies" & xcopy /e /c /q /i /g /h /y "c:\Documents and Settings\%%i\Cookies" "%LOGS%:\Livecap_%COMPUTERNAME%\%%i_cookies" 2>> %LOGS%:\Livecap_%COMPUTERNAME%\MIR-ROR.log

IF NOT EXIST "C:\Program Files\Mozilla Firefox" GOTO FINISH_COOKIES
ECHO Now searching for Firefox profiles and gathering Firefox cookies.
ECHO.
ECHO !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ECHO This may generate some "The system cannot find the
ECHO path specified" error messages if a user doesn't
ECHO have a Firefox profile.
ECHO !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ECHO.

for /F %%u in ('dir /b "c:\Documents and Settings"') do for /F %%p in ('dir /b "c:\Documents and Settings\%%u\Application Data\Mozilla\Firefox\Profiles\"') do @copy /v /y "c:\Documents and Settings\%%u\Application Data\Mozilla\Firefox\Profiles\%%p\cookies.sqlite" "%LOGS%:\Livecap_%COMPUTERNAME%\mzcv_%%u_%%p_cookies.sqlite" 2>> %LOGS%:\Livecap_%COMPUTERNAME%\MIR-ROR.log

GOTO FINISH_COOKIES

:VISTA_COOKIES
ECHO Now collecting IE Cookies...
for /F %%i in ('dir /b c:\Users') do @mkdir "%LOGS%:\Livecap_%COMPUTERNAME%\%%i_cookies" & xcopy /e /c /q /i /g /h /y "c:\Users\%%i\AppData\Roaming\Microsoft\Windows\Cookies" "%LOGS%:\Livecap_%COMPUTERNAME%\%%i_cookies" 2>> %LOGS%:\Livecap_%COMPUTERNAME%\MIR-ROR.log

IF NOT EXIST "C:\Program Files\Mozilla Firefox" GOTO FINISH_COOKIES
ECHO Now searching for Firefox profiles and gathering Firefox cookies.
ECHO.
ECHO !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ECHO This may generate some "The system cannot find the
ECHO path specified" error messages if a user doesn't
ECHO have a Firefox profile.
ECHO !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
ECHO.

for /F %%u in ('dir /b c:\Users') do for /F %%p in ('dir /b c:\Users\%%u\AppData\Roaming\Mozilla\Firefox\Profiles\') do @copy /v /y "c:\Users\%%u\AppData\Roaming\Mozilla\Firefox\Profiles\%%p\cookies.sqlite" "%LOGS%:\Livecap_%COMPUTERNAME%\mzcv_%%u_%%p_cookies.sqlite" 2>> %LOGS%:\Livecap_%COMPUTERNAME%\MIR-ROR.log

GOTO FINISH_COOKIES

:SKIP_COOKIES
ECHO Unable to locate Cookie directories.
now.exe [Unable to locate Cookie directories.] >> %LOGS%:\Livecap_%COMPUTERNAME%\MIR-ROR.log

:FINISH_COOKIES
Comments: