MIR-ROR – Motile Incident Response remotely

MIR-ROR (Motile Incident Response – Respond Objectively, Remediate) is a command-line script specialized for security incident response. It calls specific Windows SysInternals tools, as well as some other useful tools, to provide live capture data for investigation.

You can easily enhance MIR-ROR to your liking with whatever command-line tools you find useful.
As an incident response resource, we've found it indispensable.
Windows SysInternals licensing prevents us from bundling the tools in a distribution package; you'll have to retrieve them yourself.

MIR-ROR can also be run on a honeypot, and its detailed logs can be correlated with the honeypot's own logs for a better picture of events and activities on the system.

How to use MIR-ROR:

mir-ror.cmd <tool drive letter> <target drive letter>

On the system under investigation, which we will refer to as <VICTIM system>, execute:

net use M: \\<MIR-ROR server>\IR

Logged on to <VICTIM system>, change directories to the M: drive and execute:

mir-ror.cmd c m

This will run MIR-ROR against <VICTIM system> but write the live capture results to <MIR-ROR server> at C:\tools\MIR-ROR\Livecap_<VICTIM system>.

Writing the results to the MIR-ROR server rather than to the victim's own disk keeps the capture from overwriting evidence on <VICTIM system>. Because the credentials used for the net use command are typed on a possibly compromised host, use a dedicated account that has rights to the IR share only and nothing else on the network.
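The following is an added example, not MIR-ROR's own code, of the kind of minimal live-capture wrapper the procedure above describes: it takes the same <tool drive letter> <target drive letter> arguments, writes to Livecap_<hostname> on the target drive, records the collection window so the capture can be lined up against other logs, runs a few SysInternals tools with -accepteula so they do not block on the licence dialog, and hashes every output file so later tampering with the capture is detectable. The tool names are real SysInternals and built-in Windows utilities; the directory layout, file names and collection order are assumptions made for illustration.

```batch
@echo off
REM livecap.cmd - added example of a MIR-ROR-style live capture wrapper.
REM Not MIR-ROR's own code. Usage mirrors the page's convention:
REM   livecap.cmd <tool drive letter> <target drive letter>
REM Assumption: SysInternals tools live at <tool drive>:\tools\ and
REM output goes to <target drive>:\tools\MIR-ROR\Livecap_<hostname>.

if "%~2"=="" (
    echo usage: %~nx0 ^<tool drive letter^> ^<target drive letter^>
    exit /b 1
)
set "TOOLS=%~1:\tools"
set "OUT=%~2:\tools\MIR-ROR\Livecap_%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"

REM Record the collection window first so the capture can be correlated
REM with other logs (for example a honeypot's sensor logs).
echo START %DATE% %TIME% > "%OUT%\00_collection_times.txt"
echo collected by %USERNAME% on %COMPUTERNAME% >> "%OUT%\00_collection_times.txt"

REM Collect in order of volatility: logons, processes, network, then persistence.
REM -accepteula stops each SysInternals tool from waiting on the licence dialog.
"%TOOLS%\psloggedon.exe" -accepteula          > "%OUT%\01_psloggedon.txt" 2>&1
"%TOOLS%\pslist.exe"     -accepteula -t       > "%OUT%\02_pslist.txt"     2>&1
"%TOOLS%\tcpvcon.exe"    -accepteula -a -n -c > "%OUT%\03_tcpvcon.csv"    2>&1
"%TOOLS%\listdlls.exe"   -accepteula          > "%OUT%\04_listdlls.txt"   2>&1
"%TOOLS%\autorunsc.exe"  -accepteula -a * -c  > "%OUT%\05_autorunsc.csv"  2>&1
netstat -ano                                  > "%OUT%\06_netstat.txt"    2>&1

echo END %DATE% %TIME% >> "%OUT%\00_collection_times.txt"

REM Hash every output file (built-in certutil, no extra tool needed) so the
REM capture can be verified later; skip the hash list itself.
for %%F in ("%OUT%\*.*") do (
    if /i not "%%~nxF"=="hashes.txt" certutil -hashfile "%%F" SHA256 >> "%OUT%\hashes.txt"
)
```

Run it exactly as the page runs mir-ror.cmd, from the mapped M: drive on <VICTIM system> (livecap.cmd c m), so the tools are loaded from the share and nothing but the hash list and captures are written, and those go to the server, not the victim's disk. Adding another tool is one more redirected line between the START and END timestamps.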

Prerequisites:

Windows SysInternals tools
Windows Server 2003 Resource Kit
Seccheck.exe

Operating systems supported:

Windows XP SP2 and above

Download MIR-ROR here
