MIR-ROR: Motile Incident Response – Respond Objectively, Remediate

MIR-ROR is a command-line script specialized for security incident response. It calls specific Windows SysInternals tools, as well as some other useful tools, to provide live capture data for investigation.
You can easily enhance MIR-ROR to your liking with whatever command line tools you find useful.
As an incident response resource, we’ve found it indispensable.
Windows SysInternals licensing prevents us from bundling the tools in a distribution package; you’ll have to retrieve them.
MIR-ROR can be installed on a honeypot, and its detailed logs can be correlated with other sources for better correlation of events and activities on the system.
How to use MIR-ROR:

Usage: mir-ror.cmd <tool drive letter> <target drive letter>

On the system to be examined, referred to below as the <VICTIM system>, execute the following:
Logged on to <VICTIM system>, change directories to the M: drive.
Execute: mir-ror.cmd c m
This will run MIR-ROR against <VICTIM system> but write the live capture results to <MIR-ROR server> at C:/tools/MIR-ROR/Livecap_<VICTIM system>.
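The calling convention above, shown as an added illustration rather than MIR-ROR's own script: a minimal cmd wrapper that takes the same two drive-letter arguments, writes every tool's output into a Livecap_<hostname> directory on the target drive, and keeps a log of who ran which command line and when, so the capture can later be reconciled with server or honeypot logs. It assumes the tools live under <tool drive>:\tools\MIR-ROR and that the output path mirrors the C:/tools/MIR-ROR/Livecap_<VICTIM system> layout described above; the Sysinternals tools and flags named (psloggedon, pslist -t, tcpvcon -a -n, handle -a, psinfo -h -s, autorunsc -a *) are from current Sysinternals documentation, and autorunsc option syntax has changed between versions, so check them against the versions you retrieved.

```batch
@echo off
setlocal EnableExtensions
REM Added illustration, not MIR-ROR's own script: a minimal live-capture
REM wrapper using the same calling convention,
REM   mir-ror.cmd <tool drive letter> <target drive letter>
REM Assumptions: tools live under <tool drive>:\tools\MIR-ROR and results
REM go to <target drive>:\tools\MIR-ROR\Livecap_<hostname>.
if "%~2"=="" (
    echo Usage: %~nx0 ^<tool drive letter^> ^<target drive letter^>
    exit /b 1
)
set "TOOLDRV=%~1"
set "TGTDRV=%~2"
REM Keep only the first character so "c" and "c:" both work.
set "TOOLS=%TOOLDRV:~0,1%:\tools\MIR-ROR"
set "OUT=%TGTDRV:~0,1%:\tools\MIR-ROR\Livecap_%COMPUTERNAME%"
if not exist "%OUT%" mkdir "%OUT%"
set "LOG=%OUT%\capture.log"

REM Record who ran the capture, where and when, so the timeline can be
REM reconciled with server or honeypot logs later.
>"%LOG%" echo Capture started %DATE% %TIME% on %COMPUTERNAME% by %USERNAME%

REM Most volatile data first (sessions, processes, network, handles),
REM static configuration last. -accepteula keeps the Sysinternals tools
REM from blocking on a license dialog on the system being examined.
call :run psloggedon.exe "-accepteula"
call :run pslist.exe "-accepteula -t"
call :run tcpvcon.exe "-accepteula -a -n"
call :run handle.exe "-accepteula -a"
call :run psinfo.exe "-accepteula -h -s"
call :run autorunsc.exe "-accepteula -a *"

>>"%LOG%" echo Capture finished %DATE% %TIME%
endlocal
exit /b 0

:run
REM %1 = tool file name, %2 = its argument string (quoted by the caller).
REM One output file per tool; a missing tool is logged, not fatal, so the
REM rest of the capture still runs.
>>"%LOG%" echo [%TIME%] %~1 %~2
if not exist "%TOOLS%\%~1" (
    >>"%LOG%" echo   missing tool: %TOOLS%\%~1
    goto :eof
)
"%TOOLS%\%~1" %~2 >"%OUT%\%~n1.txt" 2>&1
goto :eof
```

Run it from the mapped M: drive exactly as the steps above describe (mir-ror.cmd c m); the redirect-first form (>"%LOG%" echo ...) is used deliberately so a username or hostname ending in a digit is never mistaken by cmd for a stream-number redirect.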
Pre-requisites:
Windows SysInternals tools
Windows Server 2003 Resource Kit
Seccheck.exe
Operating systems supported:
Windows XP SP2 and above