
IRAC Scripts

Last post 09-08-2006, 4:54 PM by Chris. 0 replies.

    Hi All,

    I had a little spare time recently (long flights) and wanted to create some more useful "out of the box" example scripts. As many of you know, the existing "React.pl" script demonstrates how ProDiscover IR can be fully automated to collect information and perform many Incident Response functions across the network.

    What I came up with is two variations of IRAC.pl (Incident Response and Collection). The first of the scripts works much like React.pl, but adds some more error checking, and real world functions such as enumerating disk, etc.

    In Summary React.pl will:

    - Take a single parameter (Remote IP Address).

    - Push out the Windows Remote Agent.

    - Connect to the Remote Agent.

    - Enumerate all the disks and add them to the project

    - Collect all the remote processes running.

    - Collect all the items from the IR Menu System State Option.

    - Collect all open IP end points.

    - Search for all the specific files listed in the "IRACArtifacts.sts" file. The file is prepopulated with a few items such as the pagefile.sys and hiberfil.sys.

    - Mark all search results as items of interest.

    - Extract all items of interest.

    - Collect a physical memory image.

    - Collect a physical BIOS image.

    - Export the report to RTF format.

    - Save the project report.

    - Disconnect from the remote system.

    - Remove the remote agent.

    The second script React2.pl will perform all the functions as above but will read an IRACHosts.log for a list of IP addresses and perform the functions on all listed IP Addresses.

    Both scripts and all the support files have been added in the attached zip file.

    To Do: There is plenty of room for improvement to these scripts, but they should be very useful as is. Please feel free to add more error checking and functions to these on your next long flight and post for others to use.
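The host-list loop that React2.pl adds is the part of the post that can be shown without the ProDiscover API, so here is an added example of it. This is not one of the attached scripts and not the author's code: it reads an IRACHosts.log, validates each entry as an IPv4 address, and runs a per-host collection routine inside an eval so that one host that fails (agent push refused, timeout) does not abort collection on the rest. The per-host routine is passed in as a code reference; `demo_collect` is a stand-in that only exercises the error handling, and the sample IRACHosts.log contents are constructed for the demonstration. `File::Temp` is core Perl.

```perl
#!/usr/bin/perl
# Added example, not one of the attached IRAC scripts: a host-list driver in
# the spirit of React2.pl. It reads an IRACHosts.log, validates every entry
# as an IPv4 address, and runs a per-host collection routine inside eval so
# that one unreachable host does not abort the run for the others. The routine
# that would do the ProDiscover work is passed in as a code reference; the
# stand-in below only demonstrates the error handling (assumed, not the API).
use strict;
use warnings;
use File::Temp qw(tempfile);

# Strict dotted-quad check: four decimal octets 0..255, no leading zeros.
sub is_ipv4 {
    my ($s) = @_;
    my @octets = split /\./, $s, -1;     # -1 keeps trailing empty fields
    return 0 unless @octets == 4;
    for my $o (@octets) {
        return 0 unless $o =~ /^(?:0|[1-9][0-9]{0,2})$/ && $o <= 255;
    }
    return 1;
}

# Read the host list: one address per line; blank lines and '#' comments are
# ignored, duplicates are collected once. Returns (\@valid, \@rejected) so
# bad entries are reported rather than silently skipped.
sub read_host_list {
    my ($path) = @_;
    open my $fh, '<', $path or die "cannot open host list '$path': $!\n";
    my (@valid, @rejected, %seen);
    while (my $line = <$fh>) {
        chomp $line;
        $line =~ s/#.*//;               # strip trailing comment
        $line =~ s/^\s+|\s+$//g;        # trim surrounding whitespace
        next if $line eq '';
        if (!is_ipv4($line)) { push @rejected, $line; next }
        next if $seen{$line}++;
        push @valid, $line;
    }
    close $fh;
    return (\@valid, \@rejected);
}

# Run $collect->($ip) for each host. A die() inside the collector is caught,
# recorded and logged, and the loop moves on. Returns { ip => status }.
sub run_all {
    my ($hosts, $collect) = @_;
    my %status;
    for my $ip (@$hosts) {
        my $ok = eval { $collect->($ip); 1 };
        my $err = $@; chomp $err;
        $status{$ip} = $ok ? 'ok' : "failed: $err";
        # Log as we go so a hang on one host is visible in the run log.
        printf STDERR "%s %-15s %s\n", scalar(localtime), $ip, $status{$ip};
    }
    return \%status;
}

# Stand-in for the per-host React.pl sequence (push agent, connect, enumerate
# disks, collect processes/state/endpoints, search artifacts, image memory
# and BIOS, report, disconnect, remove agent). It fails for one constructed
# address to show that the driver isolates the failure.
sub demo_collect {
    my ($ip) = @_;
    die "remote agent did not respond\n" if $ip eq '10.0.0.3';
    return 1;
}

# Constructed IRACHosts.log contents for the demonstration.
my ($tmp, $path) = tempfile(UNLINK => 1);
print $tmp <<'END';
# IRACHosts.log (constructed sample)
10.0.0.2
10.0.0.3      # made to fail in demo_collect
10.0.0.2      # duplicate, collected once
10.0.0.300    # invalid octet, rejected
host-a.local  # not an address; IRACHosts.log holds IPs only
END
close $tmp;

my ($hosts, $bad) = read_host_list($path);
print "rejected entry: $_\n" for @$bad;
my $status = run_all($hosts, \&demo_collect);
my $failed = grep { $status->{$_} ne 'ok' } keys %$status;
printf "%d host(s) collected, %d failed\n", @$hosts - $failed, $failed;
exit($failed ? 1 : 0);
```

Run it as `perl irac_hosts_demo.pl`: the two invalid lines are reported, 10.0.0.2 completes, 10.0.0.3 is logged as failed, and the exit status is non-zero so a wrapper can tell that the sweep was incomplete. Exact-match IPv4 validation keeps a stray hostname or typo in the list from being handed to the agent push, and the per-host eval is the error-checking habit worth carrying into any script that drives a live network sweep.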
