biggiesmallsAG / nightHawkResponse

Incident Response Forensic Framework

MIR rather than HX? #15

Closed tt1379 closed 6 years ago

tt1379 commented 8 years ago

Just stumbled across this project; like the idea.

The upload process from Redline & HX is detailed, but what about MIR (Mandiant Intelligent Response), the predecessor to HX?

The standard output from MIR is audit documents in XML format (and nothing else). I've tried just zipping the results, but this doesn't seem to be processed by nightHawk.

Any suggestions?

Thanks

tt1379 commented 8 years ago

Looking at #14, I guess this is the problem.

The parser relies on the manifest.json file and the w32system audit file to extract the computer name.

I guess a workaround would be to script something which builds a manifest.json file retrospectively?

roshanmaskey commented 8 years ago

Hi tt1379,

The manifest file helps to automatically find the ComputerName so you don't have to type it. However, you can use a command line hack to process MIR audit files.

Process a single audit file:

```
/opt/nighthawk/bin/nightHawk -v -N CaseName -C ComputerName -f AuditFile.xml
```

You can script over your unzipped MIR audit data:

```
cd mir_audits
for auditfile in *.xml; do /opt/nighthawk/bin/nightHawk -v -N CaseName -C ComputerName -f "$auditfile"; done
```

Please note, it might not support all the audit types collected by MIR. We are working on adding more audit types. The current version supports the following MIR/Redline audits:

- Persistence
- Registry (API and RAW)
- Services
- Ports
- User Accounts
- Tasks
- ProcessMemory
- Prefetch
- SystemInfo
- Disks
- Volumes
- URL History
- File Download History
- Network DNS
- Network Route
- Network ARP
- File Listing (API and RAW)
- Hive Listing
- System Restore (not fully tested)
- Kernel Hooks
- Event Logs (supported from release 1.0.3, with message detail extraction for 4624, 4625, 4648, 4688 and 4697)
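A hardened version of the per-file loop from the comment above, as an added example that is not part of this issue or of the nightHawk project. It assumes the CLI flags shown above (`-v -N -C -f`) and lets the binary path be overridden through a hypothetical `NIGHTHAWK_BIN` variable; the computer name is still passed explicitly, since MIR audits ship no manifest.json. Unlike parsing `ls`, it handles file names with spaces, skips empty audits, and records failures instead of stopping at the first bad file.

```shell
#!/bin/sh
# Added example (not nightHawk project code): batch-load a directory of
# MIR audit XML files through the nightHawk CLI, one invocation per file.
# Assumption: NIGHTHAWK_BIN is a hypothetical override for the binary path.
set -u

NIGHTHAWK_BIN="${NIGHTHAWK_BIN:-/opt/nighthawk/bin/nightHawk}"

# load_mir_audits DIR CASE_NAME COMPUTER_NAME
# Loads every *.xml audit in DIR. Prints "loaded=N failed=M" on stdout and
# returns 0 when every non-empty audit loaded, 1 otherwise. Empty files are
# skipped (a zero-byte audit is a collection failure, not evidence) and each
# failing file is reported on stderr without aborting the rest of the run.
load_mir_audits() {
    dir="$1"; case_name="$2"; computer="$3"
    loaded=0; failed=0
    if [ ! -x "$NIGHTHAWK_BIN" ]; then
        echo "nightHawk binary not executable: $NIGHTHAWK_BIN" >&2
        return 1
    fi
    # Glob expansion (not `ls`) keeps file names with spaces intact.
    for f in "$dir"/*.xml; do
        [ -e "$f" ] || continue        # pattern matched nothing
        if [ ! -s "$f" ]; then
            echo "skip (empty audit): $f" >&2
            continue
        fi
        if "$NIGHTHAWK_BIN" -v -N "$case_name" -C "$computer" -f "$f"; then
            loaded=$((loaded + 1))
        else
            echo "failed: $f" >&2
            failed=$((failed + 1))
        fi
    done
    echo "loaded=$loaded failed=$failed"
    [ "$failed" -eq 0 ]
}
```

Run it as `load_mir_audits ./mir_audits CaseName ComputerName`; the stderr lines tell you which audit types nightHawk could not parse for that host.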

roshanmaskey commented 7 years ago

Hi tt1379,

You can process MIR audits in our latest release 1.0.3 using the WebUI upload. The MIR audit must contain system information to identify the computer name.