Closed mgreen27 closed 6 years ago
RedLine is freely available at FireEye / Mandiant's website. That being said, it's probably overkill to simply grab ShimCache or AmCache. I suggest automating the process with PowerShell or GPOs if an EDR solution is not available.
Thank you for the reply. I am actually planning a collection via MIR. From your documentation I wasn't sure what the LUA in "AppCompat Mir LUA script (XML)" was, so thought I would reach out.
That's a Mandiant script to acquire ShimCache using Mir, but I don't think it's available to the general public. If using Mir you can simply create a RegistryAudit to pull in the registry values where ShimCache data is stored (all controlsets recommended, + RegBack) and ACP will also happily ingest that for you through the appcompat_mirregistryaudit ingest module.
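For readers without Mir, here is an added PowerShell collector (not from the thread, the ACP project, or Mandiant) that performs the same acquisition described above: it exports the raw AppCompatCache value from every ControlSet, not only CurrentControlSet, and copies the RegBack SYSTEM hive when one exists. The output directory name is an assumption; run it elevated.

```powershell
# Added example, not part of the issue thread or the ACP project.
# Collect ShimCache (AppCompatCache) from all ControlSets plus the RegBack SYSTEM hive.
$OutDir = Join-Path $env:TEMP ("shimcache_" + $env:COMPUTERNAME + "_" + (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Export-ShimCacheValues {
    param([string]$Destination)
    $results = @()
    # Enumerate every ControlSetNNN: a previous ControlSet can still hold entries
    # that have already rotated out of the live (CurrentControlSet) ShimCache.
    $controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' | Where-Object { $_.PSChildName -like 'ControlSet*' }
    foreach ($csKey in $controlSets) {
        $cs  = $csKey.PSChildName
        $key = "HKLM:\SYSTEM\$cs\Control\Session Manager\AppCompatCache"
        $bytes = (Get-ItemProperty -Path $key -Name 'AppCompatCache' -ErrorAction SilentlyContinue).AppCompatCache
        if ($null -eq $bytes) { continue }   # key or value absent on this ControlSet
        # Write the REG_BINARY blob unmodified so ACP (or any ShimCache parser) can ingest it.
        $file = Join-Path $Destination "${cs}_AppCompatCache.bin"
        [System.IO.File]::WriteAllBytes($file, [byte[]]$bytes)
        $results += [pscustomobject]@{
            ControlSet = $cs
            Bytes      = $bytes.Length
            SHA256     = (Get-FileHash -Path $file -Algorithm SHA256).Hash   # integrity record for the manifest
        }
    }
    return $results
}

# RegBack is a periodic backup of the SYSTEM hive and may preserve ShimCache entries
# already overwritten in the live hive. On Windows 10 1803+ the backup task is disabled
# by default, so the file is frequently 0 bytes: log that rather than treat it as an error.
$regBack = Join-Path $env:SystemRoot 'System32\config\RegBack\SYSTEM'
if (Test-Path $regBack) {
    $len = (Get-Item $regBack).Length
    if ($len -gt 0) { Copy-Item -Path $regBack -Destination (Join-Path $OutDir 'RegBack_SYSTEM') }
    "RegBack SYSTEM hive size: $len bytes" | Out-File -FilePath (Join-Path $OutDir 'collection.log')
}

$summary = Export-ShimCacheValues -Destination $OutDir
$summary | Format-Table -AutoSize
$summary | Export-Csv -Path (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
```

The per-ControlSet .bin files and manifest.csv are what you would hand to ACP (or another ShimCache parser); hash the files at collection time, as above, so the evidence chain is recorded before the data leaves the host.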
Ahh makes sense. Thank you!
Perfect! Since you're a Mir user you can also reach out through your FireEye point of contact and get that routed my way. I should be able to better support you from there and even send over a sample audit of what you're looking for to make the acquisition as fast as possible with Mir.
Hello,
Wondering if you can share the Redline/MIR audit scripts for collecting information for your tool in the repository?
Matt