Hello everybody,
I started to code a Rapid-Response framework intended for remote acquisition of data from Windows machines.
It creates one-time-use Samba usershares and users on a Linux machine and deletes them after successful acquisition.
So if the target server is compromised, an attacker cannot get further domain accounts (e.g. over gsecdump or other DCC tools).
Basically every Windows-based forensic tool with a local mode can be placed in the usershare toolset.
The outputs are saved to the share and can be transferred to an analysis workstation.
For the start I use Triage-IR from Michael Ahrendt.
There is a --fullforce mode which uses the windows/smb/psexec module from Metasploit to get a Meterpreter shell running on the compromised machine (how ironic, I know) to gather data in silence. After that, a log2timeline CSV is created over the Triage-IR output. This sounds forensically pretty wrong in the first place, I know, but that's why this tool has the side heading "Rapid". It is not intended to be 100% correct. If the number of compromised systems grows, this is necessary sometimes.
There is a lot of work to do, and not all intended features work on every Windows flavour. But I found out it's best to get constructive input before you do something wrong.
I would highly appreciate any input or recommendation regarding the features that should be implemented.
More intel and the source