Post-collection analysis framework for high value UAC artifacts #413

@Towelie

Description
Is your feature request related to a problem? Please describe.
UAC generates detailed artifact collections across many Unix-like systems, but to my knowledge there isn’t a tool for rapid host compromise assessment and fleet-wide correlation focused on high-value artifacts. Analysts are left to manually sift through raw outputs, lacking structured triage, evidence summarization, and cross-host correlation. This increases investigation time and reduces consistency in threat analysis.

Describe the solution you'd like
Integrate https://github.com/Towelie/uac-atlas as a recognized feature/component of the UAC ecosystem to provide:

Structured Triage of UAC Collections
Automate extraction and interpretation of high-value artifacts such as user/privilege systems, persistence mechanisms, scheduled tasks, execution state, and network data.

Fleet Correlation
Identify shared indicators (e.g., suspicious users, cron jobs, services) across multiple hosts to accelerate campaign attribution.

Explainable Output
Include confidence scoring and clear evidence linking artifacts to analyst conclusions.

Optional LLM-Assisted Enrichment
Integrate optional AI-assisted mapping to ATT&CK, higher-level indicators, and likelihood assessments to augment human analysis (not replace it).

CLI/Library Mode
Usable both as a CLI for analysts and a library for integration into wider pipelines or SIEM/DFIR tooling.

Describe alternatives you've considered
Manual scripting / ad-hoc parsers:
Craft custom scripts per environment to parse UAC results — brittle and not reusable.

Generic SIEM ingestion:
Push raw logs into a SIEM/ELK stack, then write queries. This still lacks host-centric triage or cross-host artifact correlation and requires significant setup.

Forking UAC to bake the analysis in:
Trying to merge the analysis directly into the UAC core. This blurs separation of concerns and adds complexity to the core collection tool.

Use external forensic frameworks (e.g., Velociraptor):
These can ingest logs but are heavyweight compared to UAC-centric analysis and are not tailored to UAC’s artifact model.

Additional context
uac-atlas is designed for analyst review, not automated remediation, and explicitly avoids replacing full forensic suites or live containment tooling.

Design goals include:

High-signal, low-noise finding extraction

Explainable output with evidence and scoring

Optional enrichment (e.g., MITRE ATT&CK mapping)

Please note uac-atlas is early in its lifecycle and I am continuing to maintain it and update it.
Currently it's more of a proof of concept, but I can work on it if this is something I could contribute to UAC, which I've used quite a lot and found to be an amazing tool.
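As an added example (not code from uac-atlas or UAC), the Fleet Correlation and Explainable Output items above could be implemented roughly like this: parse UID-0 accounts and system-crontab commands from each host's collection, report indicators shared by two or more hosts together with the evidence lines and a simple score, and suppress a known-good baseline so fleet-wide standard items do not drown the signal. The host-to-artifact input shape, sample hosts, baseline set and weights are constructed assumptions, not UAC's actual output layout.

```python
"""Fleet correlation of persistence indicators from UAC-style collections.
Added example, not uac-atlas or UAC code; the input shape is an assumption."""
from collections import defaultdict
# Constructed sample data: passwd and system-crontab lines per collected host.
COLLECTIONS = {
    "web01": {"passwd": ["root:x:0:0:root:/root:/bin/bash",
                         "www-data:x:33:33::/var/www:/usr/sbin/nologin",
                         "support:x:0:0::/tmp:/bin/sh"],
              "cron": ["0 1 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
                       "*/5 * * * * root /tmp/.cache/update.sh"]},
    "web02": {"passwd": ["root:x:0:0:root:/root:/bin/bash",
                         "support:x:0:0::/tmp:/bin/sh"],
              "cron": ["0 1 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
                       "*/5 * * * * root /tmp/.cache/update.sh"]},
    "db01": {"passwd": ["root:x:0:0:root:/root:/bin/bash"],
             "cron": ["0 1 * * * root /usr/sbin/logrotate /etc/logrotate.conf",
                      "30 2 * * * postgres /usr/local/bin/pg_backup.sh"]},
}
# Assumed known-good build baseline (suppressed) and per-artifact base scores.
BASELINE = {"passwd:root", "cron:/usr/sbin/logrotate /etc/logrotate.conf"}
WEIGHT = {"passwd": 0.5, "cron": 0.4}

def extract_indicators(artifacts):
    """Turn raw lines into (indicator key, evidence line) pairs."""
    out = []
    for line in artifacts.get("passwd", []):
        name, _, uid = line.split(":")[:3]
        if uid == "0":                 # every UID-0 account is worth comparing
            out.append((f"passwd:{name}", line))
    for line in artifacts.get("cron", []):
        parts = line.split(None, 6)    # system crontab: 5 schedule fields, user, command
        if len(parts) == 7:
            out.append((f"cron:{parts[6]}", line))
    return out

def correlate(collections, baseline=BASELINE, weights=WEIGHT):
    """Report indicators shared by two or more hosts, with evidence and a score."""
    seen = defaultdict(list)
    for host, artifacts in collections.items():
        for key, line in extract_indicators(artifacts):
            seen[key].append((host, line))
    findings = []
    for key, evidence in seen.items():
        hosts = sorted({h for h, _ in evidence})
        if key in baseline or len(hosts) < 2:
            continue              # baseline items and single-host one-offs are skipped
        score = min(1.0, weights[key.split(":", 1)[0]] + 0.15 * (len(hosts) - 1))
        findings.append({"indicator": key, "hosts": hosts,
                         "score": round(score, 2), "evidence": evidence})
    return sorted(findings, key=lambda f: -f["score"])
```

On the constructed data this yields two findings, the shared UID-0 account "support" and the shared cron command under /tmp, each listing the hosts and raw lines that support it.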
