PowerSponse

0.1.0

PowerSponse (PowerShell + Response) is a PowerShell module for targeted containment and remediation.

There are a lot of awesome sources and tools for log and forensic artifact collection and analysis (e.g. timeline information, Windows Event Logs, Sysmon, GRR, Rekall, PowerForensics, Kansa and many more), but there are none for the containment and remediation phase during incident response. A search within the awesome-incident-response list also turns up no tools for containment and remediation. There are of course some enterprise EDR (endpoint detection and response) platforms which have some capabilities to contain threats (e.g. kill process). PowerSponse should allow using various commands dedicated to containment during incident response.

There are some unique features implemented in PowerSponse:

* Focus on containment rather than on detection or log collection; new functions can be added easily through the implemented plugin system.
* Handling of literal or regular expressions for searching or killing processes, and for searching for or deactivating scheduled tasks or services.
* Implementation of a rule engine (CoRe rules) which can be used by Invoke-PowerSponse or New-CleanupPackage to reuse predefined actions (e.g. a CoRe rule per malware family). This should be the YARA or SIGMA equivalent, but for containment rather than detection.
* Run a specific cleanup rule against one or more remote hosts using Invoke-PowerSponse, or use New-CleanupPackage to build a cleanup package and deploy it to a remote host which is not reachable via network.
* A simplified incident response cycle is preparation, detection, investigation and response. All the above-mentioned tools focus on detection and investigation. The last incident response phase (besides recovery and lessons learned), namely the containment phase (deny, degrade and disrupt), is the main focus of PowerSponse.
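The literal-versus-regular-expression matching described above is the core of any process containment step. The following function is an added example written for this page, not PowerSponse's own code and not its API: it uses only built-in cmdlets (Get-Process, Stop-Process) to show how a containment action can match by exact name or by regex, support a dry run through -WhatIf, and return an auditable record of what it found and did. The function name, its parameters and the sample patterns in the usage comments are assumptions for illustration.

```powershell
# Added example (not PowerSponse code): find and optionally stop processes
# by literal name or by regular expression, with ShouldProcess (-WhatIf /
# -Confirm) support so the action can be rehearsed before it is applied.
function Find-ContainmentProcess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Process name to match: exact name by default, a regex when -Regex is set
        [Parameter(Mandatory = $true)]
        [string]$Pattern,
        [switch]$Regex,
        # When set, stop every matched process (honours -WhatIf and -Confirm)
        [switch]$Stop
    )

    $matched = Get-Process | Where-Object {
        if ($Regex) {
            $_.ProcessName -match $Pattern
        } else {
            # -eq is case-insensitive in PowerShell, so 'Notepad' matches 'notepad'
            $_.ProcessName -eq $Pattern
        }
    }

    foreach ($p in $matched) {
        # Record what was found before acting, so the result can be logged
        $record = [pscustomobject]@{
            Name   = $p.ProcessName
            Id     = $p.Id
            Path   = $p.Path
            Action = 'None'
        }

        if ($Stop -and $PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
            try {
                Stop-Process -Id $p.Id -Force -ErrorAction Stop
                $record.Action = 'Stopped'
            } catch {
                # Protected or already-exited processes end up here instead of aborting the run
                $record.Action = "Failed: $($_.Exception.Message)"
            }
        }

        $record
    }
}

# Usage (patterns are constructed placeholders, not real indicators):
#   Dry run, regex match on a family of process names:
#   Find-ContainmentProcess -Pattern '^sample(svc|host)\d*$' -Regex -Stop -WhatIf
#   Literal match, act for real:
#   Find-ContainmentProcess -Pattern 'sampleproc' -Stop
```

Running with -WhatIf first lists each process that would be stopped without touching it, which is the check a responder wants before a regex is let loose on a host; the returned objects can be piped to Export-Csv so the containment step leaves a record.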

----

Release Notes: https://github.com/swisscom/PowerSponse/releases

Changelog: https://github.com/swisscom/PowerSponse/blob/master/CHANGELOG.md

Minimum PowerShell version

3.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name PowerSponse

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Author(s)

Swisscom (Schweiz) AG

Copyright

(c) 2018 Swisscom (Schweiz) AG

Tags

IncidentResponse Containment Remediation ActiveResponse

Functions

Invoke-PowerSponse New-CleanupPackage Get-PowerSponseRule Get-Process Start-Process Stop-Process Start-Service Stop-Service Enable-Service Disable-Service Get-ScheduledTask Enable-ScheduledTask Disable-ScheduledTask Stop-Computer Restart-Computer Get-NetworkInterface Enable-NetworkInterface Disable-NetworkInterface Get-Autoruns Enable-RemoteRegistry Disable-RemoteRegistry Get-PowerSponseRepository Set-PowerSponseRepository Import-PowerSponseRepository Get-FileHandle

Dependencies

This module has no dependencies.

Release Notes

🎉 Initial public release. 🎉

This release includes basic commands for containing malicious scheduled tasks, services and processes, plus some other host commands (e.g. disable network interface). The commands can be run against a remote host, bundled into a package with all the commands, or, when no hostname is given, run against localhost. Furthermore, a rule engine was implemented to allow using CoRe (COntainment and REmediation) rules for containment. A plugin architecture was implemented to provide an easy way to add new functions.

See CHANGELOG in Github for full version information.

Version History

Version Downloads Last updated
0.1.0 (current version) 89 8/2/2018