There are many excellent sources and tools for log and forensic artifact collection and analysis (e.g. timeline information, Windows Event Logs, Sysmon, GRR, Rekall, PowerForensics, Kansa and many more), but there are none dedicated to the containment and remediation phase of incident response. A search through the awesome-incident-response list also turns up no tools for containment and remediation. Some enterprise EDR (endpoint detection and response) platforms do offer a few containment capabilities (e.g. killing a process). PowerSponse provides a set of commands dedicated to containment during incident response.
There are some unique features implemented in PowerSponse:
* Focus on containment rather than on detection or log collection; the plugin system makes it easy to add further functions.
* Literal or regular-expression matching when searching for or killing processes and when searching for or deactivating scheduled tasks or services.
* A rule engine (CoRe rules) that Invoke-PowerSponse and New-CleanupPackage use to reuse predefined actions (e.g. one CoRe rule per malware family). This is intended as the YARA or SIGMA equivalent for containment rather than detection.
* Run a specific cleanup rule against one or more remote hosts with Invoke-PowerSponse, or build a cleanup package with New-CleanupPackage and deploy it to a remote host that is not reachable over the network.
* A simplified incident response cycle consists of preparation, detection, investigation and response. All the tools mentioned above focus on detection and investigation. The final response phase (apart from recovery and lessons learned), namely containment (deny, degrade and disrupt), is the main focus of PowerSponse.
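As an added illustration of the features above (literal or regex matching, one rule per malware family, a dry run before acting, the same script run locally or pushed to a remote host), here is a small rule runner built only from built-in Windows PowerShell cmdlets. It is not PowerSponse code and its hashtable rule layout is not the CoRe rule format; the family name FakeFam, its patterns, the hostname host01 and the file name Contain-FakeFam.ps1 are all constructed for the example. It needs Windows PowerShell 5.1 with the ScheduledTasks module, and administrative rights to actually stop services or disable tasks.

```powershell
# Added illustration only: a minimal "containment rule" runner built from
# built-in PowerShell cmdlets. It is NOT PowerSponse code and the rule layout
# below is NOT the CoRe rule format; it only shows the idea of literal-or-regex
# matching plus one rule per malware family, with a dry run before execution.
#Requires -Version 5.1
param(
    [bool]$Execute = $false   # $false = dry run (-WhatIf), $true = act
)

# Constructed example rule for a hypothetical malware family "FakeFam".
$Rule = @{
    Name           = 'FakeFam'
    Processes      = @(
        @{ Pattern = 'fakefam_updater';    Regex = $false }  # literal ProcessName (no .exe)
        @{ Pattern = '^svch[o0]st[0-9]+$'; Regex = $true  }  # typo-squatted svchost; the real one has no digits
    )
    Services       = @(
        @{ Pattern = 'FakeFamSvc';         Regex = $false }
    )
    ScheduledTasks = @(
        @{ Pattern = '^\\Microsoft\\Windows\\FakeFam'; Regex = $true }  # matched against TaskPath + TaskName
    )
}

function Test-Match {
    param([string]$Value, [string]$Pattern, [bool]$Regex)
    if ($Regex) { return [bool]($Value -match $Pattern) }  # case-insensitive regex
    return $Value -eq $Pattern                             # case-insensitive literal
}

function Invoke-ContainmentRule {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][hashtable]$Rule)

    # Every decision is recorded so the responder keeps an audit trail of what was (or would be) touched.
    $log  = [System.Collections.Generic.List[object]]::new()
    $mode = if ($WhatIfPreference) { 'DryRun' } else { 'Executed' }

    foreach ($spec in $Rule.Processes) {
        foreach ($p in Get-Process | Where-Object { Test-Match $_.ProcessName $spec.Pattern $spec.Regex }) {
            if ($PSCmdlet.ShouldProcess("$($p.ProcessName) (PID $($p.Id))", 'Stop-Process')) {
                Stop-Process -Id $p.Id -Force
            }
            $log.Add([pscustomobject]@{ Rule=$Rule.Name; Type='Process'; Target="$($p.ProcessName):$($p.Id)"; Action='Kill'; Mode=$mode })
        }
    }
    foreach ($spec in $Rule.Services) {
        foreach ($s in Get-Service | Where-Object { Test-Match $_.Name $spec.Pattern $spec.Regex }) {
            if ($PSCmdlet.ShouldProcess($s.Name, 'Stop-Service; Set-Service -StartupType Disabled')) {
                Stop-Service -Name $s.Name -Force
                Set-Service  -Name $s.Name -StartupType Disabled   # stop AND disable, or it returns at next boot
            }
            $log.Add([pscustomobject]@{ Rule=$Rule.Name; Type='Service'; Target=$s.Name; Action='StopDisable'; Mode=$mode })
        }
    }
    foreach ($spec in $Rule.ScheduledTasks) {
        $tasks = Get-ScheduledTask | Where-Object { Test-Match ($_.TaskPath + $_.TaskName) $spec.Pattern $spec.Regex }
        foreach ($t in $tasks) {
            if ($PSCmdlet.ShouldProcess($t.TaskPath + $t.TaskName, 'Disable-ScheduledTask')) {
                Disable-ScheduledTask -TaskPath $t.TaskPath -TaskName $t.TaskName | Out-Null
            }
            $log.Add([pscustomobject]@{ Rule=$Rule.Name; Type='ScheduledTask'; Target=$t.TaskPath + $t.TaskName; Action='Disable'; Mode=$mode })
        }
    }
    return $log
}

# Local run. Default is a dry run; pass -Execute $true to act.
Invoke-ContainmentRule -Rule $Rule -WhatIf:(-not $Execute) | Format-Table -AutoSize

# Remote run over WinRM: the whole file is shipped to the host, so the helper
# functions travel with it (host01 is a placeholder name):
#   Invoke-Command -ComputerName host01 -FilePath .\Contain-FakeFam.ps1 -ArgumentList $true
```

Two design points carry over to any containment tooling: run the rule with `-WhatIf` first and keep the returned log, since a regex that is one character too loose kills the wrong processes on every host it is pushed to; and for services, stopping is not containment on its own, so the service is disabled in the same step or it simply comes back at the next boot.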
Release Notes: https://github.com/swisscom/PowerSponse/releases
Swisscom (Schweiz) AG
(c) 2018 Swisscom (Schweiz) AG
Exported commands:

* Rules and repository: Invoke-PowerSponse, New-CleanupPackage, Get-PowerSponseRule, Get-PowerSponseRepository, Set-PowerSponseRepository, Import-PowerSponseRepository
* Processes: Get-Process, Start-Process, Stop-Process
* Services: Start-Service, Stop-Service, Enable-Service, Disable-Service
* Scheduled tasks: Get-ScheduledTask, Enable-ScheduledTask, Disable-ScheduledTask
* Network interfaces: Get-NetworkInterface, Enable-NetworkInterface, Disable-NetworkInterface
* Host: Stop-Computer, Restart-Computer, Enable-RemoteRegistry, Disable-RemoteRegistry
* Other: Get-Autoruns, Get-FileHandle
This module has no dependencies.
🎉 Initial public release. 🎉
This release includes basic commands to contain malicious scheduled tasks, services and processes, plus some other host commands (e.g. disabling a network interface). The commands can be run against a remote host, bundled into a package, or, when no hostname is given, run against localhost. Furthermore, a rule engine was implemented so that CoRe (COntainment and REmediation) rules can be used for containment, and a plugin architecture provides an easy way to add new functions.
See the CHANGELOG on GitHub for full version information.
| Version | Downloads | Last updated |
|---|---|---|
| 0.1.0 (current version) | 89 | 8/2/2018 |