B. The Setup Process (Including Dependencies) - Asymmetric-InfoSec/Power-Response Wiki

Install Power-Response

There is no formal installation required. Simply clone the repository using git (git clone https://github.com/Asymmetric-InfoSec/Power-Response.git) or download the zip file, then move it into your desired location.

Note: There are no directory dependencies on where the root directory of Power-Response needs to live.

Dependencies

PowerShell Remoting

Power-Response depends on PowerShell remoting. All remote hosts will need to have PowerShell remoting enabled for data collection to be successful.
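Before starting a collection it is worth confirming that every target actually answers over WinRM and accepts a session, since a host that fails remoting will simply produce no data. The following is an added example, not code from the Power-Response project; the host names in $Targets are constructed placeholders and Test-PRRemoting is a hypothetical helper name.

```powershell
# Added example (not part of Power-Response): confirm that WinRM/PowerShell
# remoting answers on each collection target before launching a collection.
# The host names below are constructed placeholders; replace with your own list.
$Targets = @('host01.corp.example', 'host02.corp.example')

function Test-PRRemoting {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )

    foreach ($Computer in $ComputerName) {
        $Result = [ordered]@{
            ComputerName  = $Computer
            WSManListener = $false
            SessionOpened = $false
            Error         = $null
        }
        try {
            # Test-WSMan only checks that a WinRM listener responds; it does not
            # prove that we can authenticate or reach the PowerShell endpoint.
            $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop
            $Result.WSManListener = $true

            # Opening and tearing down a real session proves authentication and
            # endpoint access, which is what the data collection will rely on.
            $SessionParams = @{ ComputerName = $Computer; ErrorAction = 'Stop' }
            if ($Credential) { $SessionParams.Credential = $Credential }
            $Session = New-PSSession @SessionParams
            $Result.SessionOpened = $true
            Remove-PSSession -Session $Session
        }
        catch {
            # Keep the message so the operator can tell a firewall/listener
            # problem apart from an authentication failure.
            $Result.Error = $_.Exception.Message
        }
        [pscustomobject]$Result
    }
}

# Usage: list every host that needs attention (Enable-PSRemoting on the host,
# firewall rules, or credentials) before the collection run starts.
Test-PRRemoting -ComputerName $Targets |
    Where-Object { -not $_.SessionOpened } |
    Format-Table -AutoSize
```

Pass -Credential when the collection account differs from the one running the console; hosts that pass the WSMan check but fail to open a session usually point at an authentication or endpoint-permission problem rather than a missing listener.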

Run the Setup Script

If you downloaded the zip from GitHub, unblock Setup.ps1 (previously Config-PR.ps1) by executing Unblock-File .\Setup.ps1

Execute Setup.ps1 located in the Power-Response root directory to satisfy all dependencies. All dependencies are listed below for reference.

Binaries used by Power-Response

Download and/or place the following dependencies into BIN (not necessary if you use Setup.ps1).

Sysinternals Tools

The following Sysinternals tools are required for Sysinternals based plugins:

  1. Autorunsc.exe
  2. Autorunsc64.exe
  3. Sigcheck.exe
  4. Sigcheck64.exe
  5. Handle.exe
  6. Handle64.exe

Winpmem Memory Acquisition Tool

Winpmem is used for memory acquisition on Windows-based machines:

  1. Download the most recent release of Winpmem from https://github.com/Velocidex/c-aff4/releases/
  2. Rename the executable to winpmem.exe
  3. Move winpmem.exe to BIN

Big shout out to Michael Cohen for his work on winpmem!

7-zip Stand Alone Compression Tool

PowerShell (.NET, actually) has a native limitation on compression (archives must be less than 2GB), so we needed to bring in a standalone tool to do compression on our behalf:

  1. Download "7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager" from https://www.7-zip.org/download.html
  2. Locate the 64-bit executable and rename it to 7za_x64.exe
  3. Locate the 32-bit executable and rename it to 7za_x86.exe
  4. Move both executables to BIN

Note: Power-Response plugins will attempt to leverage a locally installed 7-Zip when possible. If 7-Zip already exists on the remote machine, 7-Zip will not be deployed.

Eric Zimmerman's Tools

We use the following executables from Eric's tools, which can be found at https://ericzimmerman.github.io/#!index.md. Download them and place them in BIN.

  1. PECmd
  2. JLECmd
  3. LECmd
  4. MFTECmd
  5. AmcacheParser
  6. AppCompatCacheParser
  7. RegistryExplorer (The entire extracted directory)
  8. RBCmd
  9. SBECmd
  10. EvtxExplorer

Huge shout out to Eric and his tools! They make easy analysis work of the data that Power-Response collects.

The Sleuth Kit

Tools extracted from https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.6.6/sleuthkit-4.6.6-win32.zip

  1. FLS.exe (and associated DLLs)

LogParser

Microsoft tool for quick and easy parsing of the CSV files retrieved with Power-Response.

  1. Download the MSI from https://download.microsoft.com/download/f/f/1/ff1819f9-f702-48a5-bbc7-c9656bc74de8/LogParser.msi
  2. Install the thing
  3. Copy logparser.exe, logparser.dll and the COM directory out of the Program Files location to BIN\logparser\
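Once BIN is populated, a quick inventory catches a missing or misnamed binary before it fails mid-collection, and recording each file's Authenticode status, SHA256 and Mark-of-the-Web state documents exactly which tool builds were deployed to hosts during a case. The script below is an added example, not Power-Response's own code or Setup.ps1: $PRRoot is an assumed install path, the ".exe" suffix on Eric Zimmerman's tools and the logparser\COM subdirectory layout are assumptions drawn from the list above, and Test-PRBin is a hypothetical helper name.

```powershell
# Added example (not Power-Response's own code): inventory BIN against the
# dependency list on this page and record signature status, hashes and
# Mark-of-the-Web state so the toolkit can be validated before deployment.
# $PRRoot is an assumed location for the Power-Response root; adjust as needed.
$PRRoot = 'C:\Tools\Power-Response'
$Bin    = Join-Path $PRRoot 'BIN'

# Files expected in BIN, taken from the dependency sections above. The ".exe"
# suffix on Eric Zimmerman's tools is an assumption; match it to what you downloaded.
$Expected = @(
    'Autorunsc.exe', 'Autorunsc64.exe', 'Sigcheck.exe', 'Sigcheck64.exe',
    'Handle.exe', 'Handle64.exe',
    'winpmem.exe',
    '7za_x64.exe', '7za_x86.exe',
    'PECmd.exe', 'JLECmd.exe', 'LECmd.exe', 'MFTECmd.exe', 'AmcacheParser.exe',
    'AppCompatCacheParser.exe', 'RBCmd.exe', 'SBECmd.exe', 'EvtxExplorer.exe',
    'FLS.exe',
    'logparser\logparser.exe', 'logparser\logparser.dll'
)
# Directories expected in BIN (RegistryExplorer ships as a whole directory).
$ExpectedDirs = @('RegistryExplorer', 'logparser\COM')

function Test-PRBin {
    param([string]$BinPath, [string[]]$Files, [string[]]$Directories)

    foreach ($Dir in $Directories) {
        [pscustomobject]@{
            Item = $Dir; Present = (Test-Path (Join-Path $BinPath $Dir) -PathType Container)
            Signature = 'n/a'; SHA256 = $null; MarkOfTheWeb = $null
        }
    }

    foreach ($File in $Files) {
        $Path = Join-Path $BinPath $File
        if (-not (Test-Path $Path -PathType Leaf)) {
            [pscustomobject]@{ Item = $File; Present = $false; Signature = $null; SHA256 = $null; MarkOfTheWeb = $null }
            continue
        }
        # Authenticode status: Sysinternals and 7-Zip ship signed. "NotSigned" is
        # not an error for every tool, but "HashMismatch" or "NotTrusted" on a
        # binary that is normally signed deserves a look before it is deployed.
        $Sig = Get-AuthenticodeSignature -FilePath $Path
        # A Zone.Identifier stream means the file was downloaded and still carries
        # Mark-of-the-Web; Unblock-File removes it, which matters once the binary
        # is pushed to remote hosts.
        $HasMotw = [bool](Get-Item -Path $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            Item         = $File
            Present      = $true
            Signature    = $Sig.Status.ToString()
            SHA256       = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
            MarkOfTheWeb = $HasMotw
        }
    }
}

$Report = Test-PRBin -BinPath $Bin -Files $Expected -Directories $ExpectedDirs
$Report | Format-Table -AutoSize

# Persist the inventory next to the toolkit so the exact binaries used in a
# case are documented alongside the collected data.
$Report | Export-Csv -Path (Join-Path $PRRoot 'BIN-inventory.csv') -NoTypeInformation
```

Any row with Present = False, or an executable with MarkOfTheWeb = True, is the thing to fix before running a collection; the saved CSV is also a convenient baseline to diff after re-downloading a newer release of any tool.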