B. The Setup Process (Including Dependencies) - Asymmetric-InfoSec/Power-Response GitHub Wiki
Install Power-Response
There is no formal installation required. Simply clone the repository using git (git clone https://github.com/Asymmetric-InfoSec/Power-Response.git) or download the zip file and move it to your desired location.
Note: There are no directory dependencies for where the root directory of Power-Response needs to live.
Dependencies
PowerShell Remoting
Power-Response depends on PowerShell remoting. All remote hosts will need to have PowerShell remoting enabled for data collection to be successful.
Run the Setup Script
If you downloaded the zip from GitHub, unblock Setup.ps1 (previously Config-PR.ps1) by executing Unblock-File .\Setup.ps1
Execute Setup.ps1, located in the Power-Response root directory, to satisfy all dependencies. All dependencies are listed below for reference.
Binaries used by Power-Response
Download and/or place the following dependencies into BIN (not necessary if you use Setup.ps1).
Sysinternals Tools
The following Sysinternals tools are required for Sysinternals-based plugins:
- Autorunsc.exe
- Autorunsc64.exe
- Sigcheck.exe
- Sigcheck64.exe
- Handle.exe
- Handle64.exe
Winpmem Memory Acquisition Tool
Winpmem is used for memory acquisition on Windows-based machines:
- Download the most recent release of Winpmem from https://github.com/Velocidex/c-aff4/releases/
- Rename the executable to winpmem.exe
- Move winpmem.exe to BIN
Big shout out to Michael Cohen for his work on winpmem!
7-zip Stand Alone Compression Tool
PowerShell (.NET, actually) has native limitations for compression (archives must be less than 2GB), so we needed to bring in a standalone tool to do compression on our behalf:
- Download "7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager" from https://www.7-zip.org/download.html
- Locate the 64-bit executable and rename it to 7za_x64.exe
- Locate the 32-bit executable and rename it to 7za_x86.exe
- Move both executables to BIN
Note: Power-Response plugins will attempt to leverage a locally installed 7-zip when possible. If 7-zip already exists on the remote machine, 7-zip will not be deployed.
Eric Zimmerman's Tools
We use the following executables from Eric's tools, which can be found at https://ericzimmerman.github.io/#!index.md. Download them and place them in BIN.
- PECmd
- JLECmd
- LECmd
- MFTECmd
- AmcacheParser
- AppCompatCacheParser
- RegistryExplorer (the entire extracted directory)
- RBCmd
- SBECmd
- EvtxExplorer
Huge shout out to Eric and his tools! They make easy work of analyzing the data that Power-Response collects.
The Sleuth Kit
Tools extracted from https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.6.6/sleuthkit-4.6.6-win32.zip
- FLS.exe (and associated DLLs)
LogParser
Microsoft tool for quick and easy parsing of the CSV files retrieved with Power-Response.
- Download the MSI from https://download.microsoft.com/download/f/f/1/ff1819f9-f702-48a5-bbc7-c9656bc74de8/LogParser.msi
- Install the thing
- Copy logparser.exe, logparser.dll and the COM directory out of the Program Files location to BIN\logparser\
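To verify the steps on this page against a clone before running a collection, here is an added PowerShell check that is not part of Power-Response itself. It assumes it is run from the Power-Response root directory; the function name Test-PowerResponseSetup, its parameters, and the wildcard matching of the Zimmerman tool names are assumptions of this example.

```powershell
# Added example (not Power-Response code): checks that Setup.ps1 is unblocked, that every
# dependency listed on this wiki page is present under BIN, and that PowerShell remoting
# answers on the intended collection targets. Function and parameter names are hypothetical.
function Test-PowerResponseSetup {
    param(
        [string]$Root = (Get-Location).Path,   # Power-Response root directory (assumed)
        [string[]]$RemoteHost = @()            # hosts that must have PowerShell remoting enabled
    )
    $bin = Join-Path $Root 'BIN'
    $results = @()

    # 1. Setup.ps1 must exist and must not carry the Zone.Identifier stream (i.e. it was unblocked).
    $setup   = Join-Path $Root 'Setup.ps1'
    $present = Test-Path $setup
    $blocked = $present -and [bool](Get-Item -Path $setup -Stream Zone.Identifier -ErrorAction SilentlyContinue)
    $results += [pscustomobject]@{ Check = 'Setup.ps1 present and unblocked'; Ok = ($present -and -not $blocked) }

    # 2. Dependencies exactly as listed on this page, relative to BIN. A trailing wildcard is
    #    used so tool names given without an extension (and the RegistryExplorer directory) match.
    $required = @(
        'Autorunsc.exe','Autorunsc64.exe','Sigcheck.exe','Sigcheck64.exe','Handle.exe','Handle64.exe',
        'winpmem.exe','7za_x64.exe','7za_x86.exe','FLS.exe',
        'PECmd','JLECmd','LECmd','MFTECmd','AmcacheParser','AppCompatCacheParser',
        'RegistryExplorer','RBCmd','SBECmd','EvtxExplorer',
        'logparser\logparser.exe','logparser\logparser.dll','logparser\COM'
    )
    foreach ($item in $required) {
        $found = [bool](Test-Path (Join-Path $bin "$item*"))
        $results += [pscustomobject]@{ Check = "BIN\$item"; Ok = $found }
    }

    # 3. PowerShell remoting must be reachable on every collection target (WinRM listener answers).
    foreach ($h in $RemoteHost) {
        $ok = $false
        try { $null = Test-WSMan -ComputerName $h -ErrorAction Stop; $ok = $true } catch { }
        $results += [pscustomobject]@{ Check = "PowerShell remoting reachable: $h"; Ok = $ok }
    }
    return $results
}

# Usage: list only the checks that failed.
Test-PowerResponseSetup -RemoteHost 'host1','host2' | Where-Object { -not $_.Ok }
```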