G. Hunting with Power Response - Asymmetric-InfoSec/Power-Response Wiki

Power-Response has been adapted to use plugins for threat hunting within a Windows environment. The Hunt category of plugin was created to leverage plugins in a hunting capacity. Additionally, analyze plugins have been created to implement automatic analysis of collected threat hunting data using Microsoft's Log Parser utility.

Using Power-Response for Hunting

Running Power-Response in a threat hunting capacity more or less the same process, with one exception:

  1. Leverage the Import-Items (formally Import-Computers) plugin to import your list of computers (there will likely be many)

Note: Power-Response_Import-Computers_Template.csv is located in the Extras directory for ease of formatting and ingestion

  1. Navigate to the Hunt plugin that you are interested in running

  2. Specify a HuntName for your hunt (this is to ensure that output is grouped properly for analysis)

  3. Run the plugin (analysis will automatically occur when the data is returned)

  4. Review the output and analysis output

Analyzing Hunt Data with Power-Response

Microsoft's Log Parser is used to analyze the CSV based data that is returned from Power-Response. If you have never used Log Parser before, it allows analysts to use a SQL syntax to group, manipulate, and analyze data in a variety of formats.

The Analyze plugin that corresponds to the Hunt plugin being run will contain an array of hash tables which specify what the name of the output will be and the SQL query that will be run against the data. For Example, from Analyze-MaliciousProcessDLLs:

        Name = 'Stack_ProcessName_ModuleName'
        Query = @"
            COUNT(ModuleName, ProcessName) as ct,
        GROUP BY
        ORDER BY
            ct ASC    

You can add or remove queries as you would like to. As always, if you have a query that fits well into an Analyze plugin, please consider submitting a pull request.