G. Hunting with Power Response - Asymmetric-InfoSec/Power-Response Wiki
Power-Response has been adapted to use plugins for threat hunting within a Windows environment. The `Hunt` category of plugin was created to leverage plugins in a hunting capacity. Additionally, `Analyze` plugins have been created to implement automatic analysis of collected threat hunting data using Microsoft's Log Parser utility.
Using Power-Response for Hunting
Running Power-Response in a threat hunting capacity is more or less the same process, with one exception:

- Leverage the `Import-Computers` plugin to import your list of computers (there will likely be many). `Power-Response_Import-Computers_Template.csv` is located in the `Extras` directory for ease of formatting and ingestion.
- Navigate to the `Hunt` plugin that you are interested in running.
- Set a `HuntName` for your hunt (this is to ensure that output is grouped properly for analysis).
- Run the plugin (analysis will automatically occur when the data is returned).
- Review the output and the analysis output.
Analyzing Hunt Data with Power-Response
Microsoft's Log Parser is used to analyze the CSV-based data that is returned from Power-Response. If you have never used Log Parser before, it allows analysts to use a SQL-like syntax to group, manipulate, and analyze data in a variety of formats.
The `Analyze` plugin that corresponds to the `Hunt` plugin being run contains an array of hash tables, each specifying the name of the output and the SQL query that will be run against the data. For example, from `Analyze-MaliciousProcessDLLs`:

```powershell
@{
    Name  = 'Stack_ProcessName_ModuleName'
    Query = @"
SELECT COUNT(ModuleName, ProcessName) as ct, ProcessName, ModuleName
INTO <File>
FROM $DataLocation
GROUP BY ProcessName, ModuleName
ORDER BY ct ASC
"@
}
```
You can add or remove queries as you like. As always, if you have a query that fits well into an `Analyze` plugin, please consider submitting a pull request.
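To show how the hash table array above drives Log Parser end to end, here is an added example (not Power-Response's own code) that runs each query against a hunt CSV and writes one stacked output file per query. The hunt name, file paths, Log Parser install location and the second `Stack_ModuleName` query are assumptions for illustration; `<File>` is treated as the placeholder for the per-query output path.

```powershell
# Added example: runs Analyze-style query hash tables through Microsoft Log Parser.
# Not Power-Response's own code; paths, parameter names and the second query are assumed.
param(
    [string]$HuntName     = 'Hunt-Example',                                      # assumed hunt name
    [string]$DataLocation = 'C:\PR\Output\Hunt-Example\MaliciousProcessDLLs.csv', # assumed hunt CSV
    [string]$LogParser    = 'C:\Program Files (x86)\Log Parser 2.2\LogParser.exe' # assumed install path
)

# Same shape as Analyze-MaliciousProcessDLLs: Name becomes the output file name,
# Query is run against the hunt data. $DataLocation expands inside the here-string.
$Queries = @(
    @{
        Name  = 'Stack_ProcessName_ModuleName'
        Query = @"
SELECT COUNT(ModuleName, ProcessName) AS ct, ProcessName, ModuleName
INTO <File>
FROM $DataLocation
GROUP BY ProcessName, ModuleName
ORDER BY ct ASC
"@
    },
    @{  # Assumed extra stack: modules that are rare across the whole data set sort first
        Name  = 'Stack_ModuleName'
        Query = @"
SELECT COUNT(*) AS ct, ModuleName
INTO <File>
FROM $DataLocation
GROUP BY ModuleName
ORDER BY ct ASC
"@
    }
)

# Group analysis output beside the hunt data so it stays tied to this HuntName
$AnalysisDir = Join-Path (Split-Path -Parent $DataLocation) 'Analysis'
New-Item -ItemType Directory -Path $AnalysisDir -Force | Out-Null

foreach ($q in $Queries) {
    # Replace the <File> placeholder with the per-query output path, then run Log Parser
    $outFile = Join-Path $AnalysisDir ('{0}_{1}.csv' -f $HuntName, $q.Name)
    $sql     = $q.Query -replace '<File>', $outFile
    & $LogParser -i:CSV -o:CSV -stats:OFF $sql
    if ($LASTEXITCODE -ne 0) { Write-Warning "Log Parser failed for $($q.Name)" }
    else { Write-Host "Wrote $outFile" }
}
```

Because the queries sort by count ascending, the least-frequent process/module pairs appear at the top of each output file, which is where review of a hunt across many hosts usually starts.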