G. Hunting with Power Response - Asymmetric-InfoSec/Power-Response GitHub Wiki
Power-Response has been adapted to use plugins for threat hunting within a Windows environment. The Hunt category of plugin was created to leverage plugins in a hunting capacity. Additionally, Analyze plugins have been created to implement automatic analysis of collected threat hunting data using Microsoft's Log Parser utility.
Running Power-Response in a threat hunting capacity is more or less the same process, with one exception:

- Leverage the `Import-Items` (formerly `Import-Computers`) plugin to import your list of computers (there will likely be many).

  Note: `Power-Response_Import-Computers_Template.csv` is located in the `Extras` directory for ease of formatting and ingestion.
- Navigate to the Hunt plugin that you are interested in running.
- Specify a `HuntName` for your hunt (this is to ensure that output is grouped properly for analysis).
- Run the plugin (analysis will automatically occur when the data is returned).
- Review the output and the analysis output.
Microsoft's Log Parser is used to analyze the CSV based data that is returned from Power-Response. If you have never used Log Parser before, it allows analysts to use a SQL syntax to group, manipulate, and analyze data in a variety of formats.
The Analyze plugin that corresponds to the Hunt plugin being run will contain an array of hash tables which specify what the name of the output will be and the SQL query that will be run against the data. For example, from Analyze-MaliciousProcessDLLs:

```powershell
Name = 'Stack_ProcessName_ModuleName'
Query = @"
SELECT
    COUNT(ModuleName, ProcessName) as ct,
    ProcessName,
    ModuleName
INTO
    <File>
FROM
    $DataLocation
GROUP BY
    ProcessName,
    ModuleName
ORDER BY
    ct ASC
"@
```
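To make the Name/Query mechanism concrete, here is an added example (not Power-Response's own code) that runs such an array of hash tables through Log Parser over a constructed hunt CSV, filling in the `<File>` token per query. It assumes `LogParser.exe` is on the PATH; the function name, sample data and the second "rare modules" query are hypothetical.

```powershell
# Constructed sample of what a Hunt plugin might return (ProcessName/ModuleName columns).
$DataLocation = Join-Path $env:TEMP 'Hunt_ProcessDLLs.csv'
@'
ComputerName,ProcessName,ModuleName
WS01,explorer.exe,C:\Windows\System32\ntdll.dll
WS02,explorer.exe,C:\Windows\System32\ntdll.dll
WS03,explorer.exe,C:\Windows\System32\ntdll.dll
WS02,explorer.exe,C:\Users\Public\helper.dll
WS03,svchost.exe,C:\Windows\System32\ntdll.dll
'@ | Set-Content -Path $DataLocation -Encoding ASCII

# Same shape as an Analyze plugin: Name -> output file stem, Query -> Log Parser SQL.
# $DataLocation is expanded by the here-string, so it must be set before this runs.
$Analysis = @(
    @{ Name  = 'Stack_ProcessName_ModuleName'
       Query = @"
SELECT COUNT(*) AS ct, ProcessName, ModuleName INTO <File>
FROM $DataLocation GROUP BY ProcessName, ModuleName ORDER BY ct ASC
"@ },
    @{ Name  = 'Rare_Modules'   # hypothetical: modules seen on two hosts or fewer
       Query = @"
SELECT COUNT(*) AS ct, ModuleName INTO <File>
FROM $DataLocation GROUP BY ModuleName HAVING ct <= 2 ORDER BY ct ASC
"@ }
)

function Invoke-HuntAnalysis {
    param(
        [Parameter(Mandatory)][string]$HuntName,       # groups output per hunt
        [Parameter(Mandatory)][hashtable[]]$Queries,   # @{ Name; Query } entries
        [string]$LogParserPath = 'LogParser.exe'       # assumed on PATH
    )
    $outDir = Join-Path $env:TEMP "Analysis_$HuntName"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    foreach ($q in $Queries) {
        $outFile = Join-Path $outDir "$($q.Name).csv"
        # <File> marks where this query's output path belongs.
        $sql = $q.Query.Replace('<File>', $outFile)
        # -i:CSV / -o:CSV select the input and output formats; -stats:OFF quiets the footer.
        & $LogParserPath -i:CSV -o:CSV -stats:OFF $sql
        Write-Host "== $($q.Name) =="
        Import-Csv $outFile | Format-Table -AutoSize   # least-frequent rows come first
    }
}

Invoke-HuntAnalysis -HuntName 'ProcessDLLs_Demo' -Queries $Analysis
```

In the constructed data, `C:\Users\Public\helper.dll` stacks to a count of 1 and sorts to the top of both outputs, which is the low-frequency view a hunter reviews first.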
You can add or remove queries as you like. As always, if you have a query that fits well into an Analyze plugin, please consider submitting a pull request.