H. Scoping with Power Response - Asymmetric-InfoSec/Power-Response Wiki

Power-Response is capable of performing scoping functions within a Windows environment. The Scope category of plugin was created to leverage plugins in a scoping capacity in which a set of known IOC's are used to rapidly scope for compromise in an environment.

Using Power-Response for Scoping

Running Power-Response in a scoping capacity more or less the same process as a normal Power-Response session, with slight exceptions:

  1. Leverage the Import-Items (formally Import-Computers) plugin to import your list of computers (there will likely be many)

Note: Power-Response_Import-Computers_Template.csv is located in the Extras directory for ease of formatting and ingestion

  1. Leverage the Import-Items plugin to import your list of IOC's for scoping

Note: Power-Response_Scoping_Template.csv is located in the Extras directory for ease of formatting and ingestion

  1. Navigate to the Scope plugin that you are interested in running

  2. Specify a ScopeName for your scoping session (this is to ensure that output is grouped properly for analysis)

  3. Run the plugin

  4. Review the output