I. Eradicating with Power Response - Asymmetric-InfoSec/Power-Response GitHub Wiki
Power-Response is capable of performing eradication functions within a Windows environment. The Eradicate category of plugin was created to leverage plugins in an eradication capacity, in which a set of known IOCs is used to perform eradication in an environment.
Using Power-Response for Eradication
Running Power-Response in an eradication capacity is more or less the same process as a normal Power-Response session, with slight exceptions:
- Leverage the `Import-Items` (formerly `Import-Computers`) plugin to import your list of computers (there will likely be many). Note: `Power-Response_Import-Computers_Template.csv` is located in the `Extras` directory for ease of formatting and ingestion.
- Leverage the `Import-Items` plugin to import your list of IOCs for eradication. Note: `Power-Response_Eradication_Template.csv` is located in the `Extras` directory for ease of formatting and ingestion.
- Navigate to the Eradication plugin that you are interested in running.
- Specify an `EradicateName` for your scoping session (this ensures that output is grouped properly for analysis).
- Run the plugin.
- Review the output (this confirms for which hosts eradication was successful and for which it was unsuccessful).