I. Eradicating with Power Response - Asymmetric-InfoSec/Power-Response Wiki

Power-Response is capable of performing eradication functions within a Windows environment. The Eradicate category of plugin was created to leverage plugins in a eradication capacity in which a set of known IOC's are used to perform eradication in an environment.

Using Power-Response for Eradication

Running Power-Response in a eradication capacity more or less the same process as a normal Power-Response session, with slight exceptions:

  1. Leverage the Import-Items (formally Import-Computers) plugin to import your list of computers (there will likely be many)

Note: Power-Response_Import-Computers_Template.csv is located in the Extras directory for ease of formatting and ingestion

  1. Leverage the Import-Items plugin to import your list of IOC's for eradication

Note: Power-Response_Eradication_Template.csv is located in the Extras directory for ease of formatting and ingestion

  1. Navigate to the Eradication plugin that you are interested in running

  2. Specify a EradicateName for your scoping session (this is to ensure that output is grouped properly for analysis)

  3. Run the plugin

  4. Review the output (This will confirm which hosts eradication was successful and unsuccessful for)