B. The Setup Process (Including Dependencies)
There is no formal installation required. Simply clone the repository using git (git clone https://github.com/Asymmetric-InfoSec/Power-Response.git) or download the zip file, and move it to your desired location.
Note: There are no directory dependencies for where the root directory of Power-Response needs to live.
PowerShell Remoting
Power-Response depends on PowerShell remoting (WinRM). Every remote host must have PowerShell remoting enabled, and the account running Power-Response must be allowed to connect to it, or data collection from that host will fail.
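Before starting a collection it is worth confirming that each target actually accepts a remoting session, since a single unreachable host will otherwise surface only as a failed plugin later. The following check is an added example and is not part of Power-Response; the host names are constructed placeholders, and it assumes the account running it is already permitted to connect.

```powershell
# Added example (not Power-Response code): verify PowerShell remoting on each
# target before running a collection. Host names below are placeholders.
$Targets = @('WKS01', 'WKS02', 'SRV-FILE01')

$Results = foreach ($Computer in $Targets) {
    $Status = 'OK'
    $Detail = ''
    try {
        # Test-WSMan only confirms that the WinRM listener answers; it does not
        # prove that we are authorised to open a session.
        $null = Test-WSMan -ComputerName $Computer -ErrorAction Stop

        # Invoke-Command proves the full path: authentication, session setup
        # and code execution, which is what Power-Response plugins rely on.
        $RemoteUser = Invoke-Command -ComputerName $Computer `
                                     -ScriptBlock { whoami } `
                                     -ErrorAction Stop
        $Detail = "session OK, running as $RemoteUser"
    }
    catch {
        $Status = 'FAIL'
        $Detail = $_.Exception.Message
    }
    [pscustomobject]@{ ComputerName = $Computer; Remoting = $Status; Detail = $Detail }
}

$Results | Format-Table -AutoSize

# Hosts that fail need remoting enabled on the target (run elevated there):
#   Enable-PSRemoting -Force
# or the equivalent Group Policy. Workgroup machines may additionally require
# the target to be listed in the client's WSMan TrustedHosts.
```

Run this from the same account and machine that will run Power-Response; the result reflects that account's rights, not an administrator's.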
If you downloaded the zip from GitHub, unblock Setup.ps1 (previously Config-PR.ps1) by executing Unblock-File .\Setup.ps1. Windows marks files extracted from a downloaded zip as coming from the internet, and the execution policy will refuse to run the script until that mark is removed.
Execute Setup.ps1, located in the Power-Response root directory, to satisfy all dependencies. All dependencies are listed below for reference.
Download and/or place the following dependencies into BIN (not necessary if you use Setup.ps1).
The following Sysinternals tools are required for Sysinternals based plugins:
Autorunsc.exe
Autorunsc64.exe
Sigcheck.exe
Sigcheck64.exe
Handle.exe
Handle64.exe
Winpmem is used for memory acquisition on Windows based machines:
- Download the most recent release of Winpmem from https://github.com/Velocidex/c-aff4/releases/
- Rename the executable to winpmem.exe
- Move winpmem.exe to BIN
Big shout out to Michael Cohen for his work on winpmem!
PowerShell's native compression (Compress-Archive, built on .NET's System.IO.Compression) cannot produce archives larger than 2 GB, so we needed to bring in a standalone tool to do compression on our behalf:
- Download "7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager" from https://www.7-zip.org/download.html
- Locate the 64-bit executable and rename it to 7za_x64.exe
- Locate the 32-bit executable and rename it to 7za_x86.exe
- Move both executables to BIN
Note: Power-Response plugins will attempt to leverage a locally installed 7-Zip when possible. If 7-Zip already exists on the remote machine, the copy in BIN will not be deployed.
We use the following executables from Eric Zimmerman's tools, which can be found at https://ericzimmerman.github.io/#!index.md. Download them and place them in BIN.
PECmd
JLECmd
LECmd
MFTECmd
AmcacheParser
AppCompatCacheParser
RegistryExplorer (the entire extracted directory)
RBCmd
SBECmd
EvtxExplorer
Huge shout out to Eric and his tools! They make easy analysis work of the data that Power-Response collects.
Tools extracted from https://github.com/sleuthkit/sleuthkit/releases/download/sleuthkit-4.6.6/sleuthkit-4.6.6-win32.zip
- FLS.exe (and associated DLLs)
Microsoft Log Parser, for quick and easy parsing of the CSV files retrieved with Power-Response:
- Download the MSI from https://download.microsoft.com/download/f/f/1/ff1819f9-f702-48a5-bbc7-c9656bc74de8/LogParser.msi
- Install it
- Copy logparser.exe, logparser.dll and the COM directory out of the Program Files location to BIN\logparser\
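Whether BIN was populated by Setup.ps1 or by hand, a practitioner will want to confirm that every dependency listed above is actually in place and that the binaries that should be Microsoft-signed still are, since these tools are pushed to and executed on every host in scope. The script below is an added example and is not part of Power-Response. It assumes it is run from the Power-Response root directory, that the Zimmerman tools are single executables named after the tool (apart from RegistryExplorer and EvtxExplorer, which it treats as directories), and it records a SHA256 baseline of each file so later runs can detect a swapped binary.

```powershell
# Added example (not Power-Response code): verify the BIN dependency layout.
# Assumption: run from the Power-Response root, so BIN is a sibling of this script.
$Root = $PSScriptRoot
$Bin  = Join-Path $Root 'BIN'

# Files expected in BIN, using the renamed forms this page asks for.
# Assumption: Eric Zimmerman's tools are placed as <Tool>.exe.
$RequiredFiles = @(
    'Autorunsc.exe', 'Autorunsc64.exe', 'Sigcheck.exe', 'Sigcheck64.exe',
    'Handle.exe', 'Handle64.exe',
    'winpmem.exe',
    '7za_x64.exe', '7za_x86.exe',
    'PECmd.exe', 'JLECmd.exe', 'LECmd.exe', 'MFTECmd.exe',
    'AmcacheParser.exe', 'AppCompatCacheParser.exe', 'RBCmd.exe', 'SBECmd.exe',
    'fls.exe',
    'logparser\logparser.exe', 'logparser\logparser.dll'
)

# Dependencies shipped as whole directories (assumption for EvtxExplorer).
$RequiredDirs = @('RegistryExplorer', 'EvtxExplorer', 'logparser\COM')

# Binaries that Microsoft signs; anything else here is a red flag.
$MicrosoftSigned = @(
    'Autorunsc.exe', 'Autorunsc64.exe', 'Sigcheck.exe', 'Sigcheck64.exe',
    'Handle.exe', 'Handle64.exe', 'logparser\logparser.exe', 'logparser\logparser.dll'
)

$FileReport = foreach ($Rel in $RequiredFiles) {
    $Path    = Join-Path $Bin $Rel
    $Present = Test-Path -LiteralPath $Path -PathType Leaf
    $Sig     = 'n/a'
    $Hash    = ''
    if ($Present) {
        # SHA256 baseline: keep the output of the first run and diff later runs against it.
        $Hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($MicrosoftSigned -contains $Rel) {
            $S = Get-AuthenticodeSignature -LiteralPath $Path
            $Sig = if ($S.Status -eq 'Valid' -and
                       $S.SignerCertificate.Subject -match 'Microsoft Corporation') {
                'Valid (Microsoft)'
            } else {
                "BAD: $($S.Status)"
            }
        }
    }
    [pscustomobject]@{ Item = $Rel; Present = $Present; Signature = $Sig; SHA256 = $Hash }
}

$DirReport = foreach ($Rel in $RequiredDirs) {
    $Path = Join-Path $Bin $Rel
    [pscustomobject]@{
        Item      = "$Rel\"
        Present   = (Test-Path -LiteralPath $Path -PathType Container)
        Signature = 'n/a'
        SHA256    = ''
    }
}

$Report = @($FileReport) + @($DirReport)
$Report | Format-Table -AutoSize

$Missing = @($Report | Where-Object { -not $_.Present })
$BadSig  = @($Report | Where-Object { $_.Signature -like 'BAD:*' })
if ($Missing.Count) { Write-Warning "$($Missing.Count) dependencies missing from $Bin" }
if ($BadSig.Count)  { Write-Warning "$($BadSig.Count) binaries failed signature validation" }
```

7-Zip, Winpmem, The Sleuth Kit and the Zimmerman tools are not checked for a Microsoft signature because they are not Microsoft products; for those, compare the recorded SHA256 values against the hashes published with the release you downloaded.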