{"id":13530284,"url":"https://github.com/swisscom/PowerSponse","last_synced_at":"2025-04-01T18:31:29.916Z","repository":{"id":34385084,"uuid":"103512149","full_name":"swisscom/PowerSponse","owner":"swisscom","description":"PowerSponse is a PowerShell module focused on targeted containment and remediation during incident response.","archived":false,"fork":false,"pushed_at":"2022-03-18T10:19:03.000Z","size":198,"stargazers_count":38,"open_issues_count":10,"forks_count":6,"subscribers_count":16,"default_branch":"master","last_synced_at":"2025-03-04T22:02:07.939Z","etag":null,"topics":["cleanup","containment","incident-response","powershell","powershell-modules","remediation"],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/swisscom.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-09-14T09:15:11.000Z","updated_at":"2024-09-10T05:40:00.000Z","dependencies_parsed_at":"2022-08-08T01:00:18.445Z","dependency_job_id":null,"html_url":"https://github.com/swisscom/PowerSponse","commit_stats":null,"previous_names":[],"tags_count":5,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FPowerSponse","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FPowerSponse/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FPowerSponse/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/swisscom%2FPowerSponse/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/ow
ners/swisscom","download_url":"https://codeload.github.com/swisscom/PowerSponse/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246691554,"owners_count":20818533,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cleanup","containment","incident-response","powershell","powershell-modules","remediation"],"created_at":"2024-08-01T07:00:47.354Z","updated_at":"2025-04-01T18:31:29.536Z","avatar_url":"https://github.com/swisscom.png","language":"PowerShell","readme":"![PowerSponse - PowerShell module for containment and remediation](media/powersponse.png)\n\n# PowerSponse - PowerShell Module for Containment and Remediation\n\nPowerSponse is a PowerShell module for targeted containment and remediation\nduring incident response.\n\nPlease see [Command Documentation](docs/PowerSponse.md),\n[Wiki](https://github.com/swisscom/PowerSponse/wiki) and\n[CHANGELOG](CHANGELOG.md).\n\n***\n\u003c!-- vim-markdown-toc GFM --\u003e\n\n* [What is PowerSponse?](#what-is-powersponse)\n* [Example](#example)\n* [Requirements](#requirements)\n* [Installation](#installation)\n* [Usage](#usage)\n    * [Authentication](#authentication)\n    * [Import](#import)\n    * [Cmdlets](#cmdlets)\n    * [Help](#help)\n* [Contributing](#contributing)\n* [Inspiration](#inspiration)\n* [References](#references)\n\n\u003c!-- vim-markdown-toc --\u003e\n***\n\n## What is PowerSponse?\n\nPowerSponse is a PowerShell module for targeted containment and remediation.\n\nThe following features are implemented in PowerSponse:\n* Commands for containment and 
remediation which can be easily extended through\n  the plugin system.\n* Handling of **literal or regular expressions** for searching or killing processes, \n  files and directories, searching for or deactivating scheduled tasks or services. \n* **Implementation of a rule engine** (**[CoRe\n  rules](https://github.com/swisscom/PowerSponse/wiki/CoRe-rules)** which can be \n  used by `Invoke-PowerSponse` or `New-CleanupPackage` to reuse predefined\n  actions, e.g. a CoRe rule per malware family). This should be the \n  [YARA](https://virustotal.github.io/yara/) or [SIGMA](https://github.com/Neo23x0/sigma) \n  equivalent but for containment.\n* Use a CoRe rule for **specific cleanup against one or more remote** hosts using\n    `Invoke-PowerSponse` or use `New-CleanupPackage` to **build a cleanup\n    package** and deploy it to a remote host which is not reachable via network.\n\nPowerSponse can be used in the **containment and remediation phase (deny, degrade and disrupt)** \nof an incident. Of course, the containment part conflicts with forensic soundness, which\nrequires that the source evidence (infected machine) is not altered in any\nway. The question is always: Would you like to limit the damage during an attack\nand control the communication flow to the attacker's servers, or would you\nlike to collect more information about the attacker by passive monitoring only?\n\nDifferent methods are used to connect and run the commands on remote hosts:\nWMI, WinRM, PsExec, Windows' system tools.\n\nEvery action outputs the same PowerSponse object format for easy post processing: \nwhich command was run, target hostname, timestamp and status of the command.\n\nThe following use cases were kept in mind when implementing PowerSponse:\n* Cleanup ***single artifact*** on ***one specific host***: Run single command\n\tdirectly against that host.\n* Cleanup ***single artifact*** on ***multiple hosts***: Run single command\n    against multiple hosts. 
Provide the list of computers with the \n    `-ComputerName host1,host2,...` or the `-ComputerList host.txt` parameter.\n* Cleanup ***multiple artifacts*** on ***one specific or multiple hosts***: Run multiple commands\n\tagainst one or multiple hosts manually or use a PowerShell script with \n\tall the needed PowerSponse cmdlets and concatenate the output for easy\n\tpost processing. Another way would be to use `Invoke-PowerSponse` or \n\t`New-CleanupPackage` with a \n\t[CoRe rule](https://github.com/swisscom/PowerSponse/wiki/CoRe-rules).\n\n## Example\n\nDridex (yeah, old stuff, the example is from 2016) creates some files, injects itself into\nexplorer and adds a scheduled task. Taken from [Detecting and removing\nDridex](http://lpine.org/2016/06/detecting-removing-dridex/), the manual steps\nfor containment are as follows:\n\n\u003e 1. Kill explorer.exe process using taskkill /f /im explorer.exe\n\u003e 2. Remove all tmp files from C:\\users\\username\\data\\locallow, del\n\u003e \t%userprofile%\\appdata\\locallow\\*.tmp. There could be more than one user on\n\u003e \ta computer and you’d better traverse through all user profile folders to check\n\u003e \tfor Dridex files.\n\u003e 3. Remove Dridex task using schtasks /delete /tn “User_Feed_Synchronization-{Dridex-Random-Hex-GUID}” /f\n\u003e 4. 
Reboot the PC.\n\nWith PowerSponse you could use these cmdlets directly (`@()` is used to\nconcatenate the output of all the commands).\n\n``` powershell\nPS\u003e $ret = @()\nPS\u003e $ret += Stop-Process -ComputerName comp1 -Name \"explorer\"\nPS\u003e $ret += Remove-File -ComputerName comp1 -Path \"C:\\users\\*\\appdata\\locallow\\*.tmp\"\nPS\u003e $ret += Disable-ScheduledTask -ComputerName comp1 -TaskName \"User_F.*_S.*-\\{.{8}-(.{4}-){3}.{12}\\}\"\nPS\u003e $ret += Restart-Computer -ComputerName comp1\nPS\u003e $ret | select time, action, computername, status, reason\n\nTime                Action                  ComputerName  Status Reason\n----                ------                  ------------  ------ ------\n08.01.2017 16:41:36 Stop-Process            comp1         pass   Stopped\n08.01.2017 16:41:47 Remove-File             comp1         pass   Removed\n08.01.2017 16:41:52 Disable-ScheduledTask   comp1         pass   Disabled\n08.01.2017 16:41:54 Restart-Computer        comp1         pass   Rebooted\n```\n\nOr create a corresponding\n[CoRe rule](https://github.com/swisscom/PowerSponse/wiki/CoRe-rules) and use\nthe rule in combination with `Invoke-PowerSponse` or `New-CleanupPackage`.\n\n``` json\n{\n    \"PowerSponse\": [\n        {\n            \"id\" : \"12341234-1234-1234-1234-123412341234\",\n            \"name\" : \"Dridex June 2016\",\n            \"date\" : \"2016-06-01\",\n            \"author\" : \"Mr. 
Evil\",\n            \"description\" : \"Dridex cleanup rule.\",\n            \"action\" : [\n                {\n                    \"type\" : \"ProcessItem\",\n                    \"name\" : \"explorer.exe\"\n                },\n                {\n                    \"type\" : \"FileItem\",\n                    \"Path\" : \"C:\\\\users\\\\*\\\\appdata\\\\locallow\\\\*.tmp\"\n                },\n                {\n                    \"type\" : \"TaskItem\",\n                    \"searchstring\" : \"User_F.*_S.*-\\\\{.{8}-(.{4}-){3}.{12}\\\\}\"\n                },\n                {\n                    \"type\" : \"ComputerItem\",\n                    \"action\" : \"reboot\"\n                }\n            ]\n        }\n    ]\n}\n```\n\n``` powershell\nPS\u003e Invoke-PowerSponse -ComputerName comp1 -Rule dridex-201606.json\n```\n\n``` powershell\nPS\u003e New-CleanupPackage -Rule dridex-201606.json\n```\n\nInstead of running the commands directly against the target computers, you can use\n`New-CleanupPackage` which concatenates all scripts and commands into a new \nPowerShell script and therefore allows an offline deployment to the \ntarget host without having a direct network connection.\n\n## Requirements\n\nTo run PowerSponse commands over the network you need remote administrator rights\nand some ports open on the target machine, depending on which\nmethod (WinRM, WMI, PsExec, ...) is used: the remote management protocols use TCP 135, 139, 445,\n5985 and 5986. Alternatively, run the commands and PowerSponse\nscripts directly on the target (localhost) by importing the module on the\ntarget machine or by using `New-CleanupPackage` in combination with a \nCoRe rule.\n\n## Installation\n\nUpdate March 2022: Installing [PowerSponse from the PowerShell Gallery](https://www.powershellgallery.com/packages/PowerSponse) was only supported until March 2022. Afterwards, only manual installation from GitHub is provided. 
See [CHANGELOG](CHANGELOG.md) for more details about versions.\n\n* **Install PowerSponse from GitHub**\n\n    * Clone or download the repo into your module path folder, usually\n      _~\\Documents\\WindowsPowerShell\\modules_ on Windows (see _$env:PSModulePath_).\n    * Clone or download the files to any other folder (could also be a share).\n    * The location changes how the module is imported. See import below.\n    * **Make sure to unblock the files** - either using the command below or by opening \n      the properties page of all the .psd1 and .psm1 files and checking \n      \"Unblock\" at the bottom.\n\n      ``` powershell\n      gci \u003cmodule path\u003e -Recurse -Include *.ps1,*.psm1,*.psd1 | Unblock-File\n      ```\n\n* **OPTIONALLY** Download the needed binaries (only if you need them for the used commands)\n  or put them manually in the bin folder. See README and binary-urls.txt\n  inside the \\bin folder. By default only some Sysinternals tools are\n  downloaded (e.g. pskill, psexec, ...).\n\n  ``` powershell\n  cd \u003cpath-to-module\u003e\\bin\n  powershell -ep bypass .\\DownloadBinariesToCurrentDir.ps1\n  ```\n\n## Usage\n\nUse `command -\u003ctab\u003e` to tab between the available parameters or use \n`command -\u003cctrl+space\u003e` to display a list of all parameters. \n\n**Disclaimer:** _The command interface is inconsistent: some\ncommands can have a `-Credential` parameter (WMI and WinRM can handle\ncredential objects) and other commands which rely on external tools do not\n(passwords in logs are bad, very bad). Some commands have a WMI\nimplementation, others only have an implementation using an external tool.\nRead through the docs, try the commands out and make a pull request for\nmissing functionality. 
There are a lot of missing commands... That said, enjoy\nmitigating the evil._\n\n\n### Authentication\n\n* Start a shell in elevated mode with your remote admin account\n  (shift-right-click and use \"run as different user\")\n* Start a shell with your user and store your credentials in a credential\n  variable and pass it to the commands with `-Credential`\n\n    ```powershell\n    $creds = Microsoft.PowerShell.Security\\get-credential\n    ```\n\n### Import\n\nIf PowerSponse was saved inside the module path run the following command:\n\n``` powershell\nImport-Module PowerSponse -force\n```\n\nIf PowerSponse was saved outside the module path run the command:\n\n``` powershell\nImport-Module \u003cpath to module\u003e\\PowerSponse.psd1 -force\n```\n\n### Cmdlets\n\nPlease see [docs](docs/PowerSponse.md) and the wiki for the list of all available commands.\n\nUse the common parameters like _-WhatIf_ or _-Verbose_ for troubleshooting and to\nsee what the commands would do. _-WhatIf_ is implemented for every function which\nmakes any changes.\n\nList available PowerSponse commands.\n\n``` powershell\nget-command -Module PowerSponse\n```\n\nList all PowerSponse commands for tasks.\n\n``` powershell\nget-command -Module PowerSponse | sls task\n```\n\n### Help\n\nUse `help \u003ccommand\u003e` to get the help for a command.\n\n```powershell\nPS\u003e help Get-ScheduledTask\n\nNAME\n    Get-ScheduledTask\n\nOVERVIEW\n    Find scheduled tasks based on regex.\n\nSYNTAX\n    Get-ScheduledTask [-BinPath \u003cString\u003e] [-ComputerList \u003cString\u003e] [-ComputerName \u003cString[]\u003e] [-Confirm] [-Credential \u003cPSCredential\u003e] [-PrintXML] [-Session \u003cPSSession\u003e[]\u003e] [-WhatIf] [-NoRemoteRegistry] [-OnlyTaskName] [-SearchString \u003cString\u003e] [-Method \u003cString\u003e] [-OnlineCheck] [\u003cCommonParameters\u003e]\n\nDESCRIPTION\n    Find scheduled tasks based on a literal or regex.\n...\n```\n\nUse `help \u003ccommand\u003e -Examples` to get 
examples for a command.\n\n```powershell\nPS\u003e help Get-ScheduledTask -Examples\n\nNAME\n    Get-ScheduledTask\n\nOVERVIEW\n    Find scheduled tasks based on literal or regex.\n\n    Example 1\n\n    PS\u003e Get-ScheduledTask -SearchString \".*-S-\\d{1}-\\d{1}\" -NoRemoteRegistry -OnlyTaskName\n\n\n    Time         : 06.01.2017 10:31:29\n    Action       : Get-ScheduledTask\n    ComputerName : localhost\n    Arguments    : TaskName: .*-S-\\d{1}-\\d{1}\n    Status       : pass\n    Reason       : \\G2MUpdateTask-S-1-5-21-111111111-2222222222-333333333-444444 ; \\G2MUploadTask-S-1-5-21-111111111-2222222222-333333333-444444\n\n...\n```\nSome commands have the same name as the native cmdlets (e.g. `Stop-Service`). For these cmdlets you\nneed to prefix the cmdlet name with the specific module when using help: `help powersponse\\stop-service`.\n\n## Contributing\n\nSee [CONTRIBUTING](CONTRIBUTING.md) for general guidelines.\n\n## Inspiration\n* [PowerForensics](https://github.com/Invoke-IR/PowerForensics)\n* [Kansa](https://github.com/davehull/Kansa/)\n* [Invoke-LiveResponse](https://github.com/davidhowell-tx/Invoke-LiveResponse)\n* [Empire](https://github.com/adaptivethreat/Empire)\n* [PowerSploit](https://github.com/PowerShellMafia/PowerSploit/)\n* [AutoRuns PowerShell Module](https://github.com/p0w3rsh3ll/AutoRuns)\n\n## References\n* [PowerForensics and Remote Machines ](https://davidhowelltx.blogspot.ch/2016/04/powerforensics-and-remote-machines.html)\n* [Invoke-IR](http://www.invoke-ir.com/)\n* [Invoke-Command / PowerForensics PowerShell Remoting Usage](https://github.com/Invoke-IR/PowerForensics/issues/143)\n* [PowerShell AutoRuns](https://github.com/p0w3rsh3ll/AutoRuns)\n* [CimSweep](https://github.com/PowerShellMafia/CimSweep)\n* [p0wnedShell](https://github.com/Cn33liz/p0wnedShell)\n* [BloodHound](https://github.com/adaptivethreat/BloodHound)\n* [PowerShell Remoting and Incident 
Response](https://www.linkedin.com/pulse/powershell-remoting-incident-response-matthew-green)\n","funding_links":[],"categories":["IR Tools Collection","Persistence Removal"],"sub_categories":["Other Tools","Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2FPowerSponse","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fswisscom%2FPowerSponse","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fswisscom%2FPowerSponse/lists"}