Incident Response and the Power of Reach

By: Absolute Security | 8/21/2017

By now, you’ve likely heard more about Absolute Reach and how you can deploy query and remediation tasks to your endpoint devices unlike anything before it. But did you know the power of Reach is only limited by your imagination? Absolute Reach empowers both PowerShell and Bash scripts and delivers powerful tools for system administrators and a security professionals that allows you to perform amazing feats!

One of the many problems faced by many who work in the Incident Response (IR) field is the ability to push scripts to devices that aren’t easy to reach or find. Oftentimes, in the world of IR, a device gets compromised or breached outside of the confines of your traditional network perimeter, which can severely limit the options available to your IR team. In many cases, an incident cannot be resolved (or fully investigated, for that matter) until the device is returned to your corporate environment… which can lead to a larger negative impact to that endpoint device. We all know that the faster you can respond to an incident, the easier it is to limit the damage to that device and get it back to a known good state.

[caption id="attachment_29552" align="aligncenter" width="693"] Absolute Reach[/caption]


So how can you combine the power of Reach with the effectiveness of PowerShell to better respond to an incident? There are some amazing PowerShell-based Incident Response frameworks out there for IR teams to triage, respond to, and remediate your endpoint devices.

Advanced Hard Drive Forensics with PowerForensics

PowerForensics is a PowerShell-based framework used for hard drive forensic analysis. You can see them on GitHub here. If an endpoint does become compromised by malware, PowerForensics can assist you in post mortem analysis to gather evidence about an attack. PowerForensics was created by Jared Atkinson (@jaredcatkinson).

What can you do with PowerForensics?

You’ll find a comprehensive list of all the available PowerForensics cmdlets available here. But some of my favorite cmdlets available are:

  • Get-ForensicMasterBootRecord - this cmdlet can retrieve the MBR from the hard drive. This can be invaluable to look for changes to the MBR after an attack. Don’t forget to keep a known good copy from your deployed endpoints for comparison.
  • Get-ForensicGuidPartitionTable - this cmdlet fetches a copy of the GUID Partition Table from the target hard drive, which can look for changes to a hard drive’s partitions.
  • Get-ForensicOfficeFileMru - I love this one: it gives IR teams the ability to take a look at the most recently opened MS Office files on the target machine. As we all know, a lot of malware spread today is still sent via malicious MS Office files. Knowing what was opened may help you determine which malware infected the endpoint device.
  • Get-ForensicRegistryKey and Get-ForensicRegistryValue - these commands are essential in doing analysis after an attack, as many malware families will add, delete, or modify the Windows Registry to persist or disable defenses. These cmdlets allow you to retrieve both all the keys in a specific registry hive and the values of registry keys you want to review.
  • Copy-ForensicFile - this cmdlet allows you to create a copy of a file on the target device directly from the raw disk.
  • And for incidents where preserving forensic evidence may be crucial for legal reasons, PowerForensics provides the Invoke-ForensicDD cmdlet: the ability to create a bit for bit copy of a target device. Hope you have lots of storage space.

Live Data Acquisition with PSRecon

Greg Foss and the team at LogRhythm created a live IR data acquisition tool called PSRecon which can help you better retrieve data from a system during an incident. Not only can you better investigate an incident while it’s happening, but you can remotely lockout or lockdown accounts until you’re able to fully clean things up.

PSRecon is great for Incident Response; not only can PSRecon extract forensic data from your remote target, it can send the results back to you via email or to a remote share to dig into later. One of the coolest features of PSRecon is the ability to remotely quarantine a compromised endpoint. It allows you to immediately capture forensic data for analysis later, and can then disable all network traffic, forcing the user to logout, and then locking the desktop.

These are just a handful of the amazingly powerful tools available to you through PowerShell and Absolute Reach. By leveraging Absolute’s unique, privileged position already on your endpoint devices, you can make sure your endpoint devices are always visible and within your reach, no matter where they’re physically located.

Reach provides numerous guardrails and validation steps to ensure scripts execute effectively, however we recommend you test any new script on a subset of your devices. With great power comes great responsibility!

Learn more about Reach by joining our webcast.

Financial Services