By now, you’ve likely heard more about Absolute Reach and how you can deploy query and remediation tasks to your endpoint devices unlike anything before it. But did you know the power of Reach is limited only by your imagination? Absolute Reach supports both PowerShell and Bash scripts and delivers powerful tools to system administrators and security professionals that allow you to perform amazing feats!
One of the many problems faced by many who work in the Incident Response (IR) field is the ability to push scripts to devices that aren’t easy to reach or find. Oftentimes, in the world of IR, a device gets compromised or breached outside of the confines of your traditional network perimeter, which can severely limit the options available to your IR team. In many cases, an incident cannot be resolved (or fully investigated, for that matter) until the device is returned to your corporate environment… which can lead to a larger negative impact to that endpoint device. We all know that the faster you can respond to an incident, the easier it is to limit the damage to that device and get it back to a known good state.
[Image: Absolute Reach]
So how can you combine the power of Reach with the effectiveness of PowerShell to better respond to an incident? There are some amazing PowerShell-based Incident Response frameworks out there for IR teams to triage, respond to, and remediate your endpoint devices.
Advanced Hard Drive Forensics with PowerForensics
PowerForensics is a PowerShell-based framework for hard drive forensic analysis. You can find it on GitHub here. If an endpoint does become compromised by malware, PowerForensics can assist you in post-mortem analysis to gather evidence about an attack. PowerForensics was created by Jared Atkinson (@jaredcatkinson).
What can you do with PowerForensics?
You’ll find a comprehensive list of all the available PowerForensics cmdlets here. But some of my favorite cmdlets are:
Live Data Acquisition with PSRecon
Greg Foss and the team at LogRhythm created a live IR data acquisition tool called PSRecon, which can help you retrieve data from a system during an incident. Not only can you better investigate an incident while it’s happening, but you can remotely lock out or lock down accounts until you’re able to fully clean things up.
PSRecon is great for Incident Response; not only can PSRecon extract forensic data from your remote target, it can send the results back to you via email or to a remote share to dig into later. One of the coolest features of PSRecon is the ability to remotely quarantine a compromised endpoint. It immediately captures forensic data for later analysis, then disables all network traffic, forces the user to log out, and locks the desktop.
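As an added illustration (not PSRecon’s or Absolute’s own code), here is a minimal PowerShell task of the kind Reach could push to an endpoint, following the same order PSRecon uses: collect volatile evidence first, hash it, and only then isolate the device and log users off. It assumes it runs elevated on Windows 8 / Server 2012 or later (where the NetTCPIP and NetAdapter modules exist); the `$OutDir` path and the `-Quarantine` switch are hypothetical names chosen for this example.

```powershell
# Added example, not PSRecon or Absolute code. Assumes an elevated session on
# Windows 8 / Server 2012+; $OutDir and -Quarantine are names chosen here.
param(
    [string]$OutDir = "$env:ProgramData\IRTriage",
    [switch]$Quarantine   # collect only unless isolation is explicitly requested
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Capture volatile evidence BEFORE touching the network: processes with
#    owners and binary paths, live TCP connections, autoruns, recent logons.
Get-Process -IncludeUserName |
    Select-Object Id, ProcessName, Path, UserName, StartTime |
    Export-Csv -NoTypeInformation -Path "$OutDir\processes-$stamp.csv"

Get-NetTCPConnection |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess |
    Export-Csv -NoTypeInformation -Path "$OutDir\netconns-$stamp.csv"

Get-CimInstance Win32_StartupCommand |
    Select-Object Name, Command, Location, User |
    Export-Csv -NoTypeInformation -Path "$OutDir\autoruns-$stamp.csv"

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4625
                                 StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Export-Csv -NoTypeInformation -Path "$OutDir\logons-$stamp.csv"

# 2. Hash the evidence files so their integrity can be verified after transfer.
Get-ChildItem "$OutDir\*-$stamp.csv" |
    Get-FileHash -Algorithm SHA256 |
    Export-Csv -NoTypeInformation -Path "$OutDir\hashes-$stamp.csv"

if ($Quarantine) {
    # 3. Isolate: bring down every adapter that is currently up. Evidence is
    #    already on local disk, so losing connectivity here loses nothing.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false

    # 4. Force interactive users off. quser lists one session per line; the
    #    numeric ID precedes the Active/Disc state, so match on that rather
    #    than on column position (the SESSIONNAME column is blank when disconnected).
    (quser 2>$null) | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match '\s(\d+)\s+(Active|Disc)') { logoff $Matches[1] }
    }
}
```

Run it first without `-Quarantine` on a test device to confirm the CSVs land where you expect; once the adapters are disabled the task output can no longer be returned over the network, so the evidence stays local until the device is reconnected.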
These are just a handful of the amazingly powerful tools available to you through PowerShell and Absolute Reach. By leveraging Absolute’s unique, privileged position already on your endpoint devices, you can make sure your endpoint devices are always visible and within your reach, no matter where they’re physically located.
Reach provides numerous guardrails and validation steps to ensure scripts execute effectively; however, we recommend you test any new script on a subset of your devices. With great power comes great responsibility!
Learn more about Reach by joining our webcast.