Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Purpose
This post is to highlight response actions that an operator of the Sophos Central XDR tools may encounter. These response actions will be used on XDR with the full Intercept X engine or in our future launch of the XDR Sensors.
We will cover (5) key areas you may work in daily or during an incident response activity, plus a few bonus commands:
- Windows Firewall
- Registry Keys
- Modify Processes
- Programs
- Services
- Bonus Commands
We are going to focus on working out of PowerShell.
You can also run native commands from Live Response in the Windows Command Prompt; Microsoft's command-line reference lists the commands available there.
Prerequisites
You must have XDR enabled in your environment. This is entirely a Live Discover query.
This is intended for Windows only.
To call PowerShell from the Live Response shell, run the simple command: "powershell.exe"
Windows Firewall

| Action | Command |
|---|---|
| View Firewall Enabled Profiles | Get-NetFirewallProfile \| Where-Object { $_.Enabled -eq 'True' } |
| Enable Domain, Private, & Public Profiles | Set-NetFirewallProfile -Enabled True |
| View Firewall Enabled Rules | Get-NetFirewallRule -Enabled True |
| Remove Firewall Rule by Name | Remove-NetFirewallRule -DisplayName "Name" |
| Remove Firewall Rule by Program | Remove-NetFirewallRule -Program "C:\Program Files\Some\App.exe" |
| Reset Firewall Settings to Default | (New-Object -ComObject HNetCfg.FwPolicy2).RestoreLocalFirewallDefaults() |

Note that Get-NetFirewallProfile has no -Enabled parameter, so the enabled profiles are filtered with Where-Object; Get-NetFirewallRule does accept -Enabled directly.
Registry

| Action | Command |
|---|---|
| Create Registry Property | New-ItemProperty -Path 'HKLM:\Software\Policies\Some\Path' -Name 'SomeName' -Value "value" -PropertyType propertyType -Force |
| Remove Registry Property | Remove-ItemProperty -Path 'HKLM:\Software\Policies\Some\Path' -Name 'SomeName' |
| Remove Registry Key | Remove-Item -Path 'HKLM:\Software\Policies\Some\Path\SomeName' -Recurse |

Remove-Item has no -Name parameter: the key to delete is the last element of -Path, and -Recurse is required when the key has subkeys.
Processes

| Action | Command |
|---|---|
| Stop Process by Name | Stop-Process -Name Name |
| Stop Process by Wildcard | Stop-Process -Name Name* |
| Stop Process by PID | Stop-Process -Id PID |
Programs

| Action | Command |
|---|---|
| Get List of Programs | Get-WmiObject -Class Win32_Product \| Select-Object -Property Name |
| Get Program via Name Search | $someProgram = Get-WmiObject -Class Win32_Product \| Where-Object { $_.Name -eq "someProgram" } |
| Get Program via ID | $someProgram = Get-WmiObject -Class Win32_Product -Filter "IdentifyingNumber = '{XXXXXXXX-XXXX-XXXX-XXX}'" |
| Uninstall the Program Selected Above | $someProgram.Uninstall() |
| Get List of Packages | Get-Package -Provider Programs -IncludeWindowsInstaller |
| Uninstall Package | Uninstall-Package -Name Name |

Be aware that enumerating Win32_Product makes Windows Installer run a consistency check of every installed MSI package and can trigger repairs, so it is slow and noisy on a busy host; Get-Package is the lighter option when you only need a list.
Services

| Action | Command |
|---|---|
| Show Services | Get-Service |
| Stop Service by Name | Stop-Service -Name Name |
| Stop Services by Wildcard | Stop-Service -Name Name, "Name*" |
| Stop Service with Console Output | Stop-Service -Name Name -PassThru |
| Stop Service by Display Name | Stop-Service -DisplayName "Display Name" |
| Stop Service (Force) | Stop-Service -DisplayName "Display Name" -Force |
| Remove Service Using Name | Remove-Service -Name "Name" |
| Remove Service Using Display Name | Remove-Service -DisplayName "Display Name" |

Remove-Service is only available in PowerShell 6 and later; on Windows PowerShell 5.1 (the default powershell.exe) use sc.exe delete "Name" instead.
Bonus

| Action | Command |
|---|---|
| Restart Machine | Restart-Computer |
| Delete File | Remove-Item C:\Some\Path\to\name.file |
| Delete Any Document that does not have a 1 in its Name | Remove-Item * -Include *.docx -Exclude *1* |
| Delete CSV Files From Subfolders in Current Path | Get-ChildItem * -Include *.csv -Recurse \| Remove-Item |
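As an added example that is not part of the original post, the helper below chains the service, process, registry, firewall and file actions above into one containment step that records the binary path and hash before changing anything and honours -WhatIf so you can dry-run it from Live Response first. The service name, Run value name and key path are hypothetical placeholders; it assumes an elevated PowerShell on the affected host.

```powershell
function Invoke-ContainmentCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # placeholder, e.g. 'SuspectSvc'
        [string] $RunValueName,                          # placeholder, e.g. 'SuspectUpdater'
        [string] $RunKeyPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    # Win32_Service exposes the binary path and PID that Get-Service does not.
    $safeName = $ServiceName -replace "'", "''"
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$safeName'"
    if (-not $svc) { Write-Warning "Service '$ServiceName' not found"; return }

    # Capture evidence first: executable path (quoted or not) and its SHA-256.
    $exe  = if ($svc.PathName -match '^"?([^"]+?\.exe)') { $Matches[1] } else { $null }
    $hash = if ($exe -and (Test-Path -LiteralPath $exe)) {
        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
    } else { $null }

    if ($PSCmdlet.ShouldProcess($ServiceName, 'Stop and remove service')) {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
        if ($svc.ProcessId -gt 0) { Stop-Process -Id $svc.ProcessId -Force -ErrorAction SilentlyContinue }
        # Remove-Service exists only in PowerShell 6+; fall back to sc.exe on 5.1.
        if (Get-Command Remove-Service -ErrorAction SilentlyContinue) { Remove-Service -Name $ServiceName }
        else { sc.exe delete $ServiceName | Out-Null }
    }
    # Persistence: a Run value pointing at the same binary, if the caller named one.
    if ($RunValueName -and (Get-ItemProperty -Path $RunKeyPath -Name $RunValueName -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("$RunKeyPath\$RunValueName", 'Remove Run value')) {
            Remove-ItemProperty -Path $RunKeyPath -Name $RunValueName
        }
    }
    if ($exe) {
        # Firewall rules scoped to the binary, then the binary itself.
        if ($PSCmdlet.ShouldProcess($exe, 'Remove firewall rules for program')) {
            Remove-NetFirewallRule -Program $exe -ErrorAction SilentlyContinue
        }
        if ((Test-Path -LiteralPath $exe) -and $PSCmdlet.ShouldProcess($exe, 'Delete file')) {
            Remove-Item -LiteralPath $exe -Force
        }
    }
    # Re-enable every host firewall profile in case it was switched off.
    if ($PSCmdlet.ShouldProcess('Domain/Private/Public', 'Enable firewall profiles')) {
        Set-NetFirewallProfile -Enabled True
    }
    # Return the evidence so it can be pasted into the case notes.
    [pscustomobject]@{ Service = $ServiceName; Binary = $exe; Sha256 = $hash; ProcessId = $svc.ProcessId }
}
# Dry run first, then re-run without -WhatIf:
# Invoke-ContainmentCleanup -ServiceName 'SuspectSvc' -RunValueName 'SuspectUpdater' -WhatIf
```

Because the function declares SupportsShouldProcess, passing -WhatIf also propagates to the Stop-, Remove- and Set- cmdlets it calls, so the dry run prints every change without making it.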
Happy querying!
-jk
Added Disclaimer
[edited by: GlennSen at 3:49 PM (GMT -7) on 5 Apr 2023]