[QueryCorner][August2022] Live Response - Five Basics for Windows

Purpose

This post highlights response actions that an operator of the Sophos Central XDR tools may need to run from Live Response. These response actions apply to XDR with the full Intercept X engine and to our upcoming launch of the XDR Sensors.

We will cover five key areas that you may touch daily or during an incident response activity, plus a few bonus commands:

  1. Windows Firewall
  2. Registry Keys
  3. Modify Processes
  4. Programs
  5. Services
  6. Bonus Commands

We are going to focus on working out of PowerShell.

The Live Response session opens in the Windows Command Prompt, so you can also run native commands there; use Microsoft's command reference for the list of available commands.

Prerequisites

You must have XDR enabled in your environment. Everything below is run from a Live Response session.

This is intended for Windows only.

To call PowerShell from the Live Response prompt, run the simple command: "powershell.exe"

Windows Firewall

View the firewall profiles and whether each one is enabled
    Get-NetFirewallProfile | Select-Object Name, Enabled
Enable the Domain, Private, and Public profiles
    Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True
View enabled firewall rules
    Get-NetFirewallRule -Enabled True
Remove a firewall rule by display name
    Remove-NetFirewallRule -DisplayName "Rule Display Name"
Remove every firewall rule that references a program (Remove-NetFirewallRule has no -Program parameter, so match on the application filter and pipe the rules in)
    Get-NetFirewallApplicationFilter -Program "C:\Program Files\Some\App.exe" | Get-NetFirewallRule | Remove-NetFirewallRule
Reset local firewall settings to default (deletes all locally defined rules; rules delivered by Group Policy are unaffected)
    (New-Object -ComObject HNetCfg.FwPolicy2).RestoreLocalFirewallDefaults()
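The commands above list or remove rules one at a time. The following added example (not from the original post, and not Sophos code) pulls the rule fields a responder actually triages into one table: enabled, inbound, Allow rules that were defined locally rather than by Group Policy, with the program, ports, and remote addresses each one opens. It then removes a rule by display name; "Evil Updater" is a hypothetical rule name used only for illustration.

```powershell
# Added example: triage locally defined inbound Allow rules, then remove one by name.
# Run inside powershell.exe from the Live Response prompt.

function Get-LocalInboundAllowRules {
    # PolicyStoreSourceType Local excludes rules pushed by Group Policy, which an
    # attacker on the host cannot normally have created.
    Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -PolicyStoreSourceType Local |
        ForEach-Object {
            $app  = $_ | Get-NetFirewallApplicationFilter
            $port = $_ | Get-NetFirewallPortFilter
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                DisplayName   = $_.DisplayName
                Profile       = $_.Profile
                Program       = $app.Program
                Protocol      = $port.Protocol
                LocalPort     = ($port.LocalPort -join ',')
                RemoteAddress = ($addr.RemoteAddress -join ',')
            }
        }
}

# Review the output for programs outside Program Files / Windows, or rules that
# allow 'Any' remote address on a port the host has no business listening on.
Get-LocalInboundAllowRules | Sort-Object Program | Format-Table -AutoSize -Wrap

# Remove a specific rule once it is confirmed to be unwanted. -WhatIf previews the
# removal; drop it to actually delete. 'Evil Updater' is a hypothetical name.
$suspect = 'Evil Updater'
Get-NetFirewallRule -DisplayName $suspect -ErrorAction SilentlyContinue | Remove-NetFirewallRule -WhatIf

# Confirm nothing with that display name remains.
if (-not (Get-NetFirewallRule -DisplayName $suspect -ErrorAction SilentlyContinue)) {
    Write-Output "No rule named '$suspect' remains."
}
```

Matching on the display name alone can hit more than one rule (the name is not unique), so review what `Get-NetFirewallRule -DisplayName` returns before removing the `-WhatIf`.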

Registry

Create or overwrite a registry value (-PropertyType is one of String, ExpandString, Binary, DWord, MultiString, or QWord)
    New-ItemProperty -Path 'HKLM:\Software\Policies\Some\Path' -Name 'SomeName' -Value "value" -PropertyType String -Force
Remove a registry value
    Remove-ItemProperty -Path 'HKLM:\Software\Policies\Some\Path' -Name 'SomeName'
Remove a registry key and everything under it (Remove-Item has no -Name parameter; the key is the path)
    Remove-Item -Path 'HKLM:\Software\Policies\Some\Path' -Recurse
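In an incident the registry values you most often want to inspect and remove are autostart entries. The following added example (not from the original post, and not Sophos code) lists the values in the common Run/RunOnce keys, exports the key with reg.exe before touching it, and then removes a single value with Remove-ItemProperty so the key and its other values survive. The value name 'SvcHostUpdate' and the backup path are hypothetical.

```powershell
# Added example: enumerate Run/RunOnce autostart values, back up, then remove one value.
# Note: HKCU here is the hive of the account the Live Response session runs as,
# not necessarily the interactive user's hive.

$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # PSPath, PSParentPath, PSChildName, PSDrive and PSProvider are PowerShell
        # metadata added to the object, not registry values; skip them.
        $item.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
            }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize -Wrap

# Back up the key before removal so the entry can be restored or analysed later.
# reg.exe expects HKLM\... rather than the HKLM:\ drive form.
$targetKey  = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$targetName = 'SvcHostUpdate'   # hypothetical value name
$backup     = "C:\Temp\Run-backup-$(Get-Date -Format yyyyMMdd-HHmmss).reg"
New-Item -ItemType Directory -Path (Split-Path -Path $backup) -Force | Out-Null
reg.exe export ($targetKey -replace '^HKLM:\\', 'HKLM\') $backup /y | Out-Null

# Remove only the named value; the key and any other values remain.
$present = (Get-ItemProperty -Path $targetKey).PSObject.Properties.Name -contains $targetName
if ($present) {
    Remove-ItemProperty -Path $targetKey -Name $targetName
    Write-Output "Removed $targetName from $targetKey (backup: $backup)"
} else {
    Write-Output "$targetName not present under $targetKey"
}
```

Keep the exported .reg file with the case notes; it preserves the exact command line the persistence entry ran, which is lost once the value is deleted.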

Processes

Stop a process by name
    Stop-Process -Name Name
Stop processes by wildcard (stops every match, so check Get-Process -Name Name* first)
    Stop-Process -Name Name*
Stop a process by PID
    Stop-Process -Id PID
Add -Force to skip the confirmation prompt that Stop-Process shows for processes not owned by the current user.
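Stop-Process by name or PID kills one process and leaves anything it spawned running. The following added example (not from the original post, and not Sophos code) shows what a responder usually wants instead: record the path, command line and parent of each match, then stop the process and its whole child tree, parent first so it cannot relaunch the children. 'updater' is a hypothetical process name.

```powershell
# Added example: inspect a process, then stop it together with its descendants.

function Get-ProcessTree {
    # Depth-first list of every descendant of the given PID, using Win32_Process
    # ParentProcessId (Get-Process does not expose the parent).
    param([int]$ParentId)
    $children = Get-CimInstance -ClassName Win32_Process -Filter "ParentProcessId = $ParentId"
    foreach ($c in $children) {
        $c
        Get-ProcessTree -ParentId $c.ProcessId
    }
}

function Stop-ProcessTree {
    param([int]$ProcessId)
    # Collect the tree before killing anything; PIDs can be reused once freed.
    $tree = @(Get-ProcessTree -ParentId $ProcessId)
    # Parent first so it cannot respawn its children, then the orphaned children.
    Stop-Process -Id $ProcessId -Force -ErrorAction SilentlyContinue
    foreach ($t in $tree) {
        Stop-Process -Id $t.ProcessId -Force -ErrorAction SilentlyContinue
    }
}

$name  = 'updater'   # hypothetical process name
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = '$name.exe'"
if (-not $procs) {
    Write-Output "No process named $name.exe"
}

foreach ($p in $procs) {
    $parent = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.ParentProcessId)"
    [pscustomobject]@{
        PID         = $p.ProcessId
        Path        = $p.ExecutablePath
        CommandLine = $p.CommandLine
        Parent      = "$($parent.Name) ($($p.ParentProcessId))"
        Children    = (@(Get-ProcessTree -ParentId $p.ProcessId) | ForEach-Object { $_.Name }) -join ', '
    } | Format-List

    Stop-ProcessTree -ProcessId $p.ProcessId
}

# Verify: nothing by that name should remain.
Get-Process -Name $name -ErrorAction SilentlyContinue
```

Capture the output of the Format-List block before the kill; once the process is gone, the command line and parent relationship cannot be recovered from the live system.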

Programs

Get a list of programs (caution: querying Win32_Product makes Windows Installer validate, and possibly repair, every installed MSI package; it is slow and writes Event ID 1035 entries for each product, so prefer Get-Package below for a quick inventory)
    Get-WmiObject -Class Win32_Product | Select-Object -Property Name
Get a program by searching on its name
    $someProgram = Get-WmiObject -Class Win32_Product | Where-Object { $_.Name -eq "someProgram" }
Get a program by its product code
    $someProgram = Get-WmiObject -Class Win32_Product -Filter "IdentifyingNumber = '{XXXXXXXX-XXXX-XXXX-XXX}'"
Uninstall the program found above
    $someProgram.Uninstall()
Get a list of packages (including Windows Installer products)
    Get-Package -ProviderName Programs -IncludeWindowsInstaller
Uninstall a package by name
    Uninstall-Package -Name Name
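Because of the Win32_Product side effect noted above, the following added example (not from the original post, and not Sophos code) inventories installed software from the Uninstall registry keys instead, covering both the 64-bit and 32-bit (WOW6432Node) views, and then uninstalls one match silently: through msiexec when the key name is an MSI product code, or through the QuietUninstallString when the installer provides one. 'Contoso Agent' is a hypothetical product name.

```powershell
# Added example: registry-based software inventory and silent uninstall.

$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # Entries without a DisplayName are patches or hidden components; skip them.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName } |
        Select-Object DisplayName, DisplayVersion, Publisher, InstallDate,
                      @{ n = 'ProductCode'; e = { $_.PSChildName } },
                      UninstallString, QuietUninstallString
}

Get-InstalledProgram | Sort-Object DisplayName |
    Format-Table DisplayName, DisplayVersion, Publisher, InstallDate -AutoSize

$targetName = 'Contoso Agent'   # hypothetical product name
$target = Get-InstalledProgram | Where-Object { $_.DisplayName -eq $targetName }

if (-not $target) {
    Write-Output "$targetName is not installed"
} elseif ($target.ProductCode -match '^\{[0-9A-F-]{36}\}$') {
    # MSI package: the key name is the product code, so msiexec can remove it
    # quietly without touching Win32_Product at all.
    Start-Process -FilePath msiexec.exe -ArgumentList "/x $($target.ProductCode) /qn /norestart" -Wait
} elseif ($target.QuietUninstallString) {
    # Non-MSI installer that advertises a silent uninstall command line.
    cmd.exe /c $target.QuietUninstallString
} else {
    # Interactive uninstallers will hang a Live Response session; report instead.
    Write-Output "No silent uninstall for $targetName; UninstallString is: $($target.UninstallString)"
}

# Confirm it is gone (returns nothing when the uninstall succeeded).
Get-InstalledProgram | Where-Object { $_.DisplayName -eq $targetName }
```

Software installed per-user shows up under HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall of that user's hive, which this inventory does not cover.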

Services

Show services
    Get-Service
Stop a service by name
    Stop-Service -Name Name
Stop services by wildcard
    Stop-Service -Name "Name*"
Stop a service and show the result
    Stop-Service -Name Name -PassThru
Stop a service by display name
    Stop-Service -DisplayName "Display Name"
Stop a service and the services that depend on it
    Stop-Service -DisplayName "Display Name" -Force
Remove a service by name (Remove-Service exists only in PowerShell 6 and later; powershell.exe is Windows PowerShell 5.1, where sc.exe does the job)
    Remove-Service -Name "Name"
    sc.exe delete "Name"
Remove a service by display name (Remove-Service has no -DisplayName parameter; resolve the name first)
    Get-Service -DisplayName "Display Name" | ForEach-Object { sc.exe delete $_.Name }
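Stopping and deleting a service blindly loses the details you need for the report, and a service set to Automatic can be restarted between the stop and the delete. The following added example (not from the original post, and not Sophos code) records the service's binary path, account and start mode, disables it, stops it with its dependents, and then deletes it in a way that works in Windows PowerShell 5.1. 'ContosoSvc' is a hypothetical service name.

```powershell
# Added example: inspect, disable, stop and delete a service.

$svcName = 'ContosoSvc'   # hypothetical service name

$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name = '$svcName'"
if (-not $svc) {
    Write-Output "Service $svcName not found"
} else {
    # Record what the service is before changing anything. An unquoted PathName
    # containing spaces, or a path under a user-writable directory, is a finding.
    [pscustomobject]@{
        Name        = $svc.Name
        DisplayName = $svc.DisplayName
        State       = $svc.State
        StartMode   = $svc.StartMode
        Account     = $svc.StartName
        PathName    = $svc.PathName
        ProcessId   = $svc.ProcessId
    } | Format-List

    # Disable first so nothing restarts it between the stop and the delete.
    Set-Service -Name $svcName -StartupType Disabled

    # -Force also stops services that depend on this one; wait up to 30 s for the
    # SCM to report Stopped before deleting.
    Stop-Service -Name $svcName -Force
    (Get-Service -Name $svcName).WaitForStatus('Stopped', (New-TimeSpan -Seconds 30))

    # Remove-Service is PowerShell 6+ only; fall back to sc.exe in 5.1. sc.exe marks
    # the service for deletion and it disappears once no open handles remain.
    if (Get-Command -Name Remove-Service -ErrorAction SilentlyContinue) {
        Remove-Service -Name $svcName
    } else {
        sc.exe delete $svcName
    }

    # Verify.
    if (Get-Service -Name $svcName -ErrorAction SilentlyContinue) {
        Write-Output "$svcName still present (marked for deletion; a handle may still be open)"
    } else {
        Write-Output "$svcName removed"
    }
}
```

Deleting the service does not delete the binary in PathName; handle that with the file commands in the Bonus section after the service process has exited.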

Bonus

Restart the machine
    Restart-Computer
Delete a file
    Remove-Item C:\Some\Path\to\name.file
Delete every .doc file in the current folder whose name does not contain a 1
    Remove-Item * -Include *.doc -Exclude *1*
Delete CSV files from the current path and its subfolders
    Get-ChildItem * -Include *.csv -Recurse | Remove-Item
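Remove-Item on a suspect file destroys the only copy of the evidence. The following added example (not from the original post, and not Sophos code) records the file's SHA256 hash, size and timestamps, copies it into a quarantine folder under a non-executable name, verifies the copy, and only then deletes the original. The paths are hypothetical.

```powershell
# Added example: preserve evidence (hash, timestamps, copy) before deleting a file.

function Invoke-QuarantineAndRemove {
    param(
        [string]$Path,          # file to remove
        [string]$QuarantineDir  # where the copy and log go
    )

    if (-not (Test-Path -LiteralPath $Path)) { return "Not found: $Path" }
    New-Item -ItemType Directory -Path $QuarantineDir -Force | Out-Null

    # -Force so hidden/system files are returned too.
    $file = Get-Item -LiteralPath $Path -Force
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    # The original's timestamps are gone once it is deleted; capture them now.
    $record = [pscustomobject]@{
        OriginalPath = $file.FullName
        SizeBytes    = $file.Length
        SHA256       = $hash
        CreatedUtc   = $file.CreationTimeUtc
        ModifiedUtc  = $file.LastWriteTimeUtc
        AccessedUtc  = $file.LastAccessTimeUtc
        CollectedUtc = (Get-Date).ToUniversalTime()
    }
    $log = Join-Path -Path $QuarantineDir -ChildPath 'quarantine-log.csv'
    $record | Export-Csv -LiteralPath $log -Append -NoTypeInformation

    # Store the copy under its hash with a .bin extension so it is not run by
    # accident; the log maps it back to the original path.
    $dest = Join-Path -Path $QuarantineDir -ChildPath "$hash.bin"
    Copy-Item -LiteralPath $Path -Destination $dest -Force

    # Delete only once the copy exists and hashes identically.
    if ((Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash -eq $hash) {
        Remove-Item -LiteralPath $Path -Force
        return "Quarantined to $dest and removed original"
    }
    return "Copy verification failed; original left in place"
}

# Hypothetical suspect file and quarantine location.
Invoke-QuarantineAndRemove -Path 'C:\Users\Public\Libraries\dropper.exe' -QuarantineDir 'C:\Quarantine'
```

If the file is still mapped by a running process, Copy-Item works but Remove-Item fails with an access-denied error; stop the process first using the commands in the Processes section, then rerun.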

Happy querying!

-jk