Invoke-LiveResponse is a live incident response tool for targeted collection. There are two main modes of use in Invoke-LiveResponse and both are configured by a variety of command line switches.

ForensicCopy
+ Reflectively loads Powerforensics onto target machine to enable raw disk access.
+ Leverages a scriptblock for each configured function of the script.
+ Common forensic artifacts and custom file collections.
+ WinPMem for memory support.
+ Depending on the selected switches, each selected capability is joined at run time to build the scriptblock pushed out to the target machine.

Live Response
+ Inspired by the Kansa Framework, LiveResponse mode will execute any Powershell scripts placed inside a content folder.
+ Results consist of the standard out from the executed content, redirected from the collection machine to a local Results folder as ScriptName.txt.
+ The benefit of this method is the ability to operationalise new capability easily by dropping in new content with desired StdOut.
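As an added illustration (not the project's own code) of the two mechanisms described above, the run-time joining of capability fragments into one scriptblock in ForensicCopy mode and the Content-folder execution with StdOut redirected to Results\ScriptName.txt in Live Response mode, the PowerShell below assumes a reachable WinRM target in `$target`, a local Content folder of .ps1 scripts, and two placeholder capability fragments (Prefetch, EventLogs) that stand in for the real PowerForensics raw-disk collection.

```powershell
# Placeholder capability fragments (assumed for this example); the real ForensicCopy
# mode reflectively loads PowerForensics and reads artifacts from the raw disk instead.
$Capabilities = @{
    Prefetch  = 'Get-ChildItem "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue | Select-Object Name, LastWriteTime'
    EventLogs = 'Get-ChildItem "$env:SystemRoot\System32\winevt\Logs" -Filter *.evtx | Select-Object Name, Length'
}

function New-CollectionScriptBlock {
    param([string[]]$Selected)
    # Only the fragments matching the chosen switches are joined, then compiled once
    # into the single scriptblock that is pushed to the target.
    $body = ($Selected | ForEach-Object { $Capabilities[$_] }) -join "`r`n"
    return [scriptblock]::Create($body)
}

function Invoke-ContentScripts {
    param(
        [System.Management.Automation.Runspaces.PSSession]$Session,
        [string]$ContentPath,
        [string]$ResultsPath
    )
    New-Item -ItemType Directory -Path $ResultsPath -Force | Out-Null
    foreach ($script in Get-ChildItem -Path $ContentPath -Filter *.ps1) {
        # Each content script runs remotely as a scriptblock; its StdOut is redirected
        # locally to Results\<ScriptName>.txt, so new capability is just a new file.
        $sb  = [scriptblock]::Create((Get-Content -Path $script.FullName -Raw))
        $out = Join-Path -Path $ResultsPath -ChildPath ($script.BaseName + '.txt')
        Invoke-Command -Session $Session -ScriptBlock $sb -ErrorAction Continue |
            Out-String -Width 4096 | Set-Content -Path $out
    }
}

# Usage: $target (assumed) holds the hostname of the collection target.
$session = New-PSSession -ComputerName $target
try {
    # The Gotcha below: on Powershell 2.0 targets the WinRM shell quota must be raised first.
    $quota = Invoke-Command -Session $session -ScriptBlock {
        (Get-Item WSMan:\localhost\Shell\MaxMemoryPerShellMB).Value
    }
    if ([int]$quota -ne 0 -and [int]$quota -lt 1024) {
        Write-Warning "MaxMemoryPerShellMB is $quota; LiveResponse content may fail on Powershell 2.0 targets"
    }
    Invoke-ContentScripts -Session $session -ContentPath '.\Content' -ResultsPath '.\Results'
    Invoke-Command -Session $session -ScriptBlock (New-CollectionScriptBlock -Selected 'Prefetch','EventLogs') |
        Out-String -Width 4096 | Set-Content -Path '.\Results\ForensicCopy.txt'
}
finally {
    Remove-PSSession -Session $session
}
```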

Other content
+ Get-Powerforensics.ps1 – Installs Powerforensics to the user profile.
+ Get-Forensicating.ps1 – Installs Invoke-LiveResponse and Powerforensics to the user profile.
+ Invoke-ForensicCopy.ps1 – Powershell function to leverage the Powerforensics API for raw copy with best performance.
+ Content – Contains some nice content from around the place, mainly from Kansa and the SpecterOps ACE project. I'll add more as I remember or find new things.

Gotchas
– The MaxMemoryPerShellMB setting will need to change on Powershell 2.0 targets for LiveResponse content, up from 150MB.
– Please set it to 0 (off) or 1024 on Powershell 2.0; Powershell 3.0 and above should already be appropriately configured for WinRM use.
– Invoke-MaxMemory is a quick and dirty module to set MaxMemoryPerShell to 0; use -Legacy for Windows 7 machines.

Todo:
– Add additional artifacts into ForensicCopy mode.
– Expand scope to enable at-scale, enterprise-wide detection/hunting through Powershell Start-Job capabilities.
– Improve ancillary tools: Invoke-StartWinRM/Invoke-StopWinRM, Invoke-MaxMemory. Improve -Legacy options.

Dependencies:
+ Powershell v3.0 or Higher

Use and Download:

Source: https://github.com/mgreen27