Initial release

Author: Karneades

.gitattributes

@@ -0,0 +1,3 @@
+*.ps1	-text diff merge
+*.psm1	-text diff merge
+*.psd1 -text diff merge

.gitignore

@@ -0,0 +1,4 @@
+# Add any directories, files, or patterns you don't want to be tracked by version control
+*.swp
+!.gitignore
+/bin/*.exe

BUILD.md

@@ -0,0 +1,98 @@
+# BUILD
+
+## Testing
+
+Run all the tests:
+
+`Invoke-Pester .\test\`
+
+To use the code coverage assessment use `-CodeCoverage`:
+
+`$res = Invoke-Pester .\Pester\ -CodeCoverage ..\PowerSponse.psm1 -PassThru`
+
+The result can be read in the following manner:
+
+``` powershell
+PS> $res.TotalCount
+11
+PS> $res.FailedCount
+0
+PS> $res.PassedCount
+11
+```
+
+# Source Code Analyzer
+
+`Invoke-ScriptAnalyzer -Path .\PowerSponse\`
+
+## Generating Help
+
+### Markdown Help
+First time create markdown help with the following commands
+
+``` powershell
+# 1. Import module
+Import-Module .\PowerSponse.psd1 -Force
+
+# 2. Create new markdown help for module, otherwise use 3.
+New-MarkdownHelp -Module PowerSponse -OutputFolder .\docs\ -WithModulePage -Force -HelpVersion "1.0.0.0"
+
+# 3. Create new markdown help file for specific command
+New-MarkdownHelp -Command Restart-Computer -OutputFolder .\docs\ -OnlineVersionUrl "https://github.com/swisscom/PowerSponse/master/docs/Restart-Computer.md" 
+```
+
+For updating the markdown help use instead the following commands
+
+``` powershell
+Import-Module .\PowerSponse.psd1 -Force
+Remove-Module microsoft.powershell.management
+ipmo microsoft.powershell.management -NoClobber
+Update-MarkdownHelp .\docs\
+```
+
+### PowerShell Help
+Use the following command for creating a PowerShell help file (use `-force` to
+update an existing external help file).
+
+``` powershell
+New-ExternalHelp -Path .\docs\ -OutputPath en-us\ -Force
+```
+
+## Tags file for PowerShell
+
+### PowerShell
+The following [ctags](http://ctags.sourceforge.net/ctags.html) command uses
+only variables which come directly after a type declaration, e.g. \[string\]
+var.
+
+ctags.cnf (variables disabled through the regex)
+
+```
+--langdef=powershell
+--langmap=powershell:.psm1.ps1
+--regex-powershell=/function\s+(script:)?([a-zA-Z\-]+)/\2/m, method/i
+--regex-powershell=/xxxxCommentxxxxx\s*\[.*\]\s*\$([a-zA-Z\-]+)/\1/v, variable/i
+--regex-powershell=/xxxxCommentxxxxx\$global:([a-zA-Z\-]+)/\1/v, globalvariable/i
+--exclude=test
+--exclude=bin
+```
+
+ctags command
+
+```
+ctags -R --languages=powershell
+```
+
+### Pester
+
+```
+ctags -R --langdef=pester --langmap=pester:.ps1 --regex-pester="/describe\s+'(.*)'/\1/m, method/i"
+```
+
+Use `--excmd=number` for line numbers instead of the tag text.
+
+## References
+* [Pester](https://github.com/pester/Pester)
+* [platyPS](https://github.com/PowerShell/platyPS)
+* [New-ModuleManifest](https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.core/new-modulemanifest)
+* [Update-ModuleManifest](https://msdn.microsoft.com/powershell/reference/5.1/PowerShellGet/Update-ModuleManifest)

CHANGELOG.md

@@ -0,0 +1,85 @@
+# CHANGELOG
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](http://keepachangelog.com/) 
+and this project adheres to [Semantic Versioning](http://semver.org/).
+
+## [Unreleased](https://github.com/swisscom/PowerSponse/compare/v0.1.0...master)
+<!--
+### Added
+### Changed
+### Fixed
+### Security
+### Deprecated
+### Removed
+-->
+
+## [v0.1.0](https://github.com/swisscom/PowerSponse/tree/v0.1.0) - 2018-08-02
+
+:tada: Initial public release. :tada:
+
+This release includes basic **commands for contain malicious scheduled tasks,
+services, processes and some other host commands (e.g. disable network
+interface)**. Allow using the commands against remote host or without a given
+hostname run the command against localhost. Furthermore, a **rule engine was
+implemented to allow using CoRe (COntainment and REmediation) rules** and use
+them for containment. A **plugin architecture** was used to allow an easy way
+to add new functions.
+	
+### Added
+* Setup for building markdown and external help with **platyPS**.
+* Add plugin functionality for functions. All functions are in the subfolder functions/*.
+* Introduce **plugin architecture** to `Invoke-PowerSponse`. Add
+		the available functions for Invoke-PowerSponse to the repository which is
+		then used when processing CORE rules.
+* Initial version of **CoRe rule** engine and syntax [CORE](CORE-RULES.md). **XML or JSON
+    can be used for defining a CoRe rule**. By default XML is used to parse a
+    rule, when using JSON change the method using `-Method json`.
+    If no method is given when calling the `Invoke-PowerSponse` the file
+    extension is used to decide whether to use the XML or JSON parser. Use
+    OpenIOC terms for CoRe rule actions.
+* Add functionality to create a **cleanup package for offline deployment**
+  for deployment without direct network connection (`New-CleanupPackage`). The
+  function packs all available functions into one file and adds the cleanup
+  commands at the end of the script. This script can be executed locally on
+  the target without a remote connection.
+* Add following functions
+    * Add `Invoke-PowerSponse` as the main function for using CoRe rules
+      and to build offline cleanup packages.
+    * Add function to parse CoRe rules (`Get-PowerSponseRule`) and display the
+      rule.
+    * Service functions (`Edit-Service`, `Start-Service`, `Stop-Service`,
+	  `Disable-Service`, `Enable-Service`, `Get-Service`)
+    * Enable and disable RemoteRegistry (`Enable-RemoteRegistry`, `Disable-RemoteRegistry`)
+    * Get, start and kill processes (`Get-Process`, `Start-process`, `Stop-Process`)
+    * Get ,enable and disable scheduled tasks (`Get-ScheduledTask`, `Enable-ScheduledTask`,
+	  `Disable-ScheduledTask`)
+    * Get, enable and disable network adpaters (`Get-NetworkInterface`, `Edit-NetworkInterface`, 
+    `Enable-NetworkInterface`, `Disable-NetworkInterface`)
+    * Find files based on regex (`Find-File`)
+    * Get PowerSponse repository (see [Repository Configuration](Repository.ps1)
+	  for functions which are supported by `Invoke-PowerSponse`). Use 
+      `Get-PowerSponseRepository` and to change the current repository use
+      `Set-PowerSponseRepository`.
+	* Reading certificates using WinRM based on regex (`Get-Certificate`)
+	* Reading the open file handles by process name or pid (`Get-FileHandle`)
+    * Restart and shutdown hosts (`Restart-Computer`,
+      `Stop-Computer`) using WMI.
+    * Add `Get-Autoruns` for collecting autorunsc output into a csv file. The
+		command can be used with a target list or with multiple computer names.
+* Add regex functionality to different functions, e.g. to search scheduled
+  tasks or services based on a regex expressions.
+* Internal support Function
+    * Function for handling target lists (`Get-Target`). `Get-Target` can
+      handle `-ComputerName` and/or `-ComputerList` for the definition of
+      target hosts.
+    * Function for creating standard PowerSponse response objects
+      (`New-PowerSponseObject`).
+* Use method **WMI by default** (use "-method" to change that if function allows).
+* Check for missing action types to `Invoke-PowerSponse` and to
+  `New-CleanupPackage`. If an action type is used within a CoRe rule which
+  is not available in the repository then stop execution.
+* Add markdown help files and PowerShell help
+* Add download script for required binaries when using PsExec etc. See README
+  and PowerShell script in the \bin folder.
+* Initial **Pester** tests.

CONTRIBUTING.md

@@ -0,0 +1,34 @@
+# Contributing to PowerSponse
+
+Great, you decided to contribute! That's awesome!
+
+Please file an [issue](https://github.com/swisscom/PowerSponse/issues) if you
+need a new feature or found an inconvenient "situation" (bug) or get the code
+form Github, make a new branch, extend the functionality as its needed and
+make a [pull request](https://github.com/swisscom/PowerSponse/pulls) if you
+need a new feature or found an inconvenient "situation". See section
+[What is PowerSponse?](README.md#what-is-powersponse) for an overview about
+the repo structure.
+
+Please use the guidelines as references when implementing new functions and
+check current cmdlets how to use supporting functions.
+
+* [PowerShell scripting best practices](https://blogs.technet.microsoft.com/pstips/2014/06/17/powershell-scripting-best-practices/)
+* [Building-PowerShell-Functions-Best-Practices](http://ramblingcookiemonster.github.io/Building-PowerShell-Functions-Best-Practices/)
+* [Strongly Encouraged Development Guidelines](https://msdn.microsoft.com/en-us/library/dd878270(v=vs.85).aspx)
+* [Approved Verbs for Windows PowerShell Commands](https://msdn.microsoft.com/en-us/library/ms714428(v=vs.85).aspx)
+* [How to Write a PowerShell Module Manifest](https://msdn.microsoft.com/en-us/library/dd878337(v=vs.85).aspx)
+* [Windows PowerShell: Writing Cmdlets in Script](https://technet.microsoft.com/en-us/library/ff677563.aspx)
+
+Some general guidelines:
+
+* Functions must support the common parameters (e.g. -WhatIf)
+* Functions should support all methods: WMI, WinRM, External
+* Functions must return PowerSponse objects to be able to concatenate the
+  output of different commands
+* Functions names must comply with the PowerShell approved verbs (see
+  references below)
+* Functions should not throw an exception instead the field "reason" should
+  contain the error message
+* Add Pester tests for new functionality in .\tests\Pester\
+* Register the feature to the `$Repository` variable (see PowerSponse.psm1)

LICENSE.md

@@ -0,0 +1,9 @@
+The MIT License (MIT)
+
+Copyright © 2018 Swisscom (Schweiz) AG
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

PowerSponse.psd1

@@ -0,0 +1,152 @@
+#
+# Module manifest for module 'PowerSponse'
+#
+# Generated by: Swisscom (Schweiz) AG
+#
+# Generated on: 04.12.2016
+#
+
+@{
+
+# Script module or binary module file associated with this manifest.
+RootModule = 'PowerSponse.psm1'
+
+# Version number of this module.
+ModuleVersion = '0.1.0'
+
+# ID used to uniquely identify this module
+GUID = 'ca85e27c-3d41-49a1-9315-fb44966836b7'
+
+# Author of this module
+Author = 'Swisscom (Schweiz) AG'
+
+# Company or vendor of this module
+CompanyName = 'Swisscom (Schweiz) AG'
+
+# Copyright statement for this module
+Copyright = '(c) 2018 Swisscom (Schweiz) AG'
+
+# Description of the functionality provided by this module
+Description = 'The module allows a fast and easy way to contain and remediate a threat on a remote host.'
+
+# Minimum version of the Windows PowerShell engine required by this module
+PowerShellVersion = '3.0'
+
+# Name of the Windows PowerShell host required by this module
+# PowerShellHostName = ''
+
+# Minimum version of the Windows PowerShell host required by this module
+# PowerShellHostVersion = ''
+
+# Minimum version of Microsoft .NET Framework required by this module
+# DotNetFrameworkVersion = ''
+
+# Minimum version of the common language runtime (CLR) required by this module
+# CLRVersion = ''
+
+# Processor architecture (None, X86, Amd64) required by this module
+ProcessorArchitecture = 'None'
+
+# Modules that must be imported into the global environment prior to importing this module
+# RequiredModules = @()
+
+# Assemblies that must be loaded prior to importing this module
+RequiredAssemblies = @()
+
+# Script files (.ps1) that are run in the caller's environment prior to importing this module.
+ScriptsToProcess = @()
+
+# Type files (.ps1xml) to be loaded when importing this module
+TypesToProcess = @()
+
+# Format files (.ps1xml) to be loaded when importing this module
+FormatsToProcess = @()
+
+# Modules to import as nested modules of the module specified in RootModule/ModuleToProcess
+# NestedModules = @()
+
+# Functions to export from this module
+FunctionsToExport = @(
+	'Invoke-PowerSponse',
+	'New-CleanupPackage',
+	'Get-PowerSponseRule',
+	'Get-Process',
+	'Start-Process',
+	'Stop-Process',
+	'Start-Service',
+	'Stop-Service',
+	'Enable-Service',
+	'Disable-Service',
+	'Get-ScheduledTask',
+	'Enable-ScheduledTask',
+	'Disable-ScheduledTask',
+	'Stop-Computer',
+	'Restart-Computer',
+	'Get-NetworkInterface',
+	'Enable-NetworkInterface',
+	'Disable-NetworkInterface',
+	'Get-Autoruns',
+	'Enable-RemoteRegistry',
+	'Disable-RemoteRegistry',
+	'Get-PowerSponseRepository',
+	'Set-PowerSponseRepository',
+	'Import-PowerSponseRepository',
+	'Get-FileHandle'
+	)
+
+# Cmdlets to export from this module
+CmdletsToExport = @()
+
+# Variables to export from this module
+VariablesToExport = @()
+
+# Aliases to export from this module
+AliasesToExport = @()
+
+# DSC resources to export from this module
+# DscResourcesToExport = @()
+
+# List of all modules packaged with this module
+# ModuleList = @()
+
+# List of all files packaged with this module
+FileList = @(
+	'PowerSponse.psd1',
+	'PowerSponse.psm1',
+	'en-us\PowerSponse-help.xml'
+)
+
+# Private data to pass to the module specified in RootModule/ModuleToProcess. This may also contain a PSData hashtable with additional module metadata used by PowerShell.
+PrivateData = @{
+
+    PSData = @{
+
+        # Tags applied to this module. These help with module discovery in online galleries.
+        Tags = @('IncidentResponse','Containment','Remediation','ActiveResponse')
+
+        # A URL to the license for this module.
+        LicenseUri = 'https://github.com/swisscom/PowerSponse/LICENSE.md'
+
+        # A URL to the main website for this project.
+        ProjectUri = 'https://github.com/swisscom/PowerSponse'
+
+        # A URL to an icon representing this module.
+        # IconUri = ''
+
+        # ReleaseNotes of this module
+        # ReleaseNotes = ''
+
+        # External dependent modules of this module
+        # ExternalModuleDependencies = ''
+
+    } # End of PSData hashtable
+    
+ } # End of PrivateData hashtable
+
+# HelpInfo URI of this module
+# HelpInfoURI = ''
+
+# Default prefix for commands exported from this module. Override the default prefix using Import-Module -Prefix.
+# DefaultCommandPrefix = ''
+
+}