Jym Cheong edited this page Nov 12, 2021 · 33 revisions

Welcome to the OpenEDRclient wiki!

Hey! Where are the Source-Codes?

https://github.com/jymcheong/OpenEDR/wiki/6.-FAQ#where-are-the-host-agents-source-codes

How-to...

All commands below require a PowerShell session with admin rights...

Offline Installation

  • Make sure install.ps1 & installer.zip are in the same folder
  • Use a UAC-elevated PowerShell session
  • Run Get-Content -Raw install.ps1 | iex
  • For additional mode(s), prefix like this: $detectOnly=1; Get-Content -Raw install.ps1 | iex
  • Multiple modes: $detectOnly=1; $capturePEfiles=1; Get-Content -Raw install.ps1 | iex
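The offline steps above, wrapped in one function as an added example (this is not code from the OpenEDRclient project). It checks the two preconditions the list states (elevated session, both files in one folder), maps switches onto the mode variables the page documents, and then runs the same `Get-Content -Raw install.ps1 | iex` invocation. It assumes install.ps1 reads those variables from the session scope, exactly as the `$detectOnly=1;` prefix form relies on; the function name and parameters are my own.

```powershell
# Added example (not part of the OpenEDRclient project): wraps the offline
# installation steps from this page. Assumes install.ps1 reads the mode
# variables ($detectOnly, $capturePEfiles, $standAlone, $allowMacro,
# $allowWordMacro, $allowExcelMacro, $allowPowerPointMacro) from the session
# scope, as the "$detectOnly=1; Get-Content -Raw install.ps1 | iex" form does.
function Invoke-OpenEdrOfflineInstall {
    [CmdletBinding()]
    param(
        # Folder that must contain BOTH install.ps1 and installer.zip
        [string]$InstallerFolder = (Get-Location).Path,
        [switch]$DetectOnly,
        [switch]$CapturePEFiles,
        [switch]$StandAlone,
        [switch]$AllowMacro,
        [switch]$AllowWordMacro,
        [switch]$AllowExcelMacro,
        [switch]$AllowPowerPointMacro
    )

    # Precondition 1: UAC-elevated session (the page requires admin rights).
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from a UAC-elevated PowerShell session.'
    }

    # Precondition 2: install.ps1 and installer.zip in the same folder.
    $script = Join-Path $InstallerFolder 'install.ps1'
    $zip    = Join-Path $InstallerFolder 'installer.zip'
    foreach ($f in @($script, $zip)) {
        if (-not (Test-Path -LiteralPath $f -PathType Leaf)) {
            throw "Missing $f - install.ps1 and installer.zip must be in the same folder."
        }
    }

    # Map switches to the variable names install.ps1 looks for. Setting them
    # in the Global scope mirrors typing "$detectOnly=1;" at the prompt.
    $modes = @{
        detectOnly           = $DetectOnly
        capturePEfiles       = $CapturePEFiles
        standAlone           = $StandAlone
        allowMacro           = $AllowMacro
        allowWordMacro       = $AllowWordMacro
        allowExcelMacro      = $AllowExcelMacro
        allowPowerPointMacro = $AllowPowerPointMacro
    }
    foreach ($name in $modes.Keys) {
        if ($modes[$name]) {
            Set-Variable -Name $name -Value 1 -Scope Global
            Write-Verbose "Mode enabled: `$$name=1"
        } else {
            # Clear leftovers from an earlier run so a stale $detectOnly=1
            # cannot silently downgrade this install to detect-only.
            Remove-Variable -Name $name -Scope Global -ErrorAction SilentlyContinue
        }
    }

    # Same invocation as the page: read the script as one string and evaluate it,
    # with the installer folder as the working directory so installer.zip is found.
    Push-Location $InstallerFolder
    try {
        Get-Content -Raw -LiteralPath $script | Invoke-Expression
    } finally {
        Pop-Location
    }
}

# Usage: detect-only plus PE capture, from the folder holding both files.
# Invoke-OpenEdrOfflineInstall -InstallerFolder 'C:\openedr' -DetectOnly -CapturePEFiles -Verbose
```

The explicit Remove-Variable branch is the part worth keeping even if you trim the rest: because the modes are plain session variables, a `$detectOnly=1` left over from an earlier experiment would otherwise carry into a later install in the same session.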

Capture PE files

PE file-based (aka Type-1) code execution is denied by default unless $detectOnly=1 is used during installation. This mode turns on submission of denied PE files to the backend for further analysis (currently using Intezer, if you have an API key defined).

Stand-Alone Mode

Offers protection without the need to run the backend; consequently there is no centralized event collection, monitoring or response. See https://github.com/jymcheong/OpenEDRclient/issues/12.

For offline installation: $standAlone=1; Get-Content -Raw install.ps1 | iex

Otherwise, from a PowerShell session, run the following:

start-process -verb runas -Filepath powershell -ArgumentList "-ExecutionPolicy Bypass", '-Command "$standAlone=1; $site=''https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'';[scriptblock]::Create((New-Object System.Net.WebClient).DownloadString($site)).Invoke();pause;"'

Detect Only Mode

When enabled, the host agent will skip rogue-process termination.

Prefix the client-side installation PowerShell command with $detectOnly=1:

$detectOnly=1; $SFTPCONFURL='http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'; Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'))

See https://github.com/jymcheong/OpenEDRclient/blob/38f3f464a725ef2326e65b7cdd1a7829bcbb770a/install.ps1#L125

Allow Office-Macro

Prefix the client-side installation PowerShell command with $allowMacro=1 (see the code):

$allowMacro=1; $SFTPCONFURL='http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'; Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'))

Keep Specific Macro Type

The earlier configuration allows ALL macro types; Word ($allowWordMacro), Excel ($allowExcelMacro) & PowerPoint ($allowPowerPointMacro) can each be enabled on their own. Let's say you only need to use Excel macros:

$allowExcelMacro=1; $SFTPCONFURL='http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'; Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'))

See https://github.com/jymcheong/OpenEDRclient/blob/master/install.ps1#L134
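The online one-liners in the Detect Only, Allow Office-Macro and Keep Specific Macro Type sections all pipe DownloadString straight into iex. The function below is an added example (not the project's own code) of the same install with one extra step: it saves install.ps1 to a temporary file, compares its SHA256 against a value you obtained out-of-band, and only evaluates it on a match. It applies the same process-scoped execution policy and TLS 1.2 setting as the page's commands, and sets $SFTPCONFURL plus the chosen mode variables in the session scope. The function name, its parameters and the 'REPLACE_WITH_EXPECTED_SHA256' value are placeholders of mine.

```powershell
# Added example (not part of the OpenEDRclient project). Downloads install.ps1
# to a temporary file first, pins it to a SHA256 obtained out-of-band (the
# 'REPLACE_WITH_EXPECTED_SHA256' value is a placeholder), and only then
# evaluates it, instead of piping DownloadString straight into iex.
function Invoke-OpenEdrOnlineInstall {
    [CmdletBinding()]
    param(
        [string]$ScriptUrl = 'https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1',
        # SHA256 of the install.ps1 revision you reviewed, e.g. 'REPLACE_WITH_EXPECTED_SHA256'
        [Parameter(Mandatory)][string]$ExpectedSha256,
        # Backend SFTP config bundle; the page uses http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip
        [Parameter(Mandatory)][string]$SftpConfUrl,
        # Mode variables install.ps1 reads, e.g. @{ detectOnly = 1 } or @{ allowExcelMacro = 1 }
        [hashtable]$Modes = @{}
    )

    # Same two session settings the page's one-liners apply: process-scoped
    # execution policy and TLS 1.2 (3072 = [Net.SecurityProtocolType]::Tls12).
    Set-ExecutionPolicy Bypass -Scope Process -Force
    [System.Net.ServicePointManager]::SecurityProtocol = `
        [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

    # Fetch to disk so the content can be inspected and hashed before it runs.
    $tmp = Join-Path ([IO.Path]::GetTempPath()) ('openedr-install-{0}.ps1' -f [guid]::NewGuid())
    Invoke-WebRequest -Uri $ScriptUrl -OutFile $tmp -UseBasicParsing

    # Get-FileHash returns upper-case hex; normalise the expected value to match.
    $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath $tmp).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        Remove-Item -LiteralPath $tmp -Force
        throw "install.ps1 hash mismatch: got $actual, expected $ExpectedSha256. Not executing."
    }

    # Expose $SFTPCONFURL and the chosen modes the way the page's prefix does.
    Set-Variable -Name SFTPCONFURL -Value $SftpConfUrl -Scope Global
    foreach ($name in $Modes.Keys) {
        Set-Variable -Name $name -Value $Modes[$name] -Scope Global
    }

    try {
        Get-Content -Raw -LiteralPath $tmp | Invoke-Expression
    } finally {
        Remove-Item -LiteralPath $tmp -Force -ErrorAction SilentlyContinue
    }
}

# Usage: detect-only install against your own backend.
# Invoke-OpenEdrOnlineInstall -SftpConfUrl 'http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip' `
#     -ExpectedSha256 'REPLACE_WITH_EXPECTED_SHA256' -Modes @{ detectOnly = 1 }
```

Because the default $ScriptUrl points at the master branch, the pinned hash goes stale whenever install.ps1 changes; passing a commit-specific raw URL (the same form as the blob links above) keeps the hash stable for as long as you want to deploy that revision.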