Home
Welcome to the OpenEDRclient wiki!
https://github.com/jymcheong/OpenEDR/wiki/6.-FAQ#where-are-the-host-agents-source-codes
All commands below require a PowerShell session with admin rights.
- Make sure install.ps1 & installer.zip are in the same folder
- Use a UAC-elevated PowerShell session
- Run:
Get-Content -Raw install.ps1 | iex
- For additional mode(s), prefix the command like this:
$detectOnly=1; Get-Content -Raw install.ps1 | iex
- Multiple modes:
$detectOnly=1; $capturePEfiles=1; Get-Content -Raw install.ps1 | iex
PE file-based (aka Type-1) code execution is denied by default unless $detectOnly=1 is used during installation. The $capturePEfiles mode turns on submission of denied PE files to the backend for further analysis (currently using Intezer, if you have an API key defined).
Stand-alone mode offers protection without the need to run the backend; therefore there is no centralized event collection, monitoring & response. See https://github.com/jymcheong/OpenEDRclient/issues/12.
For offline installation: $standAlone=1; Get-Content -Raw install.ps1 | iex
Otherwise, from a PowerShell session, run the following (it starts an elevated PowerShell that downloads and runs install.ps1 in stand-alone mode):
start-process -verb runas -Filepath powershell -ArgumentList "-ExecutionPolicy Bypass", '-Command "$standAlone=1; $site=''https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'';[scriptblock]::Create((New-Object System.Net.WebClient).DownloadString($site)).Invoke();pause;"'
When detect-only mode is enabled, the host agent skips rogue process termination.
Prefix the client-side installation PowerShell command with $detectOnly=1:
$detectOnly=1; $SFTPCONFURL='http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'; Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'))
Prefix the client-side installation PowerShell command with $allowMacro=1 (see the code):
$allowMacro=1; $SFTPCONFURL='http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'; Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'))
The earlier configuration ($allowMacro=1) keeps macros enabled for ALL Office applications; granular enabling is available for Word ($allowWordMacro), Excel ($allowExcelMacro) & PowerPoint ($allowPowerPointMacro). Let's say you only need to use Excel macros:
$allowExcelMacro=1; $SFTPCONFURL='http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'; Set-ExecutionPolicy Bypass -Scope Process -Force; [System.Net.ServicePointManager]::SecurityProtocol = [System.Net.ServicePointManager]::SecurityProtocol -bor 3072; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1'))
See https://github.com/jymcheong/OpenEDRclient/blob/master/install.ps1#L134
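A wrapper for the local and online install commands above, added here as an example and not part of the OpenEDRclient project or its install.ps1: it saves the installer to disk, records its SHA256 so the copy you reviewed is the one that runs, and sets the documented mode variables ($detectOnly, $capturePEfiles, $standAlone, $allowMacro, the per-application macro switches and $SFTPCONFURL) before invoking it. It assumes the installer reads those variables from the calling scope, as the wiki's own "$detectOnly=1; ... | iex" prefixes rely on; the script name Install-OpenEDRClient.ps1 is a placeholder.

```powershell
# Added example, not part of the OpenEDRclient project. Fetches install.ps1 to disk,
# logs its SHA256 for review, then runs it with the mode switches the wiki documents.
# Assumption: the installer reads $detectOnly, $capturePEfiles, $standAlone, $allowMacro,
# $allowWordMacro, $allowExcelMacro, $allowPowerPointMacro and $SFTPCONFURL from the
# calling scope, exactly as the wiki's "$detectOnly=1; ... | iex" prefixes rely on.
# Run from a UAC-elevated PowerShell session, e.g.:
#   .\Install-OpenEDRClient.ps1 -Modes detectOnly,capturePEfiles -SftpConfUrl 'http://<YOUR_IP_ADDRESS>:8888/sftpconf.zip'
param(
    [string[]]$Modes = @('detectOnly'),
    [string]$SftpConfUrl = '',
    [string]$Source = 'https://raw.githubusercontent.com/jymcheong/openedrClient/master/install.ps1',
    [string]$LocalPath = (Join-Path $env:TEMP 'install.ps1')
)

$knownModes = 'detectOnly', 'capturePEfiles', 'standAlone', 'allowMacro',
              'allowWordMacro', 'allowExcelMacro', 'allowPowerPointMacro'
foreach ($m in $Modes) {
    if ($knownModes -notcontains $m) {
        throw "Unknown mode '$m'. Expected one of: $($knownModes -join ', ')"
    }
}

# Force TLS 1.2 (0xC00 = 3072) for the download, as the wiki's one-liners do.
[System.Net.ServicePointManager]::SecurityProtocol =
    [System.Net.ServicePointManager]::SecurityProtocol -bor 3072

# Save to disk instead of piping the download straight into iex, so the exact
# script that will run can be read and its hash recorded before execution.
Invoke-WebRequest -Uri $Source -OutFile $LocalPath -UseBasicParsing
$hash = (Get-FileHash -Path $LocalPath -Algorithm SHA256).Hash
Write-Host "Saved $Source to $LocalPath"
Write-Host "SHA256: $hash  (compare with the file in the repository before continuing)"
if ((Read-Host 'Proceed with installation? [y/N]') -ne 'y') { return }

# Same effect as the wiki's "$detectOnly=1;" prefix: each selected switch becomes
# a variable set to 1 in this scope, which Invoke-Expression shares with the installer.
foreach ($m in $Modes) { Set-Variable -Name $m -Value 1 }
if ($SftpConfUrl) { $SFTPCONFURL = $SftpConfUrl }   # backend-connected install only

Set-ExecutionPolicy Bypass -Scope Process -Force
Get-Content -Raw -Path $LocalPath | Invoke-Expression
```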