{"id":13540332,"url":"https://github.com/wiredpulse/posh-r2","last_synced_at":"2025-04-02T07:30:54.820Z","repository":{"id":64080463,"uuid":"72827671","full_name":"WiredPulse/PoSh-R2","owner":"WiredPulse","description":"PowerShell - Rapid Response... For the incident responder in you!","archived":false,"fork":false,"pushed_at":"2019-10-10T00:22:58.000Z","size":2164,"stargazers_count":293,"open_issues_count":0,"forks_count":68,"subscribers_count":34,"default_branch":"master","last_synced_at":"2024-11-03T05:32:41.442Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/WiredPulse.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-11-04T08:17:50.000Z","updated_at":"2024-10-16T04:57:04.000Z","dependencies_parsed_at":"2023-01-14T21:01:36.731Z","dependency_job_id":null,"html_url":"https://github.com/WiredPulse/PoSh-R2","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WiredPulse%2FPoSh-R2","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WiredPulse%2FPoSh-R2/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WiredPulse%2FPoSh-R2/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/WiredPulse%2FPoSh-R2/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/WiredPulse","download_url":"https://codeload.github.com/WiredPulse/PoSh-R2/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind
":"github","repositories_count":246774294,"owners_count":20831506,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-01T09:01:46.962Z","updated_at":"2025-04-02T07:30:49.810Z","avatar_url":"https://github.com/WiredPulse.png","language":"PowerShell","funding_links":[],"categories":["\u003ca id=\"e1fc1d87056438f82268742dc2ba08f5\"\u003e\u003c/a\u003e事件响应\u0026\u0026取证\u0026\u0026内存取证\u0026\u0026数字取证","\u003ca id=\"0e08f9478ed8388319f267e75e2ef1eb\"\u003e\u003c/a\u003e插件\u0026\u0026脚本"],"sub_categories":["\u003ca id=\"d0f59814394c5823210aa04a8fcd1220\"\u003e\u003c/a\u003e事件响应\u0026\u0026IncidentResponse","\u003ca id=\"6922457cb0d4b6b87a34caf39aa31dfe\"\u003e\u003c/a\u003e新添加的"],"readme":"# PoSh-R2\nPowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!\n\nPoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges, and authentication is done via a Network logon. Retrieved data is written to CSVs and SQLite databases on the system running the script. 
\n\u003cbr\u003e\n\u003cbr\u003e\nIn a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:\n\u003cbr\u003e\n\u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Autorun entries \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Disk info \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Environment variables \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Event logs (50 latest) \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Installed Software \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Logon sessions \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- List of drivers \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- List of mapped network drives \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- List of running processes \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Logged in user \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Local groups \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Local user accounts \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Network configuration \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Network connections \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Patches \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Scheduled tasks with AT command \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Shares \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- Services \u003cbr\u003e\n\u0026#160;\u0026#160;\u0026#160;\u0026#160;- System Information \u003cbr\u003e\n\n# Usage \u003cbr\u003e\n1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts. \u003cbr\u003e\n2. Data will be saved to a new directory called \"PoSH_R2--Results\" within the same directory from which this script was executed. 
\u003cbr\u003e\n# Additional Notes \u003cbr\u003e\n- This script will work with PowerShell version 2 and above\n\n# Screenshots \u003cbr\u003e\n\u003cbr\u003e\n\nRunning the script\u003cbr\u003e\n![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/1-Script_Execution.png?raw=true \"Optional Title\")\u003cbr\u003e\n\u003cbr\u003e\nA listing of the results written to csv files\u003cbr\u003e\n![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/2.1-Results.png?raw=true \"Optional Title\")\u003cbr\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nA listing of the databases\u003cbr\u003e\n![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/2-Results.png?raw=true \"Optional Title\")\u003cbr\u003e\n\u003cbr\u003e\n\u003cbr\u003e\nReading the data back into PowerShell using out-gridview (import-csv .\\\u003csome_file.csv\u003e | out-gridview)\u003cbr\u003e\n![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/3-Results2.png?raw=true \"Optional Title\")\u003cbr\u003e\n\u003cbr\u003e\nFiltering only on splunk.exe. From the screenshot, we see it is running on six systems\u003cbr\u003e\n![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/4-Filter.PNG?raw=true \"Optional Title\")\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwiredpulse%2Fposh-r2","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwiredpulse%2Fposh-r2","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwiredpulse%2Fposh-r2/lists"}