Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/wiredpulse/posh-r2

PowerShell - Rapid Response... For the incident responder in you!
https://github.com/wiredpulse/posh-r2

Last synced: about 1 month ago
JSON representation

PowerShell - Rapid Response... For the incident responder in you!

Host: GitHub
URL: https://github.com/wiredpulse/posh-r2
Owner: WiredPulse
License: apache-2.0
Created: 2016-11-04T08:17:50.000Z (over 7 years ago)
Default Branch: master
Last Pushed: 2019-10-10T00:22:58.000Z (over 4 years ago)
Last Synced: 2024-02-09T00:14:12.384Z (5 months ago)
Language: PowerShell
Homepage:
Size: 2.06 MB
Stars: 287
Watchers: 35
Forks: 68
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Lists

awesome-reverse-engineering - **202**星 - Rapid Response... For the incident responder in you! (<a id="0e08f9478ed8388319f267e75e2ef1eb"></a>插件&&脚本 / <a id="6922457cb0d4b6b87a34caf39aa31dfe"></a>新添加的)
awesome-reverse-engineering - **202**星 - Rapid Response... For the incident responder in you! (<a id="0e08f9478ed8388319f267e75e2ef1eb"></a>插件&&脚本 / <a id="6922457cb0d4b6b87a34caf39aa31dfe"></a>新添加的)
awesome-cyber-security - **204**星 - Rapid Response... For the incident responder in you! (<a id="e1fc1d87056438f82268742dc2ba08f5"></a>事件响应&&取证&&内存取证&&数字取证 / <a id="d0f59814394c5823210aa04a8fcd1220"></a>事件响应&&IncidentResponse)
awesome-reverse-engineering - **202**星 - Rapid Response... For the incident responder in you! (<a id="0e08f9478ed8388319f267e75e2ef1eb"></a>插件&&脚本 / <a id="6922457cb0d4b6b87a34caf39aa31dfe"></a>新添加的)

README

# PoSh-R2PowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!

PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges and authentication is done via a Network logon. Retreived data is written to CSVs and SQLite databases on the system running the script.

In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:

    - Autorun entries

    - Disk info

    - Environment variables

    - Event logs (50 lastest)

    - Installed Software

    - Logon sessions

    - List of drivers

    - List of mapped network drives

    - List of running processes

    - Logged in user

    - Local groups

    - Local user accounts

    - Network configuration

    - Network connections

    - Patches

    - Scheduled tasks with AT command

    - Shares

    - Services

    - System Information

# Usage

1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts.

2. Data will be saved to a new directory called "PoSH_R2--Results" within the same directory from which this script was executed from.

# Additional Notes

- This script will work with PowerShell version 2 and above

# Screenshots

Running the script

![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/1-Script_Execution.png?raw=true "Optional Title")

A listing of the results written to csv files

![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/2.1-Results.png?raw=true "Optional Title")

A listing of the databases

![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/2-Results.png?raw=true "Optional Title")

Reading the data back into PowerShell using out-gridview (import-csv .\ | out-gridview)

![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/3-Results2.png?raw=true "Optional Title")

Filtering only on splunk.exe. From the screenshot, we see it is running on six systems

![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/4-Filter.PNG?raw=true "Optional Title")