Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/wiredpulse/posh-r2
PowerShell - Rapid Response... For the incident responder in you!
- Host: GitHub
- URL: https://github.com/wiredpulse/posh-r2
- Owner: WiredPulse
- License: apache-2.0
- Created: 2016-11-04T08:17:50.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2019-10-10T00:22:58.000Z (about 5 years ago)
- Last Synced: 2024-08-01T09:26:27.210Z (3 months ago)
- Language: PowerShell
- Homepage:
- Size: 2.06 MB
- Stars: 290
- Watchers: 34
- Forks: 68
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# PoSh-R2
PowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!
PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system, so the script must be run as a user that has the necessary privileges on the target systems; authentication to remote systems is done via a Network logon. Retrieved data is written to CSV files and SQLite databases on the system running the script.
In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:
- Autorun entries
- Disk info
- Environment variables
- Event logs (50 latest)
- Installed Software
- Logon sessions
- List of drivers
- List of mapped network drives
- List of running processes
- Logged in user
- Local groups
- Local user accounts
- Network configuration
- Network connections
- Patches
- Scheduled tasks with AT command
- Shares
- Services
- System Information
# Usage
1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts.
2. Data will be saved to a new directory called "PoSH_R2--Results" within the directory from which the script was executed.
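As an added example (not PoSH-R2's own code), the same WMI collection pattern for one of the listed artifacts, running processes, across a group of hosts: results land in one CSV that can be read back and filtered the way the splunk.exe screenshot below shows. The host names, output folder and column set are assumptions, as is that the caller already holds administrative rights on the targets and that remote WMI (DCOM/RPC) is reachable.

```powershell
# Added example, not part of PoSH-R2. Get-WmiObject is used instead of
# Get-CimInstance so it runs on PowerShell 2, which the README supports.
$Targets = @('WS-01', 'WS-02', 'SRV-01')              # assumed host names
$OutDir  = Join-Path (Get-Location) 'PoSH_R2--Results'  # assumed folder name
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# One row per process per host. A host that cannot be reached (offline, RPC
# blocked, access denied) still produces a row, so gaps in coverage are visible.
$Processes = foreach ($Computer in $Targets) {
    try {
        Get-WmiObject -Class Win32_Process -ComputerName $Computer -ErrorAction Stop |
            Select-Object @{n='ComputerName';e={$Computer}}, ProcessId, ParentProcessId,
                          Name, ExecutablePath, CommandLine, @{n='Collected';e={Get-Date}}
    } catch {
        $reason = $_.Exception.Message
        # Same columns as a real row so Export-Csv keeps a single schema.
        '' | Select-Object @{n='ComputerName';e={$Computer}}, ProcessId, ParentProcessId,
             @{n='Name';e={'COLLECTION_FAILED'}}, ExecutablePath,
             @{n='CommandLine';e={$reason}}, @{n='Collected';e={Get-Date}}
    }
}
$Csv = Join-Path $OutDir 'Processes.csv'
$Processes | Export-Csv -Path $Csv -NoTypeInformation

# Read the CSV back and answer "on which systems is this image running?",
# the question the README's splunk.exe filter screenshot answers by eye.
function Get-HostsRunningProcess {
    param([string]$CsvPath, [string]$ImageName)
    Import-Csv $CsvPath |
        Where-Object { $_.Name -eq $ImageName } |
        Group-Object ComputerName |
        Select-Object @{n='ComputerName';e={$_.Name}}, @{n='Instances';e={$_.Count}}
}

$Hits = @(Get-HostsRunningProcess -CsvPath $Csv -ImageName 'splunk.exe')
"splunk.exe is running on $($Hits.Count) of $($Targets.Count) collected systems"
$Hits | Format-Table -AutoSize
# Rows named COLLECTION_FAILED list the hosts that were not collected at all.
Import-Csv $Csv | Where-Object { $_.Name -eq 'COLLECTION_FAILED' } |
    Select-Object ComputerName, CommandLine
```

`Import-Csv $Csv | Out-GridView` gives the same interactive view the screenshots show.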
# Additional Notes
- This script will work with PowerShell version 2 and above
# Screenshots
Running the script
![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/1-Script_Execution.png?raw=true "Optional Title")
A listing of the results written to csv files
![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/2.1-Results.png?raw=true "Optional Title")
A listing of the databases
![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/2-Results.png?raw=true "Optional Title")
Reading the data back into PowerShell using out-gridview (import-csv .\ | out-gridview)
![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/3-Results2.png?raw=true "Optional Title")
Filtering only on splunk.exe. From the screenshot, we see it is running on six systems.
![Alt text](https://github.com/WiredPulse/PoSh-R2/blob/master/Screenshots/4-Filter.PNG?raw=true "Optional Title")