Home

Awesome

PoSh-R2PowerShell - Rapid Response (PoSH-R2)... For the incident responder in you!

PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges and authentication is done via a Network logon. Retreived data is written to CSVs and SQLite databases on the system running the script. <br> <br> In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems: <br> <br>     - Autorun entries <br>     - Disk info <br>     - Environment variables <br>     - Event logs (50 lastest) <br>     - Installed Software <br>     - Logon sessions <br>     - List of drivers <br>     - List of mapped network drives <br>     - List of running processes <br>     - Logged in user <br>     - Local groups <br>     - Local user accounts <br>     - Network configuration <br>     - Network connections <br>     - Patches <br>     - Scheduled tasks with AT command <br>     - Shares <br>     - Services <br>     - System Information <br>

Usage <br>

  1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts. <br>
  2. Data will be saved to a new directory called "PoSH_R2--Results" within the same directory from which this script was executed from. <br>

Additional Notes <br>

Screenshots <br>

<br>

Running the script<br> Alt text<br> <br> A listing of the results written to csv files<br> Alt text<br> <br> <br> A listing of the databases<br> Alt text<br> <br> <br> Reading the data back into PowerShell using out-gridview (import-csv .<some_file.csv> | out-gridview)<br> Alt text<br> <br> Filtering only on splunk.exe. From the screenshot, we see it is running on six systems<br> Alt text