PoSh-R2 PowerShell: investigators and forensic analysts tool
PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. Because the scripts pull this information from the operating system through WMI, they must be run as a user that has the privileges WMI requires on the systems being queried.
In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:
– Autorun entries
– Disk info
– Environment variables
– Event logs (50 latest)
– Installed Software
– Logon sessions
– List of drivers
– List of mapped network drives
– List of running processes
– Logged in user
– Local groups
– Local user accounts
– Network configuration
– Network connections
– Patches
– Scheduled tasks (AT command)
– Shares
– Services
– System Information
Download
git clone https://github.com/WiredPulse/PoSh-R2.git
Usage
- Run the script from a PowerShell window that has the applicable rights for WMI and follow the prompts.
- Data will be saved to a new directory called “PoSH_R2–Results” inside the directory from which the script was executed.
Additional Notes
- This script will work with PowerShell version 2 and above.
[Screenshot: a listing of the results written to CSV files]
[Screenshot: reading the data back into PowerShell with Out-GridView (Import-Csv .\<some_file.csv> | Out-GridView)]
[Screenshot: filtering on splunk.exe only; the screenshot shows it running on six systems]
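The collect-to-CSV and Import-Csv review workflow above, as an added example that is not PoSh-R2's own code: a PowerShell 2.0-compatible collection of two of the listed artefacts (running processes and services) from a list of hosts into per-host CSV files, followed by the filter-on-one-process step the screenshots show. The host list, output directory name and process name are placeholder assumptions; the caller is assumed to hold WMI rights on each host.

```powershell
# Added example, not part of PoSh-R2. Placeholders: $hosts, $outDir, $target.
$hosts  = @('localhost')                                    # systems to query (placeholder)
$outDir = Join-Path (Get-Location) 'PoSH_R2-Results-Example' # output directory (placeholder)
$target = 'splunk.exe'                                       # process name to review (placeholder)
if (-not (Test-Path $outDir)) { New-Item -ItemType Directory -Path $outDir | Out-Null }

foreach ($h in $hosts) {
    try {
        # Win32_Process: the "running processes" artefact. Get-WmiObject exists on PS v2.
        Get-WmiObject -Class Win32_Process -ComputerName $h -ErrorAction Stop |
            Select-Object @{n='ComputerName';e={$h}}, ProcessId, ParentProcessId,
                          Name, ExecutablePath, CommandLine, CreationDate |
            Export-Csv -Path (Join-Path $outDir "${h}_processes.csv") -NoTypeInformation

        # Win32_Service: the "services" artefact, including the account and binary path.
        Get-WmiObject -Class Win32_Service -ComputerName $h -ErrorAction Stop |
            Select-Object @{n='ComputerName';e={$h}}, Name, DisplayName, State,
                          StartMode, StartName, PathName |
            Export-Csv -Path (Join-Path $outDir "${h}_services.csv") -NoTypeInformation
    }
    catch {
        # An offline host or a WMI access denial is reported and collection continues.
        Write-Warning "Collection failed for ${h}: $_"
    }
}

# Review step: read every process CSV back and keep only rows for the target
# process, as in the splunk.exe screenshot; the grid shows one row per instance.
$all = Get-ChildItem -Path $outDir -Filter '*_processes.csv' |
    ForEach-Object { Import-Csv -Path $_.FullName }
$hits = $all | Where-Object { $_.Name -eq $target }
$hits | Select-Object ComputerName, ProcessId, ExecutablePath, CommandLine |
    Out-GridView -Title "$target across collected systems"

# Per-host count: how many systems the process was seen on, and how many times each.
$hits | Group-Object ComputerName | Select-Object Name, Count
```

Comparing ExecutablePath and CommandLine across hosts in the grid is what makes an outlier instance of an otherwise expected process name stand out.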
Source: https://github.com/WiredPulse/