PoSh-R2 PowerShell: investigators and forensic analysts tool

PoSH-R2 is a set of Windows Management Instrumentation interface (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system. Therefore, this script will need to be executed with a user that has the necessary privileges.

In a single execution, PoSH-R2 will retrieve the following data from an individual machine or a group of systems:

– Autorun entries
– Disk info
– Environment variables
– Event logs (50 lastest)
– Installed Software
– Logon sessions
– List of drivers
– List of mapped network drives
– List of running processes
– Logged in user
– Local groups
– Local user accounts
– Network configuration
– Network connections
– Patches
– Scheduled tasks with AT command
– Shares
– Services
– System Information

Download

git clone https://github.com/WiredPulse/PoSh-R2.git

Usage 

1. Call upon the script from a PowerShell window with applicable rights for WMI and follow the prompts.
2. Data will be saved to a new directory called “PoSH_R2–Results” within the same directory from which this script was executed from.

Additional Notes 

• This script will work with PowerShell version 2 and above

Running the script

A listing of the results written to csv files

Reading the data back into PowerShell using out-gridview (import-csv .<some_file.csv> | out-gridview)

Filtering only on splunk.exe. From the screenshot, we see it is running on six systems

Source: https://github.com/WiredPulse/