THRecon

THRecon -Threat Hunting Reconnaissance Toolkit-

A collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.

• Ingest using your SIEM of choice (Check out THRecon-Elasticstack and SIEM Tactics)

Install

Requirements

• Requires Powershell 5.0 or above on the “scanning” device.
• Requires Powershell 3.0 or higher on target systems. You can make this further backward compatible to PowerShell 2.0 by replacing instances of “Get-CIMinstance” with “Get-WMIObject”
• When scanning a remote machine without the psexec wrapper (Invoke-THR_PSExec), requires WinRM service on remote machine.

git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon

Install with PowerShell

Copy/paste this into a PowerShell console

$Modules = "$ENV:USERPROFILE\Documents\WindowsPowerShell\Modules\"

New-Item -ItemType Directory $Modules\THRecon\ -force

Invoke-WebRequest https://github.com/TonyPhipps/THRecon/archive/master.zip -OutFile $Modules\master.zip

Expand-Archive $Modules\master.zip -DestinationPath $Modules

Copy-Item $Modules\THRecon-master\* $Modules\THRecon\ -Force -Recurse

Remove-Item  $Modules\THRecon-master -Recurse -Force

Functions can also be used by opening the .psm1 file and copy-pasting its entire contents into a PowerSell console.

To update, simply run the same block of commands again.

Usage

cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\

Import-Module THRecon.psm1

mkdir c:\temp\

cd c:\temp\

Invoke-THR -All -Quick

An output of Command “Invoke-THR”

Output Files

Tutorial

Copyright (C) 2018 TonyPhipps

Source: https://github.com/TonyPhipps/