The module allows the use of the GRR API from within PowerShell.

Minimum PowerShell version


Installation Options

Copy and Paste the following command to install this package using PowerShellGet More Info

Install-Module -Name PowerGRR -RequiredVersion 0.1.0

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation. Learn More

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies. Learn More


Swisscom (Schweiz) AG


(c) 2017 Swisscom (Schweiz) AG



GRR Security IncidentResponse Containment Malware


Get-GRRHuntResult Get-GRRHuntInfo Find-GRRClient Find-GRRClientByLabel Get-GRRComputerNameFromClientId Get-GRRClientIdFromComputerName Set-GRRLabel Remove-GRRLabel Invoke-GRRFlow Get-GRRLabel Get-GRRHunt Get-GRRFlowResult ConvertFrom-Base64 Invoke-GRRRequest Get-GRRSession New-GRRHunt Start-GRRHunt Stop-GRRHunt New-GRRHuntApproval New-GRRClientApproval Get-GRRFlowDescriptor Get-GRRArtifact


This module has no dependencies.

Release Notes

This initial version includes functions for hunts, flows, client handling, search functionality and label handling. All function takes the computer name as input which is then converted to the needed client id internally. If multiple client id's are available for one client then the functions use just the latest seen client (LastSeenOn property).

Most functions allow returning plain JSON instead of the converted GRR object. Various functions has pipeline support. See help and the markdown documentation. The configuration allows using certificate authentication.

Create a Configuration.ps1 file in the root folder of the project. Set the following variables as needed:

# Ignore certificate errors - if set to $true certificate errors are ignored
$GRRIgnoreCertificateErrors = $false

# Client certificate issuer - if set the corresponding client certificate is used
# Otherwise the client certificate from the given issuer is used.
$GRRClientCertIssuer = "issuer of the certificate"

$GRRUrl = ...

See CHANGELOG in Github (see link "Project Site" on the left) for full version information.

Version History

Version Downloads Last updated
0.12.0 113 7/7/2021
0.11.0 6 6/2/2021
0.10.0 14 3/22/2021
0.9.1 175 4/4/2019
0.9.0 136 5/19/2018
0.8.0 42 2/21/2018
0.7.0 18 1/19/2018
0.6.0 84 9/14/2017
0.5.0 70 8/16/2017
0.4.2 15 8/8/2017
0.4.1 8 8/8/2017
0.4.0 8 8/7/2017
0.3.0 15 7/31/2017
0.2.1 11 7/28/2017
0.2.0 9 7/27/2017
0.1.0 (current version) 8 7/27/2017
Show less