PowerGRR creates a comfortable, CLI-based workflow for incident response. Working directly with PowerShell objects lets you sift quickly through flow and hunt data. This object-oriented approach gives you a fast way to analyze output within PowerShell, e.g. get all unique registry paths from a hunt or list the unique clients on which a file was found.
Some of the use cases where PowerGRR could speed up the work:
* Start a flow on one or multiple clients and get the flow results as PowerShell objects for easier filtering.
* Create and start a new hunt and get the hunt info or results as PowerShell objects.
* Add or remove a label on one or multiple clients based on a list of computer names.
* List hunts, labels or clients and filter them in different ways.
* Build scripts for common forensic workflows and start multiple hunts or flows inside a script.
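The last use case, as an added example script that is not part of the PowerGRR project: label a set of hosts from a computer-name list, run a FileFinder hunt against that label and then reduce the results to unique paths and unique clients. Only the cmdlet names are taken from the module; the parameter names (-ComputerName, -Label, -HuntDescription, -Flow, -Path, -ActionType, -RuleType, -MatchMode, -HuntId, -ClientId), the result property names (client_id, payload.stat_entry.pathspec.path) and all sample values are assumptions.

```powershell
# Added example, not PowerGRR project code. Cmdlet parameter names and the
# shape of the returned result objects are assumed from the module's usage
# and from the GRR API; check Get-Help <cmdlet> against your version.
Import-Module PowerGRR

# Constructed input: one computer name per line, produced by triage.
$hosts = Get-Content -Path '.\suspected-hosts.txt'
$label = 'ir-case-0001'   # constructed case label

# Tag the scoped clients once; the hunt is then restricted to this label,
# so a typo in the host list cannot widen the hunt to the whole fleet.
Set-GRRLabel -ComputerName $hosts -Label $label

# Create a STAT-only FileFinder hunt (metadata, no file download) and start it.
New-GRRHunt -HuntDescription 'Case 0001 - executables in roaming profiles' `
            -Flow FileFinder `
            -Path 'C:\Users\*\AppData\Roaming\*.exe' `
            -ActionType STAT `
            -RuleType Label -Label $label -MatchMode MATCH_ALL

$huntId = 'H:XXXXXXXX'    # placeholder: the id printed by New-GRRHunt
Start-GRRHunt -HuntId $huntId

function Get-HuntSummary {
    # Reduce hunt results to the two views the description mentions:
    # unique paths across the fleet, and unique clients with any hit.
    param([Parameter(Mandatory)][string]$HuntId)

    $results = Get-GRRHuntResult -HuntId $HuntId

    $paths = $results |
        ForEach-Object { $_.payload.stat_entry.pathspec.path } |
        Sort-Object -Unique

    $clients = $results |
        Select-Object -ExpandProperty client_id -Unique |
        ForEach-Object { Get-GRRComputerNameFromClientId -ClientId $_ }

    [pscustomobject]@{
        HuntId      = $HuntId
        UniquePaths = $paths
        Clients     = $clients
    }
}

# Run this once clients have checked in and the hunt has collected results.
Get-HuntSummary -HuntId $huntId | Format-List
```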
Release Notes: https://github.com/swisscom/PowerGRR/releases
Swisscom (Schweiz) AG
(c) 2017 Swisscom (Schweiz) AG
Functions: Get-GRRHuntResult, Get-GRRHuntInfo, Find-GRRClient, Find-GRRClientByLabel, Get-GRRComputerNameFromClientId, Get-GRRClientIdFromComputerName, Set-GRRLabel, Remove-GRRLabel, Invoke-GRRFlow, Get-GRRLabel, Get-GRRHunt, Get-GRRFlowResult, ConvertFrom-Base64, Invoke-GRRRequest, Get-GRRSession, New-GRRHunt, Start-GRRHunt, Stop-GRRHunt, New-GRRHuntApproval, New-GRRClientApproval, Get-GRRFlowDescriptor, Get-GRRArtifact, Get-GRRConfig
This module has no dependencies.
This version changed the config file handling. PowerGRR now supports the user profile or the module root as locations for the config file. This is useful when updating PowerGRR with Update-Module, because each version is stored in its own folder; keeping the config in the profile folder avoids constantly moving the config file. Besides the file name change, several improvements were made to the config checks.
The dynamic parameters used in Invoke-GRRFlow and New-GRRHunt are now autocompleted correctly. The change in the parameter handling works around a PowerShell bug; see details below.
The dynamic parameters in New-GRRHunt were improved. The 'OS' and 'Label' parameters are now defined as dynamic parameters and are only shown for the corresponding rule type. Furthermore, the label handling was improved so that a hunt is only run if at least one label is valid (that is, found in GRR).
See the CHANGELOG on GitHub for full version information.
| Version | Downloads | Last updated |
|---|---|---|
| 0.3.0 (current version) | 15 | 7/31/2017 |