PowerGRR creates a comfortable, CLI-based workflow for incident response. Working directly with PowerShell objects enables you to sift quickly through flow and hunt data. This object-oriented approach gives you a fast way to analyze output within PowerShell, e.g. get all unique registry paths from a hunt or show a list of unique clients where a file was found.
Some of the use cases where PowerGRR can speed up the work:
* Start a flow on one or multiple clients and get the flow results as PowerShell objects for easier filtering.
* Create and start a new hunt and get the hunt info or results as PowerShell objects.
* Add or remove a label on one or multiple clients based on a list of computer names.
* List hunts, labels or clients and filter them in different ways.
* Build scripts for common forensic workflows and start multiple hunts or flows inside a script.
Release Notes: https://github.com/swisscom/PowerGRR/releases
Swisscom (Schweiz) AG
(c) 2017 Swisscom (Schweiz) AG
Functions exported by this module:
* Get-GRRHuntResult
* Get-GRRHuntInfo
* Find-GRRClient
* Find-GRRClientByLabel
* Get-GRRComputerNameFromClientId
* Get-GRRClientIdFromComputerName
* Set-GRRLabel
* Remove-GRRLabel
* Invoke-GRRFlow
* Get-GRRLabel
* Get-GRRHunt
* Get-GRRFlowResult
* ConvertFrom-Base64
* Invoke-GRRRequest
* Get-GRRSession
* New-GRRHunt
* Start-GRRHunt
* Stop-GRRHunt
* New-GRRHuntApproval
* New-GRRClientApproval
* Get-GRRFlowDescriptor
* Get-GRRArtifact
* Get-GRRConfig
This module has no dependencies.
🎉 This version adds support for macOS and Linux 🎉
In general, the open source implementation of PowerShell for non-Windows platforms works mostly in the exact same way as on Windows. However, some minor issues had to be fixed in order to support 🍎 and 🐧: slightly different certificate error handling was implemented and the user profile environment variable was changed... easy, isn't it?
Additionally, the ClientRate and ClientLimit parameters were added to New-GRRHunt, and the HuntDescription and RuleType parameters were made mandatory.
See the CHANGELOG on GitHub for full version information.
| Version | Downloads | Last updated |
|---|---|---|
| 0.4.0 (current version) | 8 | 8/7/2017 |