PowerGRR

0.4.1

PowerGRR is a PowerShell module for working with the GRR API running on Windows, macOS and Linux. GRR Rapid Response is an incident response framework focused on remote live forensics. The module allows working with flows, hunts, labels and the search feature. Furthermore, it allows working with the computer names instead of the GRR internal client id.

PowerGRR creates a comfortable, CLI-based workflow for incident response. Working directly with PowerShell objects lets you sift quickly through flow and hunt data. This object-oriented approach gives you a fast way to analyze output within PowerShell, e.g. get all unique registry paths from a hunt or show a list of unique clients where a file was found.

Some of the use cases where PowerGRR could speed up the work:

* Start a flow on one or multiple clients and get the flow results as PowerShell objects for easier filtering.

* Create and start a new hunt and get the hunt info or results as PowerShell objects.

* Add or remove a label on one or multiple clients based on a list of computer names.

* List hunts, labels or clients and filter them in different ways.

* Build scripts for common forensic workflows and start multiple hunts or flows inside a script.
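As an added example (not code from the PowerGRR project or from this page), the script below strings together several of the functions listed further down into the workflow the use cases describe: label a set of hosts, start the same flow on each of them, and reduce the flow results to per-host objects that can be grouped and filtered. The parameter names (-ComputerName, -Label, -Flow, -FlowId, -Credential), the flow name ListProcesses and the assumption that Invoke-GRRFlow returns a flow id are assumptions about the module's interface, not facts stated on this page; confirm them with Get-Help on the installed version.

```powershell
# Added example (not PowerGRR project code). Builds the workflow the use cases
# describe from the functions listed on this page. Parameter names
# (-ComputerName, -Label, -Flow, -FlowId, -Credential) are assumptions about the
# module's interface; confirm them with Get-Help <FunctionName> -Detailed.
Import-Module PowerGRR

# Prompt for the GRR API account rather than embedding a password in the script.
$cred = Get-Credential -Message 'GRR API user'

# Constructed sample: hosts named in an alert that should be triaged together.
$hosts = @('WS-0001', 'WS-0002', 'SRV-0003')

# 1. Label the hosts so the case set can be found again later with
#    Find-GRRClientByLabel instead of re-typing the names.
Set-GRRLabel -ComputerName $hosts -Label 'ir-case-0001' -Credential $cred

# 2. Start the same flow on each host. ListProcesses is assumed here because it
#    needs no flow-specific arguments; other flows take their own parameters.
$flowRuns = foreach ($h in $hosts) {
    $flowId = Invoke-GRRFlow -ComputerName $h -Flow 'ListProcesses' -Credential $cred
    [pscustomobject]@{ ComputerName = $h; FlowId = $flowId }
}

# 3. Collect results per host (the flow id is assumed to be what Invoke-GRRFlow
#    returned) and attach the host name to every result object, so the combined
#    output can be grouped without knowing GRR's internal client id scheme.
$results = foreach ($run in $flowRuns) {
    Get-GRRFlowResult -ComputerName $run.ComputerName -FlowId $run.FlowId -Credential $cred |
        ForEach-Object {
            $_ | Add-Member -NotePropertyName ComputerName -NotePropertyValue $run.ComputerName -Force -PassThru
        }
}

# 4. Work with the data as objects: one line per host with its result count,
#    and the distinct list of hosts that returned anything at all.
$results | Group-Object ComputerName | Select-Object Name, Count | Format-Table -AutoSize
$hostsWithHits = $results | Select-Object -ExpandProperty ComputerName -Unique
$hostsWithHits
```

A flow only produces results once the client has checked in and run it, so step 3 may return nothing immediately after step 2; re-running step 3 later, with the saved `$flowRuns`, picks the results up without starting the flows again.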

----

Release Notes: https://github.com/swisscom/PowerGRR/releases

Configuration: https://github.com/swisscom/PowerGRR#configuration

Changelog: https://github.com/swisscom/PowerGRR/blob/master/CHANGELOG.md

Minimum PowerShell version

3.0

Installation Options

Copy and paste the following command to install this package using PowerShellGet:

Install-Module -Name PowerGRR -RequiredVersion 0.4.1

You can deploy this package directly to Azure Automation. Note that deploying packages with dependencies will deploy all the dependencies to Azure Automation.

Manually download the .nupkg file to your system's default download location. Note that the file won't be unpacked, and won't include any dependencies.

Author(s)

Swisscom (Schweiz) AG

Copyright

(c) 2017 Swisscom (Schweiz) AG

Tags

IncidentResponse RemoteForensics Forensics GRR

Functions

* Get-GRRHuntResult
* Get-GRRHuntInfo
* Find-GRRClient
* Find-GRRClientByLabel
* Get-GRRComputerNameFromClientId
* Get-GRRClientIdFromComputerName
* Set-GRRLabel
* Remove-GRRLabel
* Invoke-GRRFlow
* Get-GRRLabel
* Get-GRRHunt
* Get-GRRFlowResult
* ConvertFrom-Base64
* Invoke-GRRRequest
* Get-GRRSession
* New-GRRHunt
* Start-GRRHunt
* Stop-GRRHunt
* New-GRRHuntApproval
* New-GRRClientApproval
* Get-GRRFlowDescriptor
* Get-GRRArtifact
* Get-GRRConfig

Dependencies

This module has no dependencies.

Release Notes

v0.4.1
------
Hotfix release due to typo in variable name in Invoke-GRRFlow.

v0.4.0
------
🎉 This version adds support for macOS and Linux 🎉

In general, the open source implementation of PowerShell for non-Windows platforms mostly works in exactly the same way as on Windows. However, some minor issues had to be fixed in order to support 🍎 and 🐧: a slightly different certificate error handling was implemented and the user profile environment variable was changed... easy, isn't it?

Additionally, the ClientRate and ClientLimit parameters were added to New-GRRHunt and HuntDescription and RuleType were set to mandatory.

See CHANGELOG in Github for full version information.

Version History

| Version | Downloads | Last updated |
|---|---|---|
| 0.12.0 | 113 | 7/7/2021 |
| 0.11.0 | 6 | 6/2/2021 |
| 0.10.0 | 14 | 3/22/2021 |
| 0.9.1 | 175 | 4/4/2019 |
| 0.9.0 | 136 | 5/19/2018 |
| 0.8.0 | 42 | 2/21/2018 |
| 0.7.0 | 18 | 1/19/2018 |
| 0.6.0 | 84 | 9/14/2017 |
| 0.5.0 | 70 | 8/16/2017 |
| 0.4.2 | 15 | 8/8/2017 |
| 0.4.1 (current version) | 8 | 8/8/2017 |
| 0.4.0 | 8 | 8/7/2017 |
| 0.3.0 | 15 | 7/31/2017 |
| 0.2.1 | 11 | 7/28/2017 |
| 0.2.0 | 9 | 7/27/2017 |
| 0.1.0 | 8 | 7/27/2017 |