PowerGRR
0.9.0
PowerGRR creates a comfortable, CLI-based workflow for incident response. Working directly with PowerShell objects enables you to sift quickly through flow and hunt data. This object-oriented approach gives you a fast way to analyze output within PowerShell, e.g. get all unique registry paths from a hunt, or show a list of unique clients where a file was found.
Some of the use cases where PowerGRR could speed up the work:
* Start a flow on one or multiple clients and get the flow results as PowerShell objects for easier filtering.
* Create and start a new hunt and get the hunt info or results as PowerShell objects.
* Create a hunt or a client approval request and wait until it becomes valid.
* Add or remove a label on one or multiple clients based on a list of computer names.
* Add artifacts to or remove artifacts from the GRR artifact repository.
* List hunts, artifacts, client or hunt approvals, labels and clients and filter them as needed.
* Build scripts for common forensic workflows and start multiple hunts or flows inside a script.
----
Release Notes: https://github.com/swisscom/PowerGRR/releases
Configuration: https://github.com/swisscom/PowerGRR#configuration
Changelog: https://github.com/swisscom/PowerGRR/blob/master/CHANGELOG.md
Minimum PowerShell version
3.0
Copyright
(c) 2017 Swisscom (Schweiz) AG
Package Details
Author(s)
- Swisscom (Schweiz) AG
Tags
IncidentResponse RemoteForensics Forensics GRR
Functions
Get-GRRHuntResult Get-GRRHuntInfo Find-GRRClient Find-GRRClientByLabel Get-GRRComputerNameFromClientId Get-GRRClientIdFromComputerName Set-GRRLabel Remove-GRRLabel Invoke-GRRFlow Get-GRRLabel Get-GRRHunt Get-GRRFlowResult ConvertFrom-Base64 Invoke-GRRRequest Get-GRRSession New-GRRHunt Start-GRRHunt Stop-GRRHunt New-GRRHuntApproval New-GRRClientApproval Get-GRRFlowDescriptor Get-GRRArtifact Get-GRRConfig ConvertTo-Base64 Add-GRRArtifact Remove-GRRArtifact Get-GRRHuntApproval Get-GRRClientApproval ConvertTo-Hex Wait-GRRHuntApproval Wait-GRRClientApproval Get-GRRClientInfo ConvertFrom-EpocTime
Dependencies
This module has no dependencies.
Release Notes
Improve password handling by allowing the $GRRCredential variable to be set with the credential in the console, which is then used by all subsequent command calls. The use of -Credential is therefore no longer needed. For better conversion of Unix timestamps, the function ConvertFrom-EpocTime was added. Additionally, the PowerShell help was improved.
See the CHANGELOG on GitHub for full version information.
FileList
- PowerGRR.nuspec
- PowerGRR.psd1
- PowerGRR.psm1
- en-us\PowerGRR-help.xml
Version History
Version | Downloads | Last updated
---|---|---
0.12.0 | 202 | 7/7/2021