PowerGRR

PowerGRR is a PowerShell module for working with the GRR API running on Windows, macOS and Linux. GRR Rapid Response is an incident response framework focused on remote live forensics. The module allows working with flows, hunts, labels, artifacts and the search feature. Furthermore, it allows working with the computer names instead of the GRR internal client id.

PowerGRR creates a comfortable, cli-based workflow for incident response. Working directly with PowerShell objects enables you to sift quickly through flow and hunt data. This object-oriented approach gives you a fast way to analyze output within PowerShell, e.g. get all unique registry paths from a hunt or show a list of unique clients where a file was found.

Some of the use cases where PowerGRR could speed up the work:

* Start a flow on one or multiple clients and get flow results as PowerShell object for easier filtering.

* Create and start a new hunt and get the hunt info or results as PowerShell objects.

* Create a hunt or a client approval request and wait until they get valid.

* Add or remove a label on one or multiple clients based on a list of computer names.

* Add artifacts to or remove artifacts from the GRR artifact repository.

* List hunts, artifacts, client or hunt approvals, labels and clients and filter them as needed.

* Build scripts for common forensic workflows and start multiple hunts or flows inside a script.

----

Release Notes: https://github.com/swisscom/PowerGRR/releases

Configuration: https://github.com/swisscom/PowerGRR#configuration

Changelog: https://github.com/swisscom/PowerGRR/blob/master/CHANGELOG.md