Collect endpoint information for use in incident response triage / threat hunting / live forensics using this toolkit. When a security alert raises concern over a managed system, this toolkit aims to empower the analyst with as much relevant information as possible to help determine if a compromise occurred.
Alternatively, the output of this tool may be ingested into an analysis tool like ELK, Graylog, or Splunk for stack-counting and other analysis techniques.
Requires PowerShell 5.0 or above on the "scanning" device.

Requires PowerShell 3.0 or higher on target systems (2.0 may be adequate in some cases).
## Information Collected

Linked to Hunt Use Cases

| Host Info | Processes* | Services | Autoruns | Drivers |
|---|---|---|---|---|
| ARP | DLLs* | EnvVars | Hosts File | ADS |
| DNS | Strings* | Users & Groups | Ports | Select Registry |
| Hotfixes | Handles* | Software | Hardware | Event Logs |
| Net Adapters | Net Routes | Sessions | Shares | Certificates |
| Scheduled Tasks | TPM | Bitlocker | Recycle Bin | User Files |
## Quick Install

Run this command in PowerShell with git installed, then open a new PowerShell session.

```powershell
git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon
```

Without git, make the folder, then drop all the contents of this project into it. Then open a new PowerShell session.

```powershell
mkdir C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
```
## Quick Test Use

To run a "quick" scan on your own system, create an empty folder and run the cmdlet from inside it, since output defaults to the current working directory.

```powershell
mkdir c:\temp\
cd c:\temp\
Invoke-THR -Quick
```
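Once output from several hosts has been gathered, the stack-counting mentioned in the introduction can also be done locally in PowerShell before (or instead of) shipping results to ELK, Graylog or Splunk. The following is an added example, not part of THRecon; it assumes each host's output was copied into a per-host folder as CSV with a "Path" column (the folder layout, file name pattern, column name and the `Get-THRStackCount` function are all assumptions) and builds its own constructed sample data.

```powershell
# Added example, not THRecon code. Assumes per-host output folders under $Root, each
# holding a *Processes*.csv with a "Path" column (layout and column name are assumptions).
function Get-THRStackCount {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string] $Filter   = '*Processes*.csv',
        [string] $Property = 'Path'
    )
    # Folder name doubles as the host name; every CSV row becomes (Host, Value).
    Get-ChildItem -Path $Root -Recurse -File -Filter $Filter |
        ForEach-Object {
            $hostName = $_.Directory.Name
            Import-Csv -Path $_.FullName | ForEach-Object {
                [pscustomobject]@{ Host = $hostName; Value = $_.$Property }
            }
        } |
        Where-Object { $_.Value } |
        Group-Object -Property Value |
        ForEach-Object {
            # Count distinct hosts per value so duplicates on one host do not inflate the stack.
            $hosts = @($_.Group.Host | Sort-Object -Unique)
            [pscustomobject]@{
                Value     = $_.Name
                HostCount = $hosts.Count
                Hosts     = $hosts -join ','
            }
        } |
        Sort-Object HostCount, Value
}

# Constructed sample data: two hosts; HOST02 has one extra process running from a
# user-writable location, which is what least-frequency analysis is meant to surface.
$root = Join-Path $env:TEMP 'thr-stack-demo'
New-Item -ItemType Directory -Force -Path (Join-Path $root 'HOST01'), (Join-Path $root 'HOST02') | Out-Null
@'
Name,Path
svchost.exe,C:\Windows\System32\svchost.exe
explorer.exe,C:\Windows\explorer.exe
'@ | Set-Content -Path (Join-Path $root 'HOST01\Processes.csv')
@'
Name,Path
svchost.exe,C:\Windows\System32\svchost.exe
explorer.exe,C:\Windows\explorer.exe
updater.exe,C:\Users\Public\updater.exe
'@ | Set-Content -Path (Join-Path $root 'HOST02\Processes.csv')

# Rarest values (lowest HostCount) sort to the top of the table.
Get-THRStackCount -Root $root | Format-Table -AutoSize
```

Values seen on only one or two hosts are the ones worth a second look; the same grouping works for any other THRecon data set by changing `-Filter` and `-Property`.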
## Troubleshooting

### Installing a PowerShell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually.

```powershell
cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
Import-Module THRecon.psm1
```
## Screenshots

Output of command "Invoke-THR" (screenshot)

Output files (screenshot)