THRecon

-Threat Hunting Reconnaissance Toolkit-

Collect endpoint information for use in incident response triage / threat hunting / live forensics using this toolkit. When a security alert raises concern over a managed system, this toolkit aims to empower the analyst with as much relevant information as possible to help determine if a compromise occurred.

Alternatively, the output of this tool may be ingested into an analysis tool like ELK, Graylog, or Splunk for stack-counting and other analysis techniques.

Requires PowerShell 5.0 or above on the "scanning" device.

Requires PowerShell 3.0 or higher on target systems (2.0 may be adequate in some cases).



Information Collected

Linked to Hunt Use Cases

Host Info | Processes* | Services | Autoruns | Drivers
ARP | DLLs* | EnvVars | Hosts File | ADS
DNS | Strings* | Users & Groups | Ports | Select Registry
Hotfixes | Handles* | Software | Hardware | Event Logs
Net Adapters | Net Routes | Sessions | Shares | Certificates
Scheduled Tasks | TPM | Bitlocker | Recycle Bin | User Files

* Info pulled from current running processes or their executables on disk.

Quick Install

With git installed, run this command in PowerShell, then open a new PowerShell session so the module is picked up.

git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon

Without git, create the folder below, then copy all the contents of this project into it and open a new PowerShell session.

mkdir C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\

Quick Test Use

To run a "quick" scan on your own system, create a blank folder and run the cmdlet from within that folder, since output defaults to the current working directory.

mkdir c:\temp\
cd c:\temp\
Invoke-THR -Quick

Troubleshooting

Installing a Powershell Module

If your system does not automatically load modules in your user profile, you may need to import the module manually.

cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
Import-Module THRecon.psm1
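As an added example that is not part of the THRecon project, the following PowerShell wrapper ties the steps above together: it imports the module manually if autoloading did not run, collects into a fresh per-host, timestamped folder so runs never overwrite each other, and writes a SHA256 manifest beside the output so the files can be verified after they are copied to ELK, Graylog, or Splunk. It assumes the module lives at the path shown in Quick Install and, as the README states, that Invoke-THR writes its files into the current working directory.

```powershell
# Added example, not THRecon's own code. Assumes the clone path from Quick
# Install and that Invoke-THR writes its output to the current directory.
$ModulePath = "C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\THRecon.psm1"

# Import manually only when autoloading did not expose the cmdlet (see Troubleshooting).
if (-not (Get-Command Invoke-THR -ErrorAction SilentlyContinue)) {
    Import-Module $ModulePath -ErrorAction Stop
}

# One blank folder per host and run, so earlier collections are never overwritten.
$Stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir = Join-Path 'C:\temp' "THR-$env:COMPUTERNAME-$Stamp"
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Run the quick scan from inside the output folder, restoring the location afterwards.
Push-Location $OutDir
try {
    Invoke-THR -Quick -Verbose
}
finally {
    Pop-Location
}

# Hash every output file so an analyst can confirm nothing changed between
# collection on the endpoint and ingestion into the analysis platform.
$ManifestName = 'MANIFEST.sha256.csv'
$Manifest     = Join-Path $OutDir $ManifestName
Get-ChildItem -Path $OutDir -File |
    Where-Object { $_.Name -ne $ManifestName } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object @{ n = 'File'; e = { Split-Path $_.Path -Leaf } }, Hash |
    Export-Csv -Path $Manifest -NoTypeInformation

$Count = (Get-ChildItem -Path $OutDir -File).Count
Write-Host "Collection written to $OutDir ($Count files, manifest: $ManifestName)"
```

Re-run `Get-FileHash` on the shipped copies and compare against the manifest before relying on the data for triage.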

Screenshots

Output of Command "Invoke-THR"

Output of Command "invoke-thr -verbose"

Output Files

Contributors

tonyphipps
