Inspiration

DFIR open source tools.

What it does

Captures multiple types of forensic data from Windows hosts without installing any agent, using native Windows capabilities such as WinRM, PowerShell, Netsh and more. Once captured, the data is moved into XSOAR, where it is parsed and analyzed by multiple tools such as XSOAR PcapMiner, Regipy (a Python library for parsing the Windows registry) and many more.

How I built it

Created a PowerShell integration that opens a remote session to a host, plus multiple Python tools: an ETL-to-PCAP converter, Regipy, which is used to parse registry data, and Volatility to parse memory dumps.
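The agentless acquisition described under "What it does" and "How I built it", as an added example that is not the project's own code: a PowerShell collector that opens a WinRM session over HTTPS (the hardening listed under "What's next"), runs a netsh packet trace on the host, saves offline registry hives for Regipy, pulls the artifacts back over the same session and hashes them. The host name, credential, paths and capture length are placeholders.

```powershell
# Added example, not the project's own code. Placeholders: the target exposes a WinRM
# HTTPS listener (TCP 5986) with a certificate the collector trusts, $Credential is a
# local admin there (netsh trace and reg.exe save need it), C:\Evidence exists locally.
param(
    [string]$ComputerName     = 'WS01.corp.example',
    [pscredential]$Credential = (Get-Credential),
    [string]$EvidenceRoot     = 'C:\Evidence',
    [int]$CaptureSeconds      = 60
)
$ErrorActionPreference = 'Stop'
$case      = Join-Path $EvidenceRoot ('{0}_{1:yyyyMMdd_HHmmss}' -f $ComputerName, (Get-Date))
$remoteDir = 'C:\Windows\Temp\dfir'      # scratch folder on the target (assumed path)
New-Item -ItemType Directory -Path $case -Force | Out-Null

# -UseSSL selects the HTTPS listener, so authentication and the evidence copied back
# are not carried over plain-HTTP WinRM.
$session = New-PSSession -ComputerName $ComputerName -UseSSL -Credential $Credential
try {
    Invoke-Command -Session $session -ScriptBlock {
        $d = $using:remoteDir
        New-Item -ItemType Directory -Path $d -Force | Out-Null
        # 1. Packet capture with the built-in tracing provider: no agent, no driver install.
        netsh trace start capture=yes tracefile="$d\capture.etl" maxsize=200 overwrite=yes | Out-Null
        Start-Sleep -Seconds $using:CaptureSeconds
        netsh trace stop | Out-Null
        # 2. Offline hive copies for Regipy; reg.exe save can read hives that are locked as files.
        reg.exe save HKLM\SYSTEM   "$d\SYSTEM.hiv"   /y | Out-Null
        reg.exe save HKLM\SOFTWARE "$d\SOFTWARE.hiv" /y | Out-Null
        # 3. Volatile state that is gone after a reboot.
        Get-Process -IncludeUserName | Export-Csv "$d\processes.csv" -NoTypeInformation
        Get-NetTCPConnection | Export-Csv "$d\tcp.csv" -NoTypeInformation
        Get-ChildItem $d -File | Select-Object -ExpandProperty Name   # names returned to the collector
    } | ForEach-Object {
        # Pull each artifact back over the same session; nothing is staged on a share.
        Copy-Item -FromSession $session -Path "$remoteDir\$_" -Destination $case
    }
    # Hash on arrival so later parsing (PcapMiner, Regipy, Volatility) is tied to this acquisition.
    $hashes = Get-ChildItem $case -File | Get-FileHash -Algorithm SHA256
    $hashes | Export-Csv (Join-Path $case 'hashes.csv') -NoTypeInformation
}
finally {
    # Remove the scratch folder from the target and close the session even if a step failed.
    Invoke-Command -Session $session -ScriptBlock {
        Remove-Item $using:remoteDir -Recurse -Force -ErrorAction SilentlyContinue }
    Remove-PSSession $session
}
```

The ETL still has to be converted to PCAP before PcapMiner can read it, and the .hiv files are what Regipy opens directly.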

Challenges I ran into

Creating a Docker image to support PS remoting without SSH. Developing a new OOTB PowerShell integration. Covering the most critical aspects to focus on within a short time limit.

Accomplishments that I'm proud of

Creating a complete suite of tools covering the various forensic aspects: acquiring, retrieving and analyzing data.

What I learned

How to implement an agentless DFIR tool suite, and best practices for which data to capture. Working with PowerShell integrations.

What's next for Windows Forensics Using Powershell Remoting

Improving security by using HTTPS for WinRM, providing more commands and playbooks to gather and parse more data, and creating a polling mechanism for PowerShell.
