
THRecon

-Threat Hunting Reconnaissance Toolkit-

Collect endpoint information for use in incident response triage / threat hunting / live forensics using this toolkit. When a security alert raises concern over a managed system, this toolkit aims to empower the analyst with as much relevant information as possible to help determine if a compromise occurred.

Alternatively, the output of this tool may be ingested into an analysis tool like ELK, Graylog, or Splunk for stack-counting and other analysis techniques.

Information Collected

Linked to Hunt Use Cases

  • Host Info
  • Processes*
  • Services
  • Autoruns
  • Drivers
  • ARP
  • DLLs*
  • EnvVars
  • Hosts File
  • ADS
  • DNS
  • Strings*
  • Users & Groups
  • Ports
  • Select Registry
  • Hotfixes
  • Handles*
  • Software
  • Hardware
  • Event Logs
  • Net Adapters
  • Net Routes
  • Sessions
  • Shares
  • Certificates
  • Scheduled Tasks
  • TPM
  • Bitlocker
  • Recycle Bin
  • User Files

* Info pulled from currently running processes or their executables on disk.



Requirements

  • Requires PowerShell 5.0 or above on the "scanning" device.
  • Requires PowerShell 3.0 or higher on target systems (2.0 may be adequate in some cases).
  • When scanning a remote machine without the psexec wrapper (Invoke-THR_PSExec), requires the WinRM service (PowerShell Remoting) to be enabled and reachable on the remote machine.
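The following preflight script is an added example, not part of THRecon, that checks the three requirements above from the "scanning" device before a remote collection is attempted: the local PowerShell version, that the module is discoverable, and that each target answers on WinRM and reports PowerShell 3.0 or later. The hostnames in $Targets are constructed placeholders.

```powershell
# Added example (not THRecon code): preflight check of the requirements listed above.
# $Targets holds constructed placeholder hostnames; replace them with real targets.
# Run from the scanning device with credentials that can reach the targets over WinRM.

$Targets = @('WKSTN-01', 'WKSTN-02')   # constructed placeholders

# 1. The scanning device must run PowerShell 5.0 or later.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "Scanning device runs PowerShell $($PSVersionTable.PSVersion); 5.0 or later is required."
}

# 2. The module must be discoverable via $env:PSModulePath.
if (-not (Get-Module -ListAvailable -Name THRecon)) {
    Write-Warning "THRecon module not found in PSModulePath; see Quick Install."
}

# 3. Each target needs a reachable WinRM listener and PowerShell 3.0 or later.
$Results = foreach ($Target in $Targets) {
    $WinRM = $false
    $RemoteVersion = $null
    try {
        # Test-WSMan throws if the WinRM service or listener is not reachable.
        $null = Test-WSMan -ComputerName $Target -ErrorAction Stop
        $WinRM = $true

        # Ask the target for its own PowerShell version over a remoting session.
        # The version is returned as a string and re-parsed so the comparison below
        # does not depend on how the remoting layer serializes System.Version.
        $RemoteVersion = [version](Invoke-Command -ComputerName $Target -ErrorAction Stop -ScriptBlock {
            $PSVersionTable.PSVersion.ToString()
        })
    }
    catch {
        Write-Warning "$Target : $($_.Exception.Message)"
    }

    [pscustomobject]@{
        Target    = $Target
        WinRM     = $WinRM
        PSVersion = $RemoteVersion
        Ready     = $WinRM -and ($null -ne $RemoteVersion) -and ($RemoteVersion.Major -ge 3)
    }
}

$Results | Format-Table -AutoSize
```

Targets with Ready set to False are the ones where the remoting path will fail; for those, the psexec wrapper (Invoke-THR_PSExec) remains the alternative the README offers.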

Quick Install

Run this command in PowerShell with git installed, then open a new PowerShell session so the module is picked up from your user module path.

git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon

Without git, create the folder below, copy all the contents of this project into it, then open a new PowerShell session.

mkdir C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\

Quick Test Use

To run a "quick" scan of your own system, create an empty folder and run the cmdlet from inside it, since output is written to the current working directory by default.

mkdir c:\temp\
cd c:\temp\
Invoke-THR -Quick
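The introduction mentions stack-counting the collected output. The script below is an added example, not THRecon code, of that technique applied to process records gathered from several hosts: entries are grouped by image path and hash, and the pairs seen on the fewest hosts are reported, since a binary present on one machine out of many is the kind of outlier a hunter wants to triage first. The CSV text is constructed sample data, and the column names Host, Name, Path and MD5 as well as the file glob in the closing comment are assumptions to be mapped onto the real column and file names of your own Invoke-THR output.

```powershell
# Added example (not THRecon code): stack-count process records across hosts.
# The CSV below is constructed sample data; the columns Host, Name, Path, MD5 are
# assumed names, not necessarily those used by THRecon's own output files.

$SampleCsv = @'
Host,Name,Path,MD5
WKSTN-01,svchost.exe,C:\Windows\System32\svchost.exe,aaa111
WKSTN-02,svchost.exe,C:\Windows\System32\svchost.exe,aaa111
WKSTN-03,svchost.exe,C:\Windows\System32\svchost.exe,aaa111
WKSTN-01,explorer.exe,C:\Windows\explorer.exe,bbb222
WKSTN-02,explorer.exe,C:\Windows\explorer.exe,bbb222
WKSTN-03,explorer.exe,C:\Windows\explorer.exe,bbb222
WKSTN-02,svchost.exe,C:\Users\Public\svchost.exe,ccc333
'@

function Get-ProcessStack {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [int] $MaxHosts = 1   # report (Path, MD5) pairs seen on at most this many hosts
    )
    $Records |
        Group-Object -Property Path, MD5 |
        ForEach-Object {
            # Count distinct hosts, not rows, so a process running twice on one box
            # does not look more common than it is.
            $SeenOn = @($_.Group.Host | Sort-Object -Unique)
            [pscustomobject]@{
                Name      = $_.Group[0].Name
                Path      = $_.Group[0].Path
                MD5       = $_.Group[0].MD5
                HostCount = $SeenOn.Count
                Hosts     = $SeenOn -join ';'
            }
        } |
        Where-Object { $_.HostCount -le $MaxHosts } |
        Sort-Object HostCount, Path
}

# Run against the constructed sample: only the svchost.exe copy under C:\Users\Public
# (one host, hash ccc333) is reported, while the system binaries seen on all three
# hosts are filtered out.
$Records = $SampleCsv | ConvertFrom-Csv
Get-ProcessStack -Records $Records | Format-Table -AutoSize

# To run against real scans, import one process CSV per host from the scan folders.
# The glob below is an assumed naming pattern; adjust it to the actual file names.
# $Records = Get-ChildItem C:\temp\*\*Processes*.csv | Import-Csv
```

Grouping on the hash as well as the path matters: a tampered binary dropped over a legitimate path keeps the same Path value but gets its own group, so it still surfaces as rare.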

Troubleshooting

Installing a Powershell Module

If your system does not automatically load modules from your user profile, you may need to import the module manually.

cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
Import-Module THRecon.psm1

Screenshots

[Screenshot: output of the command "Invoke-THR"]

[Screenshot: output of the command "Invoke-THR -Verbose"]

[Screenshot: output files]

Contributors

tonyphipps
