
PowerShell Rapid Response (PoSH-R2) – For the incident responder.
PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system. The scripts use WMI to pull this information from the operating system, so they must be run as a user with the privileges those WMI queries require.
PoSH-R2 will retrieve the following data from an individual machine or a group of systems:
– Autorun entries
– Disk info
– Environment variables
– Event logs (50 latest)
– Installed Software
– Logon sessions
– List of drivers
– List of mapped network drives
– List of running processes
– Logged in user
– Local groups
– Local user accounts
– Network configuration
– Network connections
– Patches
– Scheduled tasks with AT command
– Shares
– Services
– System Information
Usage:
git clone https://github.com/WiredPulse/PoSh-R2 && cd PoSh-R2
./PoSH_R2.ps1
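As an added example that is not part of PoSH-R2 or the original post, the script below shows the kind of WMI collection the tool performs: it queries a subset of the classes behind the list above on one or more hosts over DCOM and writes one CSV per host and artifact so the results can be diffed or ingested later. The artifact-to-class map, the output folder name and the DCOM session choice are assumptions of this example.

```powershell
# Added example, not PoSH-R2's own code: WMI triage collector over DCOM
# (the same transport Get-WmiObject uses), one CSV per host and artifact.
# Assumes local-admin rights and reachable RPC/DCOM; the OutDir name is ours.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$OutDir = '.\PoSH-R2-out'
)

# Artifact -> WMI class and optional WQL filter. LocalAccount=True stops
# Win32_UserAccount / Win32_Group from enumerating the whole domain.
$artifacts = @(
    @{ Name = 'Processes';   Class = 'Win32_Process' }
    @{ Name = 'Services';    Class = 'Win32_Service' }
    @{ Name = 'Autoruns';    Class = 'Win32_StartupCommand' }
    @{ Name = 'Shares';      Class = 'Win32_Share' }
    @{ Name = 'Patches';     Class = 'Win32_QuickFixEngineering' }
    @{ Name = 'Drivers';     Class = 'Win32_SystemDriver' }
    @{ Name = 'LocalUsers';  Class = 'Win32_UserAccount'; Filter = 'LocalAccount=True' }
    @{ Name = 'LocalGroups'; Class = 'Win32_Group';       Filter = 'LocalAccount=True' }
    @{ Name = 'NetConfig';   Class = 'Win32_NetworkAdapterConfiguration'; Filter = 'IPEnabled=True' }
    @{ Name = 'SystemInfo';  Class = 'Win32_ComputerSystem' }   # UserName = logged-in user
)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$dcom = New-CimSessionOption -Protocol Dcom

foreach ($target in $ComputerName) {
    try {
        $session = New-CimSession -ComputerName $target -SessionOption $dcom -ErrorAction Stop
    } catch {
        Write-Warning "$target : cannot open WMI session ($($_.Exception.Message))"; continue
    }
    foreach ($a in $artifacts) {
        $params = @{ CimSession = $session; ClassName = $a.Class; ErrorAction = 'Stop' }
        if ($a.Filter) { $params.Filter = $a.Filter }
        try {
            # Drop CIM metadata columns and tag every row with its source host
            $rows = Get-CimInstance @params |
                Select-Object -Property * -ExcludeProperty Cim*, PSComputerName |
                ForEach-Object { $_ | Add-Member -NotePropertyName SourceHost -NotePropertyValue $target -PassThru }
            $file = Join-Path $OutDir ("{0}_{1}.csv" -f $target, $a.Name)
            $rows | Export-Csv -Path $file -NoTypeInformation
            Write-Host ("{0,-14} {1,-12} {2,6} rows" -f $target, $a.Name, @($rows).Count)
        } catch {
            Write-Warning "$target : $($a.Name) failed ($($_.Exception.Message))"
        }
    }
    Remove-CimSession $session
}
```

Run it as `.\collect.ps1 -ComputerName host1,host2` from an elevated prompt; a failed class query on one host is logged and does not stop collection of the remaining artifacts or hosts.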
Source: https://github.com/WiredPulse