# THRecon: Threat Hunting Reconnaissance Toolkit
This toolkit collects endpoint information for use in incident response triage, threat hunting and live forensics. When a security alert raises concern over a managed system, the toolkit aims to give the analyst as much relevant information as possible to help determine whether a compromise occurred.

Alternatively, the output may be ingested into an analysis platform such as ELK, Graylog or Splunk for stack-counting and other analysis techniques.
## Linked to Hunt Use Cases

| Host Info | Processes\* | Services | Autoruns | Drivers |
|---|---|---|---|---|
| ARP | DLLs\* | EnvVars | Hosts File | ADS |
| DNS | Strings\* | Users & Groups | Ports | Select Registry |
| Hotfixes | Handles\* | Software | Hardware | Event Logs |
| Net Adapters | Net Routes | Sessions | Shares | Certificates |
| Scheduled Tasks | TPM | Bitlocker | Recycle Bin | User Files |

\* Info pulled from currently running processes or their executables on disk.
- Requires PowerShell 5.0 or above on the "scanning" device.
- Requires PowerShell 3.0 or higher on target systems (2.0 may be adequate in some cases).
- Scanning a remote machine without the PsExec wrapper (Invoke-THR_PSExec) requires the WinRM service to be running on the remote machine.
Run this command in PowerShell with git installed, then open a new PowerShell session.

```
git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon
```
Without git, create the folder below, then copy all the contents of this project into it and open a new PowerShell session.

```
mkdir C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
```
To run a "quick" scan on your own system, create a blank folder and run the cmdlet from within that folder, since output defaults to the current working directory.

```
mkdir c:\temp\
cd c:\temp\
Invoke-THR -Quick
```
## Installing a PowerShell Module

If your system does not automatically load modules from your user profile, you may need to import the module manually.

```
cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\
Import-Module THRecon.psm1
```
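The steps above (check the PowerShell version, import the module, run `Invoke-THR -Quick` from an empty folder) can be wrapped in a single script so that each collection lands in its own folder and leaves a hash manifest behind for later verification. The script below is an added example and is not part of the THRecon project; the module path follows the install instructions, while the `C:\temp` base folder, the timestamped folder name and the SHA-256 manifest are this example's own choices.

```powershell
# Added example (not THRecon project code): run a quick local collection from a
# fresh folder and record a hash manifest of the results.

# The README requires PowerShell 5.0 or above on the scanning device.
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "PowerShell 5.0 or above is required on the scanning device (found $($PSVersionTable.PSVersion))."
}

# Module location used by the install instructions.
$modulePath = "C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon\THRecon.psm1"
if (-not (Test-Path $modulePath)) {
    throw "THRecon module not found at $modulePath. Clone or copy the project there first."
}
Import-Module $modulePath -Force

# Output defaults to the current working directory, so each run gets its own
# empty, timestamped folder (base folder and naming are this example's choice).
$runFolder = Join-Path 'C:\temp' ('THRecon_{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss'))
New-Item -ItemType Directory -Path $runFolder -Force | Out-Null

Push-Location $runFolder
try {
    Invoke-THR -Quick
} finally {
    Pop-Location
}

# Hash everything collected so the evidence can be verified after it is copied
# to an analysis host. The file list is materialised first so the manifest
# itself is not included in its own listing.
$collected = Get-ChildItem -Path $runFolder -File -Recurse
$collected |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path ($runFolder + '.manifest.csv') -NoTypeInformation

Write-Host ("Collected {0} file(s) into {1}" -f $collected.Count, $runFolder)
```

Because the manifest is written next to the run folder rather than inside it, the folder can be zipped and shipped to the analysis platform as-is, and `Get-FileHash` on the receiving side can be compared against the manifest before ingestion.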
## Output of Command "Invoke-THR"

## Output Files