Collect endpoint information for use in incident response triage / threat hunting / live forensics using this toolkit. When a security alert raises concern over a managed system, this toolkit aims to empower the analyst with as much relevant information as possible to help determine if a compromise occurred.
Alternatively, the output of this tool may be ingested into an analysis tool like ELK, Graylog, or Splunk for stack-counting and other analysis techniques.
Requires Powershell 5.0 or above on the “scanning” device.
Requires Powershell 3.0 or higher on target systems (2.0 may be adequate in some cases).


Information Collected
(Linked to Hunt Use Cases)

Host Info, Processes*, Services, Autoruns, Drivers
ARP, DLLs*, EnvVars, Hosts File, ADS
DNS, Strings*, Users & Groups, Ports, Select Registry
Hotfixes, Handles*, Software, Hardware, Event Logs
Net Adapters, Net Routes, Sessions, Shares, Certificates
Scheduled Tasks, TPM, Bitlocker, Recycle Bin, User Files

* Info pulled from currently running processes or their executables on disk.

Quick Install
Run this command in Powershell with git installed, then open a new Powershell session.

git clone https://github.com/TonyPhipps/THRecon C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon

Without git, make the folder, then drop all the contents of this project into it. Then open a new Powershell session.

mkdir C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon

Quick Test Use
To run a “quick” scan on your own system, create an empty folder and run the cmdlet from inside it, since output defaults to the current working directory.

mkdir c:\temp
cd c:\temp
Invoke-THR -Quick
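The quick-scan procedure above, carried a step further as an added example (this is not code from the THRecon project): the run goes into a fresh, host- and timestamp-named folder so repeated collections never overwrite each other, the scanning host's PowerShell version is checked against the stated requirement first, and the output files are hashed into a manifest so the collection can later be shown unchanged. It assumes the module is already installed where PowerShell can import it by name; the folder naming and manifest file name are this example's own choices.

```powershell
# Added example, not part of THRecon. Assumes the THRecon module is installed
# under a PSModulePath folder so Import-Module can find it by name.

# Scanning host requirement from the README: PowerShell 5.0 or above
if ($PSVersionTable.PSVersion.Major -lt 5) {
    throw "THRecon needs PowerShell 5.0 or above on the scanning host; found $($PSVersionTable.PSVersion)"
}

# One folder per run, named by host and time (naming is this example's choice)
$outRoot = 'C:\temp'
$runName = 'THRecon_{0}_{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd_HHmmss')
$runDir  = Join-Path $outRoot $runName
New-Item -ItemType Directory -Path $runDir -Force | Out-Null

# Invoke-THR writes to the current working directory, so change into the run folder
Push-Location $runDir
try {
    Import-Module THRecon -ErrorAction Stop
    Invoke-THR -Quick
}
finally {
    Pop-Location
}

# Summarize what was produced: count and total bytes per file type
Get-ChildItem -Path $runDir -File -Recurse |
    Group-Object Extension |
    Select-Object @{n='Extension'; e={$_.Name}},
                  Count,
                  @{n='Bytes'; e={($_.Group | Measure-Object Length -Sum).Sum}} |
    Format-Table -AutoSize

# Hash every output file into a manifest (file name is this example's choice).
# Re-running Get-FileHash later and comparing to this manifest shows whether
# the collected evidence was altered after collection.
$manifest = Join-Path $runDir 'SHA256SUMS.csv'
Get-ChildItem -Path $runDir -File -Recurse |
    Where-Object { $_.FullName -ne $manifest } |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path |
    Export-Csv -Path $manifest -NoTypeInformation
```

Keep the manifest with the case notes rather than only in the run folder; a copy that travels with the evidence is what lets a second analyst verify it independently.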

Troubleshooting
Installing a Powershell Module
If your system does not automatically load modules from your user profile, you may need to import the module manually. If Import-Module fails with an execution policy error, script execution is disabled for this user or host; Get-ExecutionPolicy -List shows the effective setting at each scope.

cd C:\Users\$env:UserName\Documents\WindowsPowerShell\Modules\THRecon
Import-Module .\THRecon.psm1
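The Quick Install and Troubleshooting steps above, combined into one script as an added example (not code from the THRecon project): it installs into the per-user module folder with git when git is available, otherwise creates the folder and stops so the project contents can be copied in, then checks whether that folder is actually on PSModulePath and imports by name or by path accordingly, and finally confirms the Invoke-THR entry point is exposed. The repository URL and Invoke-THR come from this page; deriving the folder from the MyDocuments special folder (which is where Windows PowerShell builds the per-user PSModulePath entry from) is this example's choice.

```powershell
# Added example, not part of THRecon.
$repo      = 'https://github.com/TonyPhipps/THRecon'
# Per-user module root. Windows PowerShell builds its user PSModulePath entry
# from the MyDocuments special folder, so this matches even when Documents is
# redirected away from C:\Users\<name>\Documents.
$modules   = Join-Path ([Environment]::GetFolderPath('MyDocuments')) 'WindowsPowerShell\Modules'
$moduleDir = Join-Path $modules 'THRecon'

if (-not (Test-Path $moduleDir)) {
    if (Get-Command git -ErrorAction SilentlyContinue) {
        git clone $repo $moduleDir
        if ($LASTEXITCODE -ne 0) { throw "git clone failed with exit code $LASTEXITCODE" }
    }
    else {
        New-Item -ItemType Directory -Path $moduleDir -Force | Out-Null
        Write-Warning "git not found. Copy the contents of $repo into $moduleDir, then re-run this script."
        return
    }
}

# Autoloading by name only works when the per-user Modules folder is on PSModulePath.
# Normalize trailing backslashes before comparing; -contains is case-insensitive.
$pathEntries = $env:PSModulePath -split ';' | ForEach-Object { $_.TrimEnd('\') }
if ($pathEntries -contains $modules.TrimEnd('\')) {
    Import-Module THRecon -Force -ErrorAction Stop
}
else {
    Write-Warning "$modules is not on PSModulePath; importing by path instead (this is the Troubleshooting case)."
    Import-Module (Join-Path $moduleDir 'THRecon.psm1') -Force -ErrorAction Stop
}

# Confirm the module is loaded and that the entry point resolves to it
Get-Module THRecon | Select-Object Name, Version, ModuleBase
Get-Command Invoke-THR -Module THRecon -ErrorAction Stop | Select-Object Name, Source
```

If the last line errors, the module loaded but did not export Invoke-THR, which usually means the folder contains something other than the project contents (for example a nested THRecon-master directory from an extracted zip) rather than a PSModulePath problem.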

Screenshots
[Screenshot: Output of Command “Invoke-THR”]
[Screenshot: Output Files]