PowerTriage is a PowerShell script to perform a live acquisition of artifacts on a Windows system without external software
jdangosto/PowerTriage
PowerTriage - PowerShell Triage Tool

PowerTriage is a DFIR PowerShell script to perform a live acquisition of artifacts on a Windows system without external software.

PowerTriage Script - Extracted Artefacts

PowerTriage collects information from multiple sources. By default the output is written under "C:", but you can set a specific folder for the acquisition; the folder is named 'PowerTriage-hostname-yearmonthdate_hhmmss'. Once the script finishes, this folder is zipped (and the original folder deleted), so the zip file can be collected remotely. PowerTriage collects the following artifacts:

Functions

  • System Info
  • Network Info:
    • IP information (all interfaces)
    • TCP_Stablishe_Connections
  • Activities Cache (All users)
  • Event Logs (Application, Security, System, PowerShell Operational, TaskScheduler Operational, Sysmon Operational, WMI Activity Operational, NTLM Operational, etc.)
  • PowerShell Command History (All users)
  • Prefetch
  • Process Information (Process List, Process Tree, Unique Process Hash)
  • Recent Items (All users)
  • Recycle Bin (All users)
  • Scheduled Tasks (Scheduled Task List, Scheduled Task Run Info)
  • Active Users
  • Autoruns
  • DNS Cache
  • Users:
    • Active Users
    • Local Users
  • Services Running
  • Shadow Copies List
  • Browser artifacts (Edge, Opera, Chrome, Firefox)
  • RDP Connections
  • Hashing artifacts

**More functions in the next update :)**
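As an added example that is not part of the PowerTriage project, the skeleton below shows the conventions described above (a per-host folder named PowerTriage-hostname-yearmonthdate_hhmmss, a few of the listed artifacts exported as CSV, hashing of everything collected, then zipping and removal of the working folder); the function name, the -OutputRoot parameter and the CSV file names are assumptions made for this example.

```powershell
# Added example, not PowerTriage's own code. Mirrors the README's conventions:
# timestamped per-host folder, CSV exports, SHA-256 manifest, zip, delete folder.
# Invoke-MiniTriage, -OutputRoot and the file names below are assumptions.

function Invoke-MiniTriage {
    [CmdletBinding()]
    param([string]$OutputRoot = 'C:\')

    $stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
    $caseDir = Join-Path $OutputRoot "PowerTriage-$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $caseDir -Force | Out-Null

    # Warn rather than abort when not elevated: some sources (Security log, other
    # users' profiles) will simply be missing, as the README's admin note says.
    $isAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
               ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    if (-not $isAdmin) { Write-Warning 'Not elevated: some artifacts will not be collected.' }

    # Volatile artifacts first: they change or disappear while the script runs.
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess |
        Export-Csv (Join-Path $caseDir 'TCP_Established_Connections.csv') -NoTypeInformation
    Get-DnsClientCache |
        Export-Csv (Join-Path $caseDir 'DNS_Cache.csv') -NoTypeInformation

    # Process list with the SHA-256 of each image on disk (unique hashes help
    # spot renamed or replaced binaries during review).
    Get-Process | Where-Object Path | ForEach-Object {
        [pscustomobject]@{
            PID    = $_.Id
            Name   = $_.ProcessName
            Path   = $_.Path
            SHA256 = (Get-FileHash -Algorithm SHA256 -Path $_.Path -ErrorAction SilentlyContinue).Hash
        }
    } | Export-Csv (Join-Path $caseDir 'Process_List.csv') -NoTypeInformation

    # Hash every collected artifact so the zip's contents can be verified later.
    Get-ChildItem $caseDir -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv (Join-Path $caseDir 'Artifact_Hashes.csv') -NoTypeInformation

    # Package for remote collection and remove the working folder, as the README describes.
    $zip = "$caseDir.zip"
    Compress-Archive -Path (Join-Path $caseDir '*') -DestinationPath $zip -Force
    Remove-Item $caseDir -Recurse -Force
    return $zip
}
```

Run it from an elevated PowerShell session as `Invoke-MiniTriage -OutputRoot 'C:\'`; it returns the path of the resulting zip.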

Windows Usage

The PowerTriage script must be run with admin privileges for best results; otherwise, not all artifacts will be collected.

The PowerTriage script is unsigned, which may require using -ExecutionPolicy Bypass to run it.

The script can be executed by running one of the following commands: .\Powertriage.ps1 or Powershell.exe -ExecutionPolicy Bypass .\PowerTriage.ps1

If you still have execution problems, open the PowerShell ISE as administrator, paste the entire Powertriage.PS1 code into a new file and execute it; that will not fail.

EDR/XDR Usage

If you are going to run the script from a Live Response console through an EDR/XDR system, you must comment out the corresponding line (the script has a comment marking it).
