PSRecon – PowerShell Utility for Real-time Incident Response and Data Acquisition
System administrators count on using PowerShell to solve problems on different windows operating system. This helps to start scheduled tasks or launch commands remotely on thousands of servers using some simple scripts with too much automation.
Information security related events are also important for the security team to find out any suspicious or malicious activity that indicate an attack. PowerShell can be also used by security team for incident handling and data gathering.
Psrecon is an open source script that you can use to gather data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
This is a good way to make your forensics analyses in real-time without login to many systems and search in data. Psrecon also allows to lockdown the remote system to reduce the risk of spreading the attack on your network.
Some of the features are:
- Collect data on remote host to send the over Email / Push to Share / Pass Additional Arguments
- Basic incident response
- Integration with the SIEM to alert of any compromise
- Remote Lockdown and Quarantine
- Disable AD Account and Host Lockdown
You can download PSRecon over this link: https://github.com/gfoss/PSRecon/