Top 12 PowerShell Dfir Projects

• sysmon-modular

  15 2,485 6.8 PowerShell

  A repository of sysmon configuration modules

Project mention: Sysmon 15.0 is out now with advanced features | /r/sysadmin | 2023-06-29

I was specifically using the https://github.com/olafhartong/sysmon-modular config, but once we started seeing systems crash I tried building extremely minimal configs and still found them causing hangs.

• AzureHunter

  2 755 0.0 PowerShell

  A Cloud Forensics Powershell module to run threat hunting playbooks on data from Azure and O365

• InfluxDB

  www.influxdata.com sponsored

  Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.

  

• sysmon-config

  1 749 7.2 PowerShell

  Advanced Sysmon ATT&CK configuration focusing on Detecting the Most Techniques per Data source in MITRE ATT&CK, Provide Visibility into Forensic Artifact Events for UEBA, Detect Exploitation events with wide CVE Coverage, and Risk Scoring of CVE, UEBA, Forensic, and MITRE ATT&CK Events. (by ion-storm)

• WELA

  3 651 0.0 PowerShell

  WELA (Windows Event Log Analyzer): The Swiss Army knife for Windows Event Logs! ゑ羅（ウェラ）

  

• DetectionLabELK

  3 525 0.0 PowerShell

  DetectionLabELK is a fork from DetectionLab with ELK stack instead of Splunk.

  

• MemProcFS-Analyzer

  2 401 6.1 PowerShell

  MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

• Trawler

  6 287 7.6 PowerShell

  PowerShell script to help Incident Responders discover potential adversary persistence mechanisms.

Project mention: Non-SysAdmin Use Cases for PowerShell? Basically, any use cases NOT involving network, RDP, system config, IT/LAN admin type stuff? | /r/PowerShell | 2023-05-10

I use it for DFIR work - example - https://github.com/joeavanzato/Trawler

• WorkOS

  workos.com sponsored

  The modern identity platform for B2B SaaS. The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning.

  

• Collect-MemoryDump

  2 213 4.5 PowerShell

  Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

• Win10

  1 163 7.2 PowerShell

  Win 10/11 related research

• WindowsDFIR

  2 71 2.6 PowerShell

  Repository for different Windows DFIR related CMDs, PowerShell CMDlets, etc, plus workshops that I did for different conferences or events.

• Queries

  1 67 1.0 PowerShell

  SQLite queries (by kacos2000)

• Power-Response

  2 61 0.0 PowerShell

  Powering Up Incident Response with Power-Response

  

PowerShell Dfir related posts

• Sysmon 15.0 is out now with advanced features
  2 projects | /r/sysadmin | 29 Jun 2023
• Sharing a tool I developed to help Blue Teamers discover Persistence on Windows - please check it out!
  1 project | /r/u_1259iknow | 2 May 2023
• Sharing a tool I developed to help Blue Teamers discover Persistence on Windows - please check it out!
  1 project | /r/netsec | 30 Apr 2023
• User was hacked and sent out malware via their company email however unable to find out how?
  1 project | /r/cybersecurity | 25 Apr 2023
• Sharing a new tool I made for aiding my analysis of persistence mechanisms on Windows - Trawler
  1 project | /r/computerforensics | 24 Apr 2023
• Splunk & Sysmon as SIEM
  1 project | /r/Splunk | 11 Apr 2023
• Looking for inputs and validation for this network setup.
  2 projects | /r/AskNetsec | 24 Feb 2023
• A note from our sponsor - WorkOS
  workos.com | 26 Apr 2024

  The APIs are flexible and easy-to-use, supporting authentication, user identity, and complex enterprise features like SSO and SCIM provisioning. Learn more →

Index

Sponsored

SaaSHub - Software Alternatives and Reviews

SaaSHub helps you find the best software and product alternatives

www.saashub.com

Do not miss the trending PowerShell projects with our weekly report!