
By: | 590,705 downloads | Last Updated: 1/30/2016 | Latest Version: 1.1.1

A Digital Forensics framework for Windows PowerShell.

By: | 79,187 downloads | Last Updated: 12/11/2024 | Latest Version: 1.17.1

This module tries to enumerate all the persistence techniques implanted on a compromised machine.

By: | 8,426 downloads | Last Updated: 1/30/2016 | Latest Version: 1.1.1

A Digital Forensics framework for Windows PowerShell.

By: | 4,590 downloads | Last Updated: 5/13/2017 | Latest Version: 0.6.0.0

CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows. CIM/WMI obviates the need for the installation of a host-based agent. The WMI service is running by default on all versions of Windows.

By: | 2,920 downloads | Last Updated: 2/18/2016 | Latest Version: 1.1.1

A Digital Forensics framework for Windows PowerShell.

By: | 1,531 downloads | Last Updated: 12/8/2021 | Latest Version: 1.6.1

A cloud forensics module to run threat hunting playbooks on data from Azure and O365

By: | 249 downloads | Last Updated: 9/22/2025 | Latest Version: 2.4.1

The DFIR-O365RC module will extract logs from the unified audit log (using Exchange Online and Purview), Entra ID Sign In logs, Entra ID Audit Logs, Azure Monitor and Azure DevOps activity logs

By: | 38 downloads | Last Updated: 1/9/2026 | Latest Version: 1.0

A comprehensive PowerShell toolkit for threat hunting, digital forensics, and incident response (DFIR). Provides "Hunt" functions to detect persistence mechanisms, analyze system artifacts, search event logs, and generate detailed forensic reports.

By: | 3 downloads | Last Updated: 2/19/2026 | Latest Version: 0.4.0-rc1

Comprehensive Windows security posture analysis and attack surface assessment tool. Covers 23 security categories including hardware security (TPM/VBS/Secure Boot), BitLocker, Microsoft Defender ASR rules, exploit protection, privacy settings, network security, remote access, WSL, PowerShell security, authentication policy, scheduled tasks, and Win...

By: | 1 download | Last Updated: 3/1/2026 | Latest Version: 1.0.0

PowerTriage is a lightweight, dependency-free PowerShell script designed for Incident Response (DFIR) on compromised Windows devices. It collects critical artifacts (Network, Process, Persistence, System, Browsers) and packages them for analysis. Features: - Zero Dependencies: Runs on standard PowerShell 5.1+ - Modular: Full or Minimal collection ...