Command Syntax
Scott Sutherland edited this page Mar 23, 2022 · 2 revisions
NAME
Invoke-PowerHunt
SYNOPSIS
This is a modular threat hunting framework designed to perform data collection via PowerShell remoting and offline analysis using easy to build modules.
SYNTAX
Invoke-PowerHunt [[-Username] ] [[-Password] ] [[-Credential] ] [[-DomainController] ] [[-Threads] ]
[-OutputDirectory] [[-RunSpaceTimeOut] ] [-ShowRunpaceError] [-CollectOnly] [-AnalyzeOnly] [[-OfflinePath] ] [[-ComputerName] ]
[[-ComputerList] ] []
DESCRIPTION
PARAMETERS
-Username
Local or domain account to authenticate with.
Required? false
Position? 1
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Password
Local or domain account password to authenticate with.
Required? false
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Credential
Local or domain credential.
Required? false
Position? 3
Default value [System.Management.Automation.PSCredential]::Empty
Accept pipeline input? false
Accept wildcard characters? false
-DomainController
Domain controller to communicate with for computer discovery.
Required? false
Position? 4
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Threads
Number of runspace threads to use during ping and port scanning.
Required? false
Position? 5
Default value 100
Accept pipeline input? false
Accept wildcard characters? false
-OutputDirectory
Required? true
Position? 6
Default value
Accept pipeline input? false
Accept wildcard characters? false
-RunSpaceTimeOut
Timeout applied to the runspaces.
Required? false
Position? 7
Default value 15
Accept pipeline input? false
Accept wildcard characters? false
-ShowRunpaceError []
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-CollectOnly []
Only run collection modules, no analysis modules.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-AnalyzeOnly []
Only run analysis modules against offline data. Requires OfflinePath.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-OfflinePath
Directory produced by a collection scan. It can come from either a full scan or a CollectOnly scan.
Required? false
Position? 8
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ComputerName
Target a single system. Active Directory discovery is disabled when this option is used.
Required? false
Position? 9
Default value
Accept pipeline input? false
Accept wildcard characters? false
-ComputerList
Target the list of computers in the given file. Active Directory discovery is disabled when this option is used.
Required? false
Position? 10
Default value
Accept pipeline input? false
Accept wildcard characters? false
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -DomainController 10.1.1.1
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -DomainController 10.1.1.1 -Credential domain\user
-------------------------- EXAMPLE 4 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -DomainController 10.1.1.1 -Username domain\user -Password 'SecretPasswordHere!'
-------------------------- EXAMPLE 5 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -ComputerName Desktop123
-------------------------- EXAMPLE 6 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -ComputerList c:\temp\computers.txt
-------------------------- EXAMPLE 7 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -Threads 100 -CollectOnly
-------------------------- EXAMPLE 8 --------------------------
PS C:\>Invoke-PowerHunt -OutputDirectory "c:\temp" -AnalyzeOnly -OfflinePath c:\temp\Hunt-032120222126
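The following is an added example, not part of the PowerHunt wiki or the project's own code. It chains the CollectOnly and AnalyzeOnly modes described above into a two-phase run, prompting for the remoting account instead of passing -Password on the command line. It assumes Invoke-PowerHunt is already loaded in the session and that a collection run writes a "Hunt-<timestamp>" folder under -OutputDirectory, as EXAMPLE 8 suggests; the output directory and computer list paths are placeholders.

```powershell
# Added example (not from the PowerHunt wiki): collection and analysis as two phases,
# so the collected data can be analyzed later or on a separate analysis workstation.
# Assumes Invoke-PowerHunt is already loaded, and that a collection run creates a
# "Hunt-<timestamp>" folder under -OutputDirectory (as EXAMPLE 8 suggests).

$OutputDirectory = 'C:\temp'                   # placeholder path
$ComputerList    = 'C:\temp\computers.txt'     # placeholder; one hostname per line, as in EXAMPLE 6

# Prompt for the account interactively rather than passing -Password as a literal,
# which would leave the secret in console history and transcript logs.
$Credential = Get-Credential -Message 'Account used for PowerShell remoting'

# Phase 1: collection only. Record the Hunt-* folders that already exist so the new
# one can be identified afterwards without guessing the timestamp in its name.
$before = Get-ChildItem -Path $OutputDirectory -Directory -Filter 'Hunt-*' -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty FullName

Invoke-PowerHunt -OutputDirectory $OutputDirectory -Threads 50 -Credential $Credential `
                 -ComputerList $ComputerList -CollectOnly

$huntDir = Get-ChildItem -Path $OutputDirectory -Directory -Filter 'Hunt-*' |
           Where-Object { $before -notcontains $_.FullName } |
           Sort-Object LastWriteTime -Descending |
           Select-Object -First 1

if (-not $huntDir) {
    throw "No new Hunt-* collection folder was created under $OutputDirectory; consider re-running with -ShowRunpaceError."
}

# Phase 2: analysis only, against the offline data. No remoting credentials are
# needed for this step, so it can run on a separate analysis workstation.
Invoke-PowerHunt -OutputDirectory $OutputDirectory -AnalyzeOnly -OfflinePath $huntDir.FullName
```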