Meerkat is a collection of PowerShell modules designed for artifact gathering and reconnaissance of Windows-based endpoints without requiring a pre-deployed agent. Use cases include incident response triage, threat hunting, baseline monitoring, snapshot comparisons, and more.
https://github.com/TonyPhipps/Meerkat
Live Forensicator is part of the Black Widow Toolbox; its aim is to assist forensic investigators and incident responders in carrying out a quick live forensic investigation
https://github.com/Johnng007/Live-Forensicator
CimSweep is a suite of CIM/WMI-based tools that enable the ability to perform incident response and hunting operations remotely across all versions of Windows
https://github.com/PowerShellMafia/CimSweep
A modular incident response framework in Powershell
https://github.com/davehull/Kansa
TRIDENT is a PowerShell script for fast triage and collection of evidence from forensic artifacts and volatile data, aimed to assist in the identification of compromise in Windows systems
https://github.com/nov3mb3r/trident
PoSH-R2 is a set of Windows Management Instrumentation (WMI) scripts that investigators and forensic analysts can use to retrieve information from a compromised (or potentially compromised) Windows system
https://github.com/WiredPulse/PoSh-R2
This script is used to get useful baseline information from Windows systems in scope. It is designed for the incident response scenario. It primarily relies on PowerShell
https://github.com/securycore/Get-Baseline/blob/master/Get-Baseline.ps1
PSHunt is a PowerShell threat hunting module designed to scan remote endpoints for indicators of compromise or survey them for more comprehensive information related to the state of those systems (active processes, autostarts, configurations, and/or logs)
https://github.com/Infocyte/PSHunt
WINspect is part of a larger project for auditing different areas of Windows environments. It focuses on enumerating different parts of a Windows machine to identify security weaknesses and point to components that need further hardening
https://github.com/A-mIn3/WINspect
PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally:
https://github.com/gfoss/PSRecon
NOAH ("No Agent Hunting") is an agentless, open source incident response framework based on PowerShell that helps security investigators and responders gather a large number of key artifacts without installing any agent on the endpoints, saving precious time:
https://github.com/giMini/NOAH
ThreatHunting-Module https://github.com/securycore/ThreatHunting
Powerless batch file https://raw.githubusercontent.com/gladiatx0r/Powerless/master/Powerless.bat
https://github.com/nettitude/PoshC2/tree/master/resources/modules
PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. See README.md for more information. https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerUp/PowerUp.ps1