A collection of Microsoft PowerShell modules that aid in the forensic investigation of domain-based attacks on an infected host.
CodeExecution
Execute code on a target machine using Import-Module.
Get-ShellContent
Extracts the live input and output of any command-line process on a remote computer, whether the process is running or dumped and whether its traffic is encrypted or plaintext.
Get-SessionsAnomaly
Detects evidence of Pass-the-Ticket and Pass-the-Hash attacks on a remote machine.
License
The IT-Tools project and all individual scripts are under the [BSD 3-Clause license] unless explicitly noted otherwise.
Usage
To install any of these modules, drop the PowerShell scripts into a directory and run Import-Module PathTo\scriptName.ps1
Then run the module's commands from the PowerShell session that imported it.
Refer to the comment-based help in each individual script for detailed usage information.
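An added example of the steps above, not part of the IT-Tools project: it imports every script in a directory into the current session and then prints the comment-based help of the two modules listed above. The directory path is an assumption; the Unblock-File step is included because scripts downloaded from the web carry a zone identifier that can keep Import-Module from loading them under the default execution policy.

```powershell
# Added example, not part of IT-Tools. $ToolsDir is an assumed location for
# the downloaded .ps1 files; change it to wherever you dropped the scripts.
$ToolsDir = 'C:\Tools\IT-Tools'

Get-ChildItem -Path $ToolsDir -Filter '*.ps1' | ForEach-Object {
    # Downloaded files are marked with a "Mark of the Web"; clear it so the
    # script can be loaded without changing the machine-wide execution policy.
    Unblock-File -Path $_.FullName

    # Import the script as a module into the current session.
    Import-Module -Name $_.FullName -Force
    Write-Host "Imported $($_.Name)"
}

# Read each module's comment-based help before running it; parameters and
# examples are documented there, not in this README.
Get-Help -Name Get-ShellContent -Full
Get-Help -Name Get-SessionsAnomaly -Full
```

Import-Module only loads the scripts into the session that ran it, so repeat the import in every new PowerShell window (or add the loop to your profile) before calling the modules.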