CHANGELOG

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

Added

Changed

Deprecated

Removed

Fixed

Security

v0.4.2 - 2017-08-08

Fix a bug in Get-ClientCertificate when using Get-Variable, making certificate authentication work again.

v0.4.1 - 2017-08-08

Fix a typo in a variable name in Invoke-GRRFlow for the FileFinder flow type.

v0.4.0 - 2017-08-07

🎉 Add support for macOS and Linux 🎉

In general, the open source implementation of PowerShell for non-Windows platforms works mostly the same way as on Windows. However, a few minor issues had to be fixed in order to support 🍎 and 🐧: certificate errors are handled slightly differently, and the user profile environment variable is not the same...easy, isn't it?

Added

  • Add support for macOS and Linux. Some OS checks were added and slightly different certificate error handling was implemented.
  • Add the correct user profile config location for macOS and Linux.
  • Add the new parameters ClientRate and ClientLimit to New-GRRHunt. By default, ClientRate is set to 20 and ClientLimit is set to 100.

Changed

  • Make the HuntDescription and RuleType parameters mandatory in New-GRRHunt.

Fixed

  • Improve error handling in New-GRRClientApproval when the server returns no items, and in New-GRRHunt when no labels are found for RuleType Label.
  • Fix error handling in Get-GRRSession when the web request fails.

v0.3.0 - 2017-07-31

This version changes the config file handling. PowerGRR now supports the user profile or the module root as locations for the config file. This is useful when updating PowerGRR with Update-Module, because each version is stored in its own folder. Keeping the config in the profile folder saves you from constantly moving your config file. Besides the file name change, various improvements were made to the config checks.

The dynamic parameters used in Invoke-GRRFlow and New-GRRHunt are now autocompleted correctly. The change in parameter handling works around a PowerShell bug; see the details below.

The dynamic parameters in New-GRRHunt were improved. The 'OS' and 'Label' parameters are now defined as dynamic parameters and are only shown for the corresponding rule type. Furthermore, label handling was improved so that a hunt only runs if at least one label is valid (that is, found in GRR).

Added

  • Add and improve Pester tests for Invoke-GRRFlow and Get-GRRArtifact
    • Add tests for the ArtifactCollectorFlow and ExecutePythonHack flows
    • Improve tests for the case where Invoke-GRRRequest returns no response
  • Add a function and the corresponding help file for reading the currently loaded config (Get-GRRConfig).

Changed

  • Rename the configuration file from 'Configuration.ps1' to 'powergrr-config.ps1'. PowerGRR now also supports having the config file in the profile folder ($env:userprofile), not only in the root of the module (#7). This makes using PowerShellGallery's Update-Module easier, because each version is saved in a dedicated folder.
  • Improve dynamic parameter handling in New-GRRHunt: add 'OS' and 'Label' as dynamic parameters.
  • Make the FileNameRegex parameter optional and use '.' as its default value in New-GRRHunt and in the corresponding section of Invoke-GRRFlow.

Deprecated

  • The configuration file name 'Configuration.ps1' is deprecated; the new name is 'powergrr-config.ps1'. This change was introduced to prepare for storing the config file within the user profile.
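As an added illustration of the config lookup described for v0.3.0 (this is example code, not PowerGRR's own): the function looks for powergrr-config.ps1 in the profile folder first and then in the module root, falls back to the deprecated Configuration.ps1 name with a warning, and defaults GRRIgnoreCertificateErrors when the file does not set it (the v0.2.0 fix, #1). The profile path taken from $env:USERPROFILE or $HOME, the $ModuleRoot parameter and the function names are assumptions.

```powershell
function Get-ProfileFolder {
    # $env:USERPROFILE is empty on macOS and Linux, so fall back to $HOME (assumption)
    if ($env:USERPROFILE) { return $env:USERPROFILE }
    return $HOME
}

function Resolve-GRRConfigPath {
    param(
        [Parameter(Mandatory)][string]$ModuleRoot,          # hypothetical: supplied by the caller
        [string]$ProfileFolder = (Get-ProfileFolder)
    )
    # Search order: profile folder before module root, current name before deprecated name
    $candidates = @(
        @{ Path = Join-Path $ProfileFolder 'powergrr-config.ps1'; Deprecated = $false },
        @{ Path = Join-Path $ModuleRoot    'powergrr-config.ps1'; Deprecated = $false },
        @{ Path = Join-Path $ProfileFolder 'Configuration.ps1';   Deprecated = $true  },
        @{ Path = Join-Path $ModuleRoot    'Configuration.ps1';   Deprecated = $true  }
    )
    foreach ($c in $candidates) {
        if (Test-Path -LiteralPath $c.Path -PathType Leaf) {
            if ($c.Deprecated) {
                Write-Warning "'Configuration.ps1' is deprecated; rename it to 'powergrr-config.ps1'."
            }
            return $c.Path
        }
    }
    throw "No powergrr-config.ps1 found in '$ProfileFolder' or '$ModuleRoot'."
}

function Import-GRRConfigChecked {
    param([Parameter(Mandatory)][string]$ModuleRoot)
    $path = Resolve-GRRConfigPath -ModuleRoot $ModuleRoot
    # The config is a .ps1 and is dot-sourced, i.e. executed: only load it from
    # locations you control, as anyone who can write it can run code in your session.
    . $path
    # Treat a missing GRRIgnoreCertificateErrors as $false instead of failing
    if (-not (Get-Variable -Name GRRIgnoreCertificateErrors -ErrorAction SilentlyContinue)) {
        $GRRIgnoreCertificateErrors = $false
    }
    if ($GRRIgnoreCertificateErrors) {
        Write-Warning "GRRIgnoreCertificateErrors is enabled: the GRR server certificate is not validated."
    }
    return [pscustomobject]@{
        ConfigPath              = $path
        IgnoreCertificateErrors = [bool]$GRRIgnoreCertificateErrors
    }
}
```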

Fixed

  • Fix an issue with dynamic parameter autocompletion in Invoke-GRRFlow and New-GRRHunt (#6). After using a parameter of type PSCredential within a PowerShell command, the dynamic parameters were no longer autocompleted. The issue is known and has already been reported to the PowerShell team. PowerGRR no longer uses a PSCredential parameter for the mentioned functions but checks the credentials in code instead.
  • Improve error handling in Invoke-GRRFlow and Get-GRRArtifact
    • when no artifacts were found
    • when none of the available artifacts matched the one given in the parameters
  • Fix a bug in Get-GRRArtifact when no items were returned by Invoke-GRRRequest

v0.2.1 - 2017-07-28

Fix a bug in the ExecutePythonHack flow and make that great feature work again in PowerGRR.

v0.2.0 - 2017-07-27

This version introduces the ArtifactCollectorFlow, the handling of GRR artifacts, and the possibility to use the OS rule type within flows and hunts. Get-GRRArtifact now allows filtering and searching for specific artifacts. The return object is a custom PowerShell object with the most important fields.

Added

  • Add examples to the markdown help files and the PowerShell help. Use help <command> -Examples to show the examples from the help.
  • Add rule type 'OS' to New-GRRHunt. Use os_windows, os_linux or os_darwin as filter (#3).
  • Add cmdlet for getting a list of all available flows (Get-GRRFlowDescriptor) and add corresponding Pester tests (#4).
  • Add flow type ArtifactCollectorFlow in Invoke-GRRFlow and New-GRRHunt (#2). The artifacts are checked against the available artifacts within GRR. If not defined, the artifact is skipped.
  • Add cmdlet Get-GRRArtifact for getting a list of all available artifacts (#5). Internally, this function is used within Invoke-GRRFlow and New-GRRHunt to check if the given artifacts for ArtifactCollectorFlow are defined within GRR.

Fixed

  • Fix bug when GRRIgnoreCertificateErrors is not set in the config file (#1).
  • Fix a bug with an uninitialized variable when using WhatIf in Invoke-GRRFlow

v0.1.0 - 2017-07-21

Initial public release.

This initial version includes functions for hunts, flows, client handling, search functionality and label handling. All functions take the computer name as input, which is then converted internally to the needed client id. If multiple client ids are available for one client, the functions use just the latest seen client (LastSeenOn property).

Most functions allow returning plain JSON instead of the converted GRR object. Various functions have pipeline support. See the help and the markdown documentation. The configuration allows using certificate authentication.

Added

  • Add basic project structure for Pester tests and markdown documentation with platyPS. Add initial external documentation for PowerShell.
  • Add Pester tests for different functions (heavily work in progress).
  • Add functions for hunt handling
    • Get-GRRHunt: Display all hunts as custom PowerShell output objects, allowing filtering by dates, creators etc. Use filters such as count, created by, description, ...
    • Get-GRRHuntInfo: Get hunt info in the form of a PowerShell object.
    • Get-GRRHuntResult: Get hunt results in form of a PowerShell object.
    • New-GRRHunt: Create a new hunt. Return only GRR URL to hunt.
    • Start-GRRHunt: Start a hunt. If the approval system is in use, you have to request approval beforehand.
    • Stop-GRRHunt: Stop a hunt based on the hunt id.
  • Add functions for flow handling
    • Invoke-GRRFlow: Start a GRR flow which is supported by PowerGRR (ListProcesses, FileFinder, RegistryFinder, ExecutePythonHack). Dynamic parameters are used for the plugin specific parameters. A dedicated PowerShell object with computername, clientid and flow id is returned for better post-processing.
    • Get-GRRFlowResult: Get flow results. Use the parameter OnlyPayload to only show the result without the full return object.
  • Add functions for client handling
    • Get-GRRComputerNameFromClientId: Get the computer name based on the client id. You can show just the latest seen computer name if multiple GRR client ids are available for one computer
    • Get-GRRClientIdFromComputerName
  • Add functions for search and client handling
    • Find-GRRClient
    • Find-GRRClientByLabel
  • Add functions for label
    • Get-GRRLabel
    • Set-GRRLabel
    • Remove-GRRLabel
  • Add function for requesting approvals
    • New-GRRClientApproval
    • New-GRRHuntApproval
  • Add new wrapper functions for handling GRR API requests: Invoke-GRRRequest and Get-GRRSession. You can use Invoke-GRRRequest also directly from the shell if some API calls are not supported by default with PowerGRR.
  • Add support for common PowerShell parameters (e.g. WhatIf) for functions with actions (add or remove a label, start a flow, ...)
  • Add some supporting functions, e.g. ConvertFrom-Base64, which is used for result data, a function for time conversion that shows unix timestamps in human-readable form, and New-DynamicParam for easier use of dynamic parameters.