A PowerShell incident response script for quick triage

nov3mb3r/trident
TRIDENT

TRIDENT is a PowerShell script for fast triage and collection of evidence from forensic artifacts and volatile data, intended to assist in identifying compromise on Windows systems. The collected data is written to a text file named after the hostname of the system.

Breakdown of collection details

General information

  • Group policy settings
  • Encryption information

Network

  • Active network interfaces
  • DNS cache
  • Shared folders
  • Connections by spawned processes

Process Information

  • Running processes
  • Process commandline

Persistence

  • Commands on Startup
  • Scheduled tasks
  • Services

User account activity

  • Recent USB devices
  • Recent files
  • PowerShell history
  • Kerberos sessions
  • SMB sessions
  • RDP sessions

Advanced

  • Prefetch file information
  • DLL List
  • WMI filters and consumers
  • Named pipes

Usage

From a PowerShell console running with administrative privileges, just run the script:

PS >.\trident.ps1

For the Advanced collection set, add the -a switch:

PS >.\trident.ps1 -a
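The following is an added illustration of the collection pattern the breakdown above describes, not the trident script itself: a handful of the listed artifacts are gathered with built-in cmdlets and appended, section by section, to a text file named after the hostname. It assumes an elevated Windows PowerShell 5.1 or later session, and its -Advanced switch is a hypothetical stand-in for trident's -a flag.

```powershell
# Added illustration, not nov3mb3r/trident's own code: collect a subset of the
# artifacts the README lists into <hostname>.txt. Assumes an elevated
# PowerShell session on Windows; -Advanced is a hypothetical stand-in for -a.
[CmdletBinding()]
param([switch]$Advanced)

$OutFile = Join-Path (Get-Location) "$env:COMPUTERNAME.txt"

function Write-Section {
    param([string]$Title, [scriptblock]$Collector)
    "==== $Title ====" | Out-File -FilePath $OutFile -Append -Encoding utf8
    try {
        & $Collector | Format-Table -AutoSize | Out-String -Width 300 |
            Out-File -FilePath $OutFile -Append -Encoding utf8
    } catch {  # one failing collector must not abort the whole triage run
        "collection failed: $($_.Exception.Message)" | Out-File -FilePath $OutFile -Append -Encoding utf8
    }
}

"Triage of $env:COMPUTERNAME at $(Get-Date -Format o)" | Out-File -FilePath $OutFile -Encoding utf8

# Network: established connections tied back to the owning process
Write-Section 'Network connections by process' {
    Get-NetTCPConnection -State Established |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, OwningProcess,
            @{n='Process'; e={ (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }}
}
Write-Section 'DNS cache' { Get-DnsClientCache | Select-Object Entry, RecordType, Data }

# Process information: full command lines, where living-off-the-land activity tends to show
Write-Section 'Process command lines' {
    Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
}

# Persistence: scheduled tasks (with the action they execute) and services
Write-Section 'Scheduled tasks' {
    Get-ScheduledTask | Select-Object TaskPath, TaskName, State, @{n='Actions'; e={ ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' }}
}
Write-Section 'Services' { Get-CimInstance Win32_Service | Select-Object Name, State, StartMode, PathName }

if ($Advanced) {
    # WMI subscriptions: a filter bound to a consumer is a well-known persistence mechanism
    Write-Section 'WMI event filters' { Get-CimInstance -Namespace root\subscription -ClassName __EventFilter | Select-Object Name, Query }
    Write-Section 'WMI event consumers' { Get-CimInstance -Namespace root\subscription -ClassName __EventConsumer | Select-Object Name, @{n='Class'; e={ $_.CimClass.CimClassName }} }
    Write-Section 'WMI filter-to-consumer bindings' { Get-CimInstance -Namespace root\subscription -ClassName __FilterToConsumerBinding | Select-Object Filter, Consumer }
    # Named pipes: enumerate the pipe namespace so unusual pipe names can be reviewed
    Write-Section 'Named pipes' { Get-ChildItem -Path '\\.\pipe\' | Select-Object Name }
}
Write-Host "Wrote $OutFile"
```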

Example
