Question 1

How to run PSRecon on a remote Windows host?

Accepted Answer

Use the -remote and -target parameters with PSRecon, ensuring PSRemoting is enabled on the remote host. You must choose output methods like -sendEmail or -share, and provide administrative credentials, preferably via prompt to avoid exposure.

Question 2

PSRecon or Kansa for PowerShell forensics?

Accepted Answer

PSRecon excels at rapid data acquisition and endpoint quarantine with built-in lockdown, while Kansa is a modular framework for extensive data collection. Choose PSRecon for quick containment and self-contained reports, Kansa for customizable, broad-spectrum analysis.

Question 3

Is PSRecon forensically sound for legal evidence?

Accepted Answer

No, the README states PSRecon modifies the filesystem and may not hold up in court. It's designed for live incident response and internal use, not for legally admissible forensic imaging.

Question 4

How to disable PSRemoting after using PSRecon?

Accepted Answer

Manually disable PSRemoting and set execution policies back to restricted post-use, as the README cautions leaving them enabled is risky. This requires additional steps not automated by PSRecon.

Question 5

Can PSRecon be integrated with SIEMs other than LogRhythm?

Accepted Answer

Yes, while optimized for LogRhythm SmartResponse, PSRecon's output methods like email or network shares allow adaptation to other SIEMs, though custom scripting may be needed for seamless integration.

Question 6

What are the risks of hard-coding credentials in PSRecon?

Accepted Answer

Hard-coding credentials can expose them to compromised hosts or logs, increasing the attack surface. The README advises using credential prompts instead for safer execution.

PSRecon

What is PSRecon?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions