Skip to content

freeload101/CrowdStrike_RTR_Powershell_Scripts

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

65 Commits
Browser_History_Hindsight.ps1
Browser_History_Hindsight.ps1
 
 
CLEAN_ALL_USERS_TMP.ps1
CLEAN_ALL_USERS_TMP.ps1
 
 
Get-BrowserData.ps1
Get-BrowserData.ps1
 
 
Get_RecyleBin
Get_RecyleBin
 
 
Linux_File_Seach.bash
Linux_File_Seach.bash
 
 
Log4j_Linux.bash
Log4j_Linux.bash
 
 
PSFalcon_Runscript_loop_1_0_OLD_PUBLIC.ps1
PSFalcon_Runscript_loop_1_0_OLD_PUBLIC.ps1
 
 
PSFalcon_Runscript_loop_2_0_PUBLIC.ps1
PSFalcon_Runscript_loop_2_0_PUBLIC.ps1
 
 
README.md
README.md
 
 
RECON IR.ps1
RECON IR.ps1
 
 
RTR_browsinghistoryview.ps1
RTR_browsinghistoryview.ps1
 
 
Remote_Bitlocker_lock.ps1
Remote_Bitlocker_lock.ps1
 
 
SET_ACL_FORCE_DELETE.ps1
SET_ACL_FORCE_DELETE.ps1
 
 
SHOW_DISK_SPACE
SHOW_DISK_SPACE
 
 
Wavesor_AKA_WebNav.ps1
Wavesor_AKA_WebNav.ps1
 
 
Win10_etl_2_pcap.ps1
Win10_etl_2_pcap.ps1
 
 
WinPMEM_Portable.ps1
WinPMEM_Portable.ps1
 
 
srum_dump2.ps1
srum_dump2.ps1
 
 

Repository files navigation

More Stuff:

https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting

https://github.com/freeload101/SCRIPTS/tree/master/Bash/CS_BADGER

CrowdStrike_RTR_Powershell_Scripts

RTR_browsinghistoryview.ps1 image

Getting into RTR scripting

  • add my Rekall / yara scrtipts ( full powershell )
  • search / find a IR powershell script ( I have url some place ... I just can't find it .. )
  • https://github.com/KurtDeGreeff/PlayPowershell ( add anything cool from here )
  • RTR to zip all the info up and pull it down ( some code I saw for this some place .. ? )

Reference:

https://github.com/meirwah/awesome-incident-response

https://github.com/rshipp/awesome-malware-analysis

https://github.com/KurtDeGreeff/PlayPowershell

https://github.com/PolarBearGod/CrowdStrike-RTR-Scripts

https://github.com/bk-CS/PSFalcon

https://github.com/bk-cs/PSFalcon/tree/master/real-time-response

https://github.com/freeload101/CrowdStrike_RTR_Powershell_Scripts/blob/main/PSFalcon_Runscript_loop_PUBLIC.ps1

auto retry

hostname input

string "ALL DONE" to verify scripts completed

add to RTR group

foreach ($Property in (Get-CimInstance Win32_Process  )) { 
if (((Invoke-CimMethod -InputObject $Property -MethodName GetOwner).User) -eq "USERNAMEHERE" ) {
Write-Output  Killing $Property.ProcessId
Stop-Process -Id $Property.ProcessId   -Force
}
}
Write-Output  "ALL DONE"```

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

66 stars

Watchers

7 watching

Forks

9 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages