jafarspalace / Crowdstrike-Falcon-Scripts

Powershell Scripts to work on Crowdstrike Falcon that pull back raw data relevant to forensic investigation

BlueTeam Unite! #2

Open freeload101 opened 9 months ago

freeload101 commented 9 months ago

I found your script in our SOC CS Custom scripts folder :P

https://github.com/freeload101/CrowdStrike_RTR_Powershell_Scripts

check out RECON IR.ps1 and srum_dump2.ps1, maybe WinPMEM_Portable.ps1, and you may also be interested in Portable_Volatility specifically. All of these run without alerts from CS

You can runas trusted installer via tricks like triggers CS 🏴‍☠️

sc config TrustedInstaller binPath= "Reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcmExec" /v Start /t reg_dword /d 4 /f"
sc start "TrustedInstaller"
:: don't remove this or things will go wrong... it will fix the service back
sc config TrustedInstaller binPath= "C:\Windows\servicing\TrustedInstaller.exe"

more stuff: https://github.com/freeload101/SCRIPTS/tree/master/CrowdStrike%20Threat%20Hunting

😉 LMK if you want to collab on something any time!

-RMcCurdy.com
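The binPath swap quoted above is exactly the kind of change a defender wants to catch: the service's configured image is rewritten, briefly executed as the service account, then restored. The following PowerShell is an added example written for this thread, not code from either repository; it compares a service's live configuration (Win32_Service.PathName and the registry ImagePath value) against a constructed known-good baseline and flags any mismatch. The baseline paths, the constructed sample records, and the function names are assumptions for illustration.

```powershell
# Added example (not from either repo): audit service binary paths against a baseline.
# A rewritten binPath shows up in Win32_Service.PathName and in the ImagePath value under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. Baseline values below are constructed.

$Baseline = @{
    'TrustedInstaller' = 'C:\Windows\servicing\TrustedInstaller.exe'
    'Spooler'          = 'C:\Windows\System32\spoolsv.exe'
}

function Get-ServiceRecord {
    # Live collection: one record per service, from CIM plus the registry ImagePath.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $img = (Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" `
                    -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        [pscustomobject]@{ Name = $_.Name; PathName = $_.PathName; ImagePath = $img; State = $_.State }
    }
}

function Normalize-BinaryPath {
    param([string] $Path)
    # Strip surrounding quotes and expand %SystemRoot%-style values so the two sources compare equal.
    if (-not $Path) { return '' }
    [Environment]::ExpandEnvironmentVariables($Path.Trim().Trim('"'))
}

function Test-ServiceBinaryPath {
    param(
        [Parameter(Mandatory)] [hashtable] $Expected,
        [object[]] $Records = (Get-ServiceRecord)   # pass pre-collected records for offline review
    )
    foreach ($svc in $Records) {
        if (-not $Expected.ContainsKey($svc.Name)) { continue }
        $want     = $Expected[$svc.Name]
        $pathOk   = (Normalize-BinaryPath $svc.PathName)  -ieq $want
        $imageOk  = (Normalize-BinaryPath $svc.ImagePath) -ieq $want
        [pscustomobject]@{
            Service   = $svc.Name
            Expected  = $want
            PathName  = $svc.PathName
            ImagePath = $svc.ImagePath
            Tampered  = -not ($pathOk -and $imageOk)
        }
    }
}

# Constructed sample records standing in for a host where TrustedInstaller's binPath
# has been swapped for a one-off command (as in the trick above) and Spooler is untouched.
$Sample = @(
    [pscustomobject]@{
        Name      = 'TrustedInstaller'
        PathName  = 'Reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcmExec /v Start /t reg_dword /d 4 /f'
        ImagePath = 'Reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CcmExec /v Start /t reg_dword /d 4 /f'
        State     = 'Stopped'
    },
    [pscustomobject]@{
        Name      = 'Spooler'
        PathName  = 'C:\Windows\System32\spoolsv.exe'
        ImagePath = '%SystemRoot%\System32\spoolsv.exe'
        State     = 'Running'
    }
)

# Offline review of the constructed records; only TrustedInstaller is reported.
Test-ServiceBinaryPath -Expected $Baseline -Records $Sample | Where-Object Tampered | Format-Table -AutoSize

# Live host (run elevated so the registry ImagePath values are readable):
# Test-ServiceBinaryPath -Expected $Baseline | Where-Object Tampered
```

Because the swap is restored within seconds, a point-in-time audit only catches it if it runs at the right moment; the durable signal is the registry write itself, which Sysmon records as Event ID 13 (RegistryEvent, value set) on the service's ImagePath value, so pairing this check with a Sysmon rule on `HKLM\SYSTEM\CurrentControlSet\Services\*\ImagePath` is the more reliable detection.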

jafarspalace commented 9 months ago

That is so cool to hear my script landed in a SOC folder somewhere!

I wrote this script (pretty barbaric now that I look at it again) when I worked at Yahoo and needed to automate pulling back forensic artifacts based on the hit. And I did it all within powershell and used shadow copies due to locked files but also compatibility reasons.

I actually thought of revisiting this to make it much better. One other thing that came to mind was adding conditions based on OS (Server, Win10, etc) and I had created a mac version but Crowdstrike (at the time) was having issues running it due to character limit so I removed it from my github. I can probably add it back but that was for Catalina I think at this point.

A collab would be fun, but I don't really have access anymore to test Crowdstrike and also during my tests, I found LOTS of bugs and reported them to our Rep at the time. I moved on to a different employer now so that would probably be one of the greater challenges I'd face now.

Thanks again for reaching out. This made my day!

Ryan

On Wed, Jan 17, 2024 at 5:39 AM Robert McCurdy wrote:
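The comment above describes pulling forensic artifacts through shadow copies because the live files are locked. The PowerShell below is an added example written for this thread, not code from the Crowdstrike-Falcon-Scripts repository: it creates a Volume Shadow Copy via WMI, exposes the snapshot through a temporary directory symlink (PowerShell's file provider does not handle the `\\?\GLOBALROOT` device path reliably, while `mklink` does), copies a constructed list of normally locked artifacts out, hashes each copy, and cleans up. It assumes an elevated session; the link path, output directory, and artifact list are assumptions for illustration.

```powershell
# Added example (not the repo's code): collect locked artifacts from a fresh VSS snapshot.
# Requires an elevated PowerShell session. Link path and destination are constructed values.

function New-VssSnapshot {
    param([string] $Volume = 'C:\')
    # Win32_ShadowCopy.Create returns ReturnValue 0 and the new ShadowID on success.
    $r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
             -Arguments @{ Volume = $Volume; Context = 'ClientAccessible' }
    if ($r.ReturnValue -ne 0) { throw "Win32_ShadowCopy.Create failed with code $($r.ReturnValue)" }
    Get-CimInstance -ClassName Win32_ShadowCopy | Where-Object { $_.ID -eq $r.ShadowID }
}

function Copy-LockedArtifacts {
    param(
        [Parameter(Mandatory)] $Shadow,                    # object returned by New-VssSnapshot
        [Parameter(Mandatory)] [string[]] $RelativePaths,  # paths relative to the volume root
        [Parameter(Mandatory)] [string] $Destination,
        [string] $LinkPath = 'C:\vss_link'                 # temporary, constructed
    )
    # The snapshot's DeviceObject looks like \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN.
    # Expose it as a directory symlink; the trailing backslash on the target is required.
    cmd /c mklink /d $LinkPath "$($Shadow.DeviceObject)\" | Out-Null
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    try {
        foreach ($rel in $RelativePaths) {
            $src = Join-Path $LinkPath $rel
            $dst = Join-Path $Destination ($rel -replace '[\\/:]', '_')
            $rec = [pscustomobject]@{ Artifact = $rel; Saved = $dst; Copied = $false; Sha256 = $null }
            if (Test-Path -LiteralPath $src) {
                # The copy comes from the snapshot, so the live handle lock does not apply.
                Copy-Item -LiteralPath $src -Destination $dst -Force
                $rec.Copied = $true
                $rec.Sha256 = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
            }
            $rec
        }
    }
    finally {
        # rmdir on a directory symlink removes only the link, never the snapshot contents.
        cmd /c rmdir $LinkPath | Out-Null
    }
}

# Constructed artifact list: registry hives, the SRUM database, and the Security event log,
# all of which are held open by the OS and cannot be copied from the live volume.
$Artifacts = @(
    'Windows\System32\config\SYSTEM',
    'Windows\System32\config\SOFTWARE',
    'Windows\System32\sru\SRUDB.dat',
    'Windows\System32\winevt\Logs\Security.evtx'
)

$snap = New-VssSnapshot -Volume 'C:\'
try {
    Copy-LockedArtifacts -Shadow $snap -RelativePaths $Artifacts -Destination "C:\IR\$env:COMPUTERNAME" |
        Format-Table -AutoSize
}
finally {
    # Delete the snapshot once the copies and their hashes are recorded.
    Remove-CimInstance -InputObject $snap
}
```

Recording the SHA256 of each copy at collection time is what lets the evidence be tied back to this host and snapshot later; the snapshot itself is deleted at the end so the collection does not leave extra restore points behind on the endpoint.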