Since 2021, I have developed a number of scripts to assist me with my investigations and remediation efforts. I figured, why not share them to the public, in hopes it helps you.
The scripts I developed are intended to work with Crowdstrike Endpoint Detection and Response (EDR). Essentially cloud scripts to quickly remediate devices remotely with a single click of a button.
The purpose of my scripts is to assist a SOC or Incident Response Analyst with their investigation. Some scripts assist with remediation of a particular unwanted software/adware. Other scripts assist with investigating a particular system by username to provide more visibility.
- WinInspect - WinInspect is a light-weight tool to assist an analyst with providing more visibility into a Windows system based on a target username.
- MACInspect - MACInspect is a light-weight tool to assist an analyst with providing more visibility into a MAC system based on a target username.
- LinInspect - LinInspect is a light-weight tool to assist an analyst with providing more visibility into a Linux system based on a target username.
- EnumChromeExt - EnumChromeExt retrieves Chrome Extensions and automatically attempts to detect the name.
- Win-PortScanner - Win-PortScanner is an extremely light port scanner.
- ScanDll - ScanDll is tool to help search processes for a particular dynamic-link library.
- ScanDllv2 - ScanDllv2 is a tool designed to search processes for a specific dynamic-link library using C#. It's much faster than ScanDll, but the output is written to a log file due to issues with standard output display on the CrowdStrike RTR UI.
- RegScanner - An amazingly fast tool designed to search for a registry key or value using a unique keyword.
- Win-DiskImage-Toolkit - A simple tool to quickly enumerate or unmount a disk image.
- ScreenConnect-C2Extractor - ScreenConnect-C2Extractor retrieves the C2 from the
user.configof ScreenConnect aka ConnectWise Client.
- CSSession - CSSession is a CrowdStrike API script that allows you to connect via Real-Time-Response by entering a target hostname as an argument. You must have the appropriate api permissions and ensure your clientid / secret is correct to use this script.
- CrowdStrike-API-queued-script - CrowdStrike API Queued script allows you to queue a cloud script of your choice to a target host. You must have the appropriate api permissions and clientid / secret is correct to use this script.
The following library contains a list of common unwanted software/adware that are seen in the wild. If you see a particular software you would like to remediate, feel free to download and use it in your environment.
- 123Movies
- 39bar
- AppMaster
- AppRun
- AskPartnerNetwork
- Ask Toolbar
- BBSK(SecureBrowser)
- Bloom
- BrightTramp
- BrowserAssistant
- ByteFence
- Cash
- Clearbar
- DSOne Agent
- DebuggerStepperBoundaryAttribute
- DriverSupportAOsvc
- DriverTonic
- Editor
- ElevenClock
- Energy
- Framework
- Gallery
- GameCenter
- Headlines
- Healthy
- IBuddy
- LiteBrowser
- Music
- OneLaunch
- Ouroborosbrowser
- PCAcceleratePro
- PCAppStore
- PCHelpSoftDriverUpdater
- PC_Cleaner
- PDFunk
- Player
- Prime
- Restoro
- SlimCleaner
- Strength
- Taskbarsystem
- Tone
- Walliant
- WaveBrowser
- WebDiscoverBrowser
- Wellness
- XMRig
- flbmusic
- leading
- streaming
- streamlink-twitch-gui
Do you find my work helpful and want to show your support? Feel free to add me on Twitter.
Any issues with a script, please feel free to report it as an issue.