
CrowdStrike RTR Scripts

Real Time Response is one feature in my CrowdStrike environment which is underutilised. I wanted to start using my PowerShell to augment some of the gaps in collection and response. Each script contains an inputschema or outputschema where necessary, with the intended purpose of using them in Falcon Fusion Workflows.

Hopefully the files are self explanatory.

Collect-User-Information

This was born from the need to attribute user actions to detections or incidents by capturing their screen, their browser history, download directory and more at the time it occurred. This is a work in progress as it does not yet upload the captured information to CrowdStrike.

A summary of what the code does:

  • Currently attempts to install the PSSQLite module. I dislike that, and would like to replace it to deploy an assembly at some point.
  • Temporary path is set to c:\windows\temp\collect-user-information\ because I couldn't get the output path from CrowdStrike Fusion to then download
  • Collects:
    • Script variables and environment variables, noting this is collected as SYSTEM
    • Screenshots of all monitors, noting that 2k and 4k screens mess with this. The workaround to execute as a user creates a scheduled task and runs in the user's context. That will look bad if you are not aware of it.
    • Open TCP connections
    • PowerShell history
    • DNS cache
    • Running processes
    • Cached Outlook files
    • List of files in recycle bin and downloads folder, along with SHA256 hashes
    • All Chromium variant browser history and download history as CSV (with PSSQLite module) or fallback to grabbing whole sqlite file and dump url strings for quick lookup.
    • INetCache files, this needs to be improved for Internet Explorer (yes, it's still in use in places)
    • Firefox browser history as CSV (with PSSQLite module) or fallback to grabbing whole sqlite file and dump url strings for quick lookup.
    • Windows Event log for past hour

This is all compressed into file c:\windows\temp\collect-user-information.zip

Execute from Real Time Response:

runscript -CloudFile=Collect-User-Information

or

runscript -CloudFile=Collect-User-Information -CommandLine='{"Username": "USERNAMEHERE"}'
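As an added example (not the repository's own script), the module-free fallback described above for Chromium history, dumping URL strings from the raw SQLite file, together with SHA256 hashes of the Downloads folder, written to the README's temp path and zipped. It assumes the -CommandLine JSON arrives as the first script argument and assumes the standard Chrome and Edge profile paths.

```powershell
# Added example, not the repository's own code. Assumes the RTR -CommandLine JSON
# is passed as $args[0]; a placeholder username is used when run outside RTR.
$InputJson    = if ($args.Count -gt 0) { $args[0] } else { '{"Username": "USERNAMEHERE"}' }
$Username     = ($InputJson | ConvertFrom-Json).Username
$OutDir       = 'C:\Windows\Temp\collect-user-information'
$ZipPath      = 'C:\Windows\Temp\collect-user-information.zip'
$UserProfile  = Join-Path 'C:\Users' $Username
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-UrlStringsFromSqlite {
    param([string]$Path)
    # Open with FileShare ReadWrite so a running browser's lock on History does not block the read
    $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $bytes = New-Object byte[] ([int]$fs.Length)
        [void]$fs.Read($bytes, 0, $bytes.Length)
    } finally { $fs.Dispose() }
    # Latin-1 maps every byte to one char, so the regex can run straight over the binary pages
    $text = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)
    [regex]::Matches($text, 'https?://[^\x00-\x20"''<>]+') | ForEach-Object { $_.Value } | Sort-Object -Unique
}

# Chromium variants share the same profile layout; assumed locations for Chrome and Edge
$HistoryFiles = @{
    Chrome = Join-Path $UserProfile 'AppData\Local\Google\Chrome\User Data\Default\History'
    Edge   = Join-Path $UserProfile 'AppData\Local\Microsoft\Edge\User Data\Default\History'
}
foreach ($browser in $HistoryFiles.Keys) {
    $path = $HistoryFiles[$browser]
    if (-not (Test-Path $path)) { continue }
    Get-UrlStringsFromSqlite -Path $path | Set-Content -Path (Join-Path $OutDir "$browser-history-urls.txt")
}

# Downloads inventory with SHA256 hashes, ready for lookup against the detection's IOCs
$Downloads = Join-Path $UserProfile 'Downloads'
if (Test-Path $Downloads) {
    Get-ChildItem -Path $Downloads -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $hash = Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue
        [pscustomobject]@{ Path = $_.FullName; SHA256 = $hash.Hash; LastWrite = $_.LastWriteTime; Bytes = $_.Length }
    } | Export-Csv -Path (Join-Path $OutDir 'downloads-sha256.csv') -NoTypeInformation
}

# One archive, so a single RTR get retrieves everything
Compress-Archive -Path "$OutDir\*" -DestinationPath $ZipPath -Force
```

The URL dump is a quick-lookup list only; it includes every URL-shaped string in the database pages, not just visited entries, so treat it as leads rather than a visit log.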

Message-User

This script is simple and uses Remote Desktop messaging to present a messagebox to the user. It's not very robust, as I cannot get the user session dynamically just yet and it would be better as a toast popup. It was just thrown together as a proof of concept for use with automatic containment to inform the user, but can be used for anything.

Execute from Real Time Response:

runscript -CloudFile=Message-User -CommandLine='{"message": "test"}'


Issues

Message-User does not work without RDUser-Message

C:> runscript -CloudFile=Message-User -CommandLine='{"message": "all your base are belong to us"}'
The term 'Send-RDUserMessage' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Need to identify new method.

Error executing on server

C:> runscript -CloudFile=Collect-User-Information

Exception calling "ShouldContinue" with "2" argument(s): "A command that prompts the user failed because the host program or the command type does not support user interaction. The host was attempting to request confirmation with the following message: PowerShellGet requires NuGet provider version '2.8.5.201' or newer to interact with NuGet-based repositories. The NuGet provider must be available in 'C:\Program Files\PackageManagement\ProviderAssemblies' or 'C:\Windows\system32\config\systemprofile\AppData\Local\PackageManagement\ProviderAssemblies'. You can also install the NuGet provider by running 'Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force'. Do you want PowerShellGet to install and import the NuGet provider now?"NuGet provider is required to interact with NuGet-based repositories. Please ensure that '2.8.5.201' or newer version of NuGet provider is installed.
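The prompt in the error above comes from PowerShellGet trying to bootstrap the NuGet provider, which the RTR host cannot answer. As an added example (not the repository's code), a pre-flight function that runs the bootstrap non-interactively with the command the error message itself recommends, and returns $false so the script can take its module-free fallback instead of failing:

```powershell
# Added example, not the repository's own code. Function name is hypothetical.
function Initialize-PSSQLite {
    $ConfirmPreference = 'None'   # no confirmation prompts in this scope
    try {
        # PSGallery requires TLS 1.2; older hosts default to lower protocols
        [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
        if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
            # Same command the error message recommends, run up front with -Force so nothing prompts
            Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force | Out-Null
        }
        if (-not (Get-Module -ListAvailable -Name PSSQLite)) {
            Install-Module -Name PSSQLite -Force -Confirm:$false -ErrorAction Stop
        }
        Import-Module PSSQLite -ErrorAction Stop
        return $true
    } catch {
        # Offline hosts or blocked egress land here; caller falls back to the raw string dump
        Write-Output "PSSQLite unavailable ($($_.Exception.Message)); using raw SQLite string dump instead"
        return $false
    }
}
$HavePSSQLite = Initialize-PSSQLite
```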

Get Application, System and Security Logs from an Endpoint

Hey Guys,

I am looking to find something in PowerShell that would help us in getting and downloading the Application, System and Security Logs from an endpoint using Falcon RTR (Edit and Run Scripts). I know Analysts usually use commands in the "Run Commands" section, which upload the logs to the CrowdStrike cloud and then we can download them using a get statement (Windows). I am looking to create a script that could be utilized to run in the RTR and that would fetch these types of logs from endpoints (both Windows & Linux).

Is this possible in Falcon RTR? If yes, is there any documentation available online that can assist me with it? Assistance on this would be highly appreciated.

Thank you!

IOCs within captured files are detected

IOCs such as domains which are within files such as browser history are detected.
I expect this is due to when the Prevention Policy Memory Scanning is enabled.

Potential fix is to add an IOA exclusion for the path c:\windows\collect-user-information* however this will only work where a subscription has more than just Falcon Detect (as custom IOAs are in another license)
