Main RedLotus Scripts
Signature and Integrity Checks:
RL Signature Check (RedLotusSignatures.ps1): Takes a list of file paths (often from a paths.txt file generated by dumping process strings) and checks the Authenticode digital signature status of each file (Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, or NotFound). Crucial for identifying unsigned or tampered executables/DLLs.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1)
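The check described above, written out as an added example (this is not the RedLotusSignatures.ps1 code): every path in a paths.txt file is classified by its Authenticode status, with a NotFound row for paths that no longer exist. The file name paths.txt and the output file signature-review.csv are assumptions.

```powershell
# Added example, not the RedLotus script: classify the Authenticode status of each
# path listed in a text file (one absolute path per line; file name is an assumption).
param(
    [string]$PathList = ".\paths.txt"
)

function Get-SignatureReport {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $p = $p.Trim()
        if ([string]::IsNullOrWhiteSpace($p)) { continue }
        # A path dumped from process memory may point at a file that was deleted since.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Status = 'NotFound'; Signer = $null }
            continue
        }
        try {
            $sig = Get-AuthenticodeSignature -LiteralPath $p -ErrorAction Stop
            [pscustomobject]@{
                Path   = $p
                # SignatureStatus values: Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...
                Status = $sig.Status.ToString()
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        } catch {
            [pscustomobject]@{ Path = $p; Status = 'UnknownError'; Signer = $null }
        }
    }
}

$paths  = Get-Content -LiteralPath $PathList
$report = Get-SignatureReport -Paths $paths
$report | Sort-Object Status | Format-Table -AutoSize
# Everything that is not Valid goes to a CSV for the reviewer (output path is an assumption).
$report | Where-Object Status -ne 'Valid' | Export-Csv -NoTypeInformation -Path .\signature-review.csv
```

Valid only means the file matches its signature and the chain is trusted; the Signer column still has to be compared with the vendor expected for that binary.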
Prefetch Integrity Analyzer (RedLotusPrefetchIntegrityAnalyzer.ps1): Scans the C:\Windows\Prefetch directory for anomalies. It checks whether files are read-only, whether they have the correct "MAM" header, and identifies files with duplicate hashes (potentially indicating manipulation with the type or echo commands).
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusPrefetchIntegrityAnalyzer.ps1)
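The three Prefetch checks above, as an added example rather than the RedLotus script itself: read-only attribute, the "MAM" magic at offset 0 of a Windows 10/11 Prefetch file, and .pf files whose content hashes are identical. Run it from an elevated prompt, since the Prefetch folder is not readable by standard users.

```powershell
# Added example, not RedLotusPrefetchIntegrityAnalyzer.ps1: flag Prefetch files that are
# read-only, lack the "MAM" compression header, or share a SHA-256 hash with another file.
$prefetchDir = "$env:SystemRoot\Prefetch"

function Get-PrefetchIntegrity {
    param([string]$Directory)
    $files = Get-ChildItem -LiteralPath $Directory -Filter *.pf -File -ErrorAction Stop
    $rows = foreach ($f in $files) {
        # Only the first 3 bytes are needed: Windows 10/11 Prefetch files begin with "MAM".
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try {
            $buf = New-Object byte[] 3
            $n   = $fs.Read($buf, 0, 3)
        } finally { $fs.Dispose() }
        $magic = if ($n -eq 3) { [System.Text.Encoding]::ASCII.GetString($buf) } else { '' }
        [pscustomobject]@{
            Name      = $f.Name
            ReadOnly  = $f.IsReadOnly          # the Prefetch service never sets this itself
            HeaderOk  = ($magic -eq 'MAM')     # also false for empty or truncated files
            Hash      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            LastWrite = $f.LastWriteTimeUtc
        }
    }
    # Two differently named .pf files with identical content do not occur naturally;
    # it indicates one file was copied over another (e.g. with type/echo redirection).
    $dupes = @($rows | Group-Object Hash | Where-Object Count -gt 1 | ForEach-Object { $_.Group.Name })
    foreach ($r in $rows) {
        $r | Add-Member -NotePropertyName DuplicateHash -NotePropertyValue ($dupes -contains $r.Name) -PassThru
    }
}

$result = Get-PrefetchIntegrity -Directory $prefetchDir
$result | Where-Object { $_.ReadOnly -or -not $_.HeaderOk -or $_.DuplicateHash } |
    Format-Table Name, ReadOnly, HeaderOk, DuplicateHash, LastWrite -AutoSize
```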
Artifact Parsing and Data Extraction:
RL BAM Script (RedLotusBam.ps1): Parses BAM registry keys, displays execution timestamps (UTC and user time zone) and the application path, attempts to resolve the user SID, and, crucially, also performs a signature check (using the Get-Signature function) on the executable path, reporting its status or that the file was not found.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
Streams Script (Streams.ps1): Scans a specified folder (optionally recursively) for files, retrieving details such as path, name, MD5 hash, owner, timestamps and attributes, and, importantly, lists Alternate Data Streams (ADS), including Zone.Identifier content. Helps find hidden data or trace file origins.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/Streams.ps1)
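The ADS part of that scan, as an added example (not Streams.ps1): each file's non-default streams are listed and, where a Zone.Identifier stream exists, its ZoneId and HostUrl values are parsed so the download origin shows up in the same table as the MD5 hash.

```powershell
# Added example, not the Streams.ps1 script: list alternate data streams per file and
# parse Zone.Identifier (Mark-of-the-Web) to expose where a file came from.
param([string]$Folder = '.', [switch]$Recurse)

function Get-AdsReport {
    param([string]$Root, [bool]$Recursive)
    $files = Get-ChildItem -LiteralPath $Root -File -Recurse:$Recursive -ErrorAction SilentlyContinue
    foreach ($f in $files) {
        # ':$DATA' is the file's main stream; anything else is an ADS.
        $ads = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
               Where-Object Stream -ne ':$DATA'
        if (-not $ads) { continue }
        $zoneId = $null; $hostUrl = $null
        if ($ads.Stream -contains 'Zone.Identifier') {
            # Zone.Identifier is INI-style text: [ZoneTransfer] / ZoneId=3 / HostUrl=https://...
            $txt = Get-Content -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
            foreach ($line in $txt) {
                if     ($line -match '^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                elseif ($line -match '^HostUrl=(.+)$') { $hostUrl = $Matches[1] }
            }
        }
        [pscustomobject]@{
            Path    = $f.FullName
            Streams = ($ads.Stream -join ', ')
            ZoneId  = $zoneId          # 3 = Internet, 4 = Restricted sites
            HostUrl = $hostUrl
            MD5     = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
        }
    }
}

Get-AdsReport -Root $Folder -Recursive $Recurse.IsPresent | Format-Table -AutoSize
```

A missing Zone.Identifier on a recently downloaded file is itself worth noting: the stream is easy to strip, but browsers and mail clients add it by default.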
ActivitiesCache Parser (ActivitiesCache.ps1): Downloads and runs a dedicated .exe parser (ActivitiesCacheParser.exe) to extract and format data from ActivitiesCache.db, filtering by the oldest logon time.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/activitiescache.ps1)
Task Scheduler Parsers:
ManualTasks.ps1: Lists scheduled tasks created specifically by the current user.
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/SuspiciousScheduler.ps1')"
SuspiciousScheduler.ps1: Lists scheduled tasks and flags actions involving potentially suspicious programs often used in bypasses (cmd, powershell, rundll32, etc.).
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/SuspiciousScheduler.ps1')"
Task-Scheduler-Parser/script.ps1 (Rio/ObsessiveBf): Parses the XML task files in C:\Windows\System32\Tasks, extracts commands and arguments, saves them to text files, and flags tasks containing suspicious keywords.
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/ObsessiveBf/Task-Scheduler-Parser/main/script.ps1')"
Information Gathering:
HardDiskVolume Converter (RedLotusHardDiskVolumeConverter.ps1): Takes a list of paths starting with \Device\HarddiskVolumeX (often found in DPS logs) from a paths.txt file and converts them to standard drive-letter paths (e.g., C:\...).
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusHardDiskVolumeConverter.ps1)
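How that conversion can be done, as an added example that is not the RedLotus script: QueryDosDevice is asked for the NT device name behind each drive letter on the live system, and the resulting table is used to rewrite the \Device\HarddiskVolumeN prefix. The constructed sample path and the file name paths.txt are assumptions.

```powershell
# Added example, not RedLotusHardDiskVolumeConverter.ps1: build a device-name -> drive-letter
# map with QueryDosDevice and rewrite \Device\HarddiskVolumeN paths from a list.
Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DeviceToDriveMap {
    # Returns e.g. @{ '\Device\HarddiskVolume3' = 'C:' } for every mounted drive letter.
    $map = @{}
    $sb  = New-Object System.Text.StringBuilder 1024
    foreach ($d in [System.IO.DriveInfo]::GetDrives()) {
        $letter = $d.Name.TrimEnd('\')            # "C:\" -> "C:"
        [void]$sb.Clear()
        if ([Native.Kernel32]::QueryDosDevice($letter, $sb, $sb.Capacity) -gt 0) {
            $map[$sb.ToString()] = $letter
        }
    }
    $map
}

function Convert-DevicePath {
    param([string]$Path, [hashtable]$Map)
    foreach ($dev in $Map.Keys) {
        # Require the separator after the device name so Volume1 never matches Volume10.
        if ($Path -like "$dev\*") { return $Map[$dev] + $Path.Substring($dev.Length) }
    }
    $Path   # volume not currently mounted (e.g. a removed USB drive): left unchanged
}

$map = Get-DeviceToDriveMap
# Constructed sample line; replace with the DPS paths from paths.txt (file name is an assumption).
$inputPaths = if (Test-Path -LiteralPath .\paths.txt) { Get-Content -LiteralPath .\paths.txt }
              else { @('\Device\HarddiskVolume3\Windows\System32\cmd.exe') }
$inputPaths | ForEach-Object { Convert-DevicePath -Path $_ -Map $map }
```

Paths that come back unchanged point at a volume that is no longer attached, which is itself useful information when a DPS entry refers to a removable drive.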
Utility Scripts:
Alt Finders (AltChecker.ps1, message.txt script): Search user directories and log files for specific strings (such as "user", "username", or custom terms) to find evidence of alternate accounts.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/LBGh2Cyb)
Execution Policy: Many scripts require changing the PowerShell execution policy with a command such as Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass to allow them to run.
Hinting at Detection: PowerShell scripts serve as automated assistants in the ScreenSharing process. They rapidly collect and pre-process data from numerous system artifacts, perform checks (such as signature validation), and highlight potentially suspicious entries based on predefined logic, thereby accelerating the identification of evidence related to cheats or bypass attempts.