Main RedLotus Scripts
Signature and Integrity Checks:
RL Signature Check (RedLotusSignatures.ps1): Takes a list of file paths (often from a paths.txt file generated by dumping process strings) and checks the Authenticode digital signature status of each file (Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, or NotFound). Crucial for identifying unsigned or tampered executables/DLLs.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1)
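The check described above, written out as an added example (this is not the RedLotusSignatures.ps1 script itself). It assumes a paths.txt in the current directory with one absolute file path per line, and it reports the same status vocabulary, including a NotFound status for paths that no longer exist:

```powershell
# Added example of an Authenticode status sweep over a list of paths; not the RedLotus script.
# Assumes .\paths.txt with one absolute file path per line (constructed input).
function Get-PathSignatureStatus {
    param([string]$PathList = '.\paths.txt')

    foreach ($line in Get-Content -LiteralPath $PathList) {
        $p = $line.Trim().Trim('"')
        if (-not $p) { continue }

        # A path that no longer exists is itself worth noting: the binary may have been deleted after use.
        if (-not (Test-Path -LiteralPath $p -PathType Leaf)) {
            [pscustomobject]@{ Path = $p; Status = 'NotFound'; Signer = $null }
            continue
        }

        # Get-AuthenticodeSignature yields the Status values listed on the page
        # (Valid, NotSigned, HashMismatch, NotTrusted, UnknownError, ...).
        $sig = Get-AuthenticodeSignature -LiteralPath $p
        [pscustomobject]@{
            Path   = $p
            Status = $sig.Status.ToString()
            Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

$results = Get-PathSignatureStatus

# Anything other than Valid deserves a closer look; HashMismatch means the file changed after signing.
$results | Where-Object Status -ne 'Valid' | Sort-Object Status | Format-Table -AutoSize
$results | Group-Object Status | Select-Object Name, Count
```

NotSigned on its own is common for legitimate software; the interesting cases are HashMismatch (modified after signing) and NotTrusted (signed by a certificate the machine does not trust), which is why the report keeps the signer subject next to the status.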
Prefetch Integrity Analyzer (RedLotusPrefetchIntegrityAnalyzer.ps1): Scans the C:\Windows\Prefetch directory for anomalies. It checks whether files are read-only, whether they have the correct "MAM" header, and identifies files with duplicate hashes (potentially indicating manipulation via type or echo commands).
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusPrefetchIntegrityAnalyzer.ps1)
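The three checks the analyzer describes (read-only flag, "MAM" header, duplicate content), as an added example that is not the RedLotus script. It assumes the default prefetch directory and an elevated prompt, since standard users cannot read C:\Windows\Prefetch:

```powershell
# Added example of the prefetch integrity checks; not RedLotusPrefetchIntegrityAnalyzer.ps1.
# Reading C:\Windows\Prefetch requires an elevated PowerShell session.
function Get-PrefetchIntegrity {
    param([string]$PrefetchDir = 'C:\Windows\Prefetch')

    foreach ($f in Get-ChildItem -LiteralPath $PrefetchDir -Filter '*.pf' -File) {
        # Windows 10/11 prefetch files are compressed and begin with the bytes "MAM" (0x4D 0x41 0x4D).
        $header = New-Object byte[] 3
        $fs = [System.IO.File]::OpenRead($f.FullName)
        try     { $n = $fs.Read($header, 0, 3) }
        finally { $fs.Dispose() }
        $magic = if ($n -eq 3) { [System.Text.Encoding]::ASCII.GetString($header) } else { '' }

        [pscustomobject]@{
            Name      = $f.Name
            ReadOnly  = $f.IsReadOnly      # the prefetcher never sets this; its presence means manual intervention
            HeaderOK  = ($magic -eq 'MAM')
            SizeBytes = $f.Length
            Modified  = $f.LastWriteTimeUtc
            Hash      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        }
    }
}

$pf = Get-PrefetchIntegrity

# Read-only files or malformed headers: something other than the prefetcher wrote or locked the file.
$pf | Where-Object { $_.ReadOnly -or -not $_.HeaderOK } |
    Format-Table Name, ReadOnly, HeaderOK, SizeBytes, Modified -AutoSize

# Identical content under different names: a genuine .pf embeds the executable it was created for,
# so two distinct files with the same SHA256 point to copying or overwriting (e.g. via type/echo).
$pf | Group-Object Hash | Where-Object Count -gt 1 | ForEach-Object { $_.Group } |
    Format-Table Name, Modified, Hash -AutoSize
```

The header check is specific to the compressed format used since Windows 10; on older builds the files are uncompressed and start with a different signature, so HeaderOK would report false for every file there.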
Artifact Parsing and Data Extraction:
RL BAM Script (RedLotusBam.ps1): Parses BAM registry keys, displays execution timestamps (UTC and the user's time zone) and the application path, attempts to resolve the user SID, and, crucially, also performs a signature check (using the Get-Signature function) on the executable path, reporting its status or that the file was not found.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)
Streams Script (Streams.ps1): Scans a specified folder (optionally recursively) for files, retrieving details like path, name, hash (MD5), owner, timestamps, attributes, and, importantly, lists Alternate Data Streams (ADS) including Zone.Identifier content. Helps find hidden data or trace file origins.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/Streams.ps1)
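An added example of the kind of report Streams.ps1 produces (this is not the Streams.ps1 code). It assumes the user's Downloads folder as the default target and shows how the Zone.Identifier stream exposes a file's download origin:

```powershell
# Added example (not Streams.ps1): per-file metadata plus alternate data streams and Zone.Identifier.
# Default folder is an assumption; pass -Folder to scan elsewhere.
function Get-FileStreamsReport {
    param([string]$Folder = "$env:USERPROFILE\Downloads", [switch]$Recurse)

    foreach ($f in Get-ChildItem -LiteralPath $Folder -File -Recurse:$Recurse) {
        # Every file has the unnamed ':$DATA' stream; anything else is an alternate data stream.
        $ads = @(Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                 Where-Object Stream -ne ':$DATA')

        # Zone.Identifier is written by browsers and mail clients: ZoneId=3 means "Internet",
        # and HostUrl/ReferrerUrl, when present, record where the file came from.
        $zone = $null
        if ($ads.Stream -contains 'Zone.Identifier') {
            $zone = (Get-Content -LiteralPath $f.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) -join '; '
        }

        [pscustomobject]@{
            Path        = $f.FullName
            MD5         = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash
            Owner       = (Get-Acl -LiteralPath $f.FullName).Owner
            CreatedUtc  = $f.CreationTimeUtc
            ModifiedUtc = $f.LastWriteTimeUtc
            Attributes  = $f.Attributes
            Streams     = ($ads | ForEach-Object { "$($_.Stream) ($($_.Length) bytes)" }) -join ', '
            Zone        = $zone
        }
    }
}

# Show only files that carry at least one ADS; a non-Zone.Identifier stream with real size is the
# classic place for hidden payloads, while Zone.Identifier ties a binary back to its download.
Get-FileStreamsReport -Recurse | Where-Object Streams | Format-Table Path, Streams, Zone -Wrap
```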
ActivitiesCache Parser (ActivitiesCache.ps1): Downloads and runs a dedicated .exe parser (ActivitiesCacheParser.exe) to extract and format data from the ActivitiesCache.db, filtering by the oldest logon time.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/activitiescache.ps1)
Task Scheduler Parsers:
ManualTasks.ps1: Lists scheduled tasks created specifically by the current user.
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/SuspiciousScheduler.ps1')"
SuspiciousScheduler.ps1: Lists scheduled tasks and flags actions involving potentially suspicious programs often used in bypasses (cmd, powershell, rundll32, etc.).
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/SuspiciousScheduler.ps1')"
Task-Scheduler-Parser/script.ps1 (Rio/ObsessiveBf): Parses XML task files in C:\Windows\System32\Tasks, extracts commands and arguments, saves them to text files, and flags tasks containing suspicious keywords.
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/ObsessiveBf/Task-Scheduler-Parser/main/script.ps1')"
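The three task-scheduler scripts above share one idea: enumerate every task action and flag the ones that launch an interpreter or a commonly abused system binary, or that were authored by the current user. The added example below (not any of the listed scripts) does both in one pass. It uses the Get-ScheduledTask cmdlet rather than parsing the XML under C:\Windows\System32\Tasks directly; the keyword list extends the page's "cmd, powershell, rundll32" with a few further well-known names and is an assumption you should tune:

```powershell
# Added example (not ManualTasks.ps1, SuspiciousScheduler.ps1 or Task-Scheduler-Parser): flag task
# actions whose command line names an interpreter or LOLBin, and tasks authored by the current user.
function Get-SuspiciousTasks {
    param(
        # Assumed keyword list; cmd/powershell/rundll32 come from the page, the rest are additions.
        [string[]]$Keywords = @('cmd', 'powershell', 'pwsh', 'rundll32', 'regsvr32', 'mshta', 'wscript', 'cscript')
    )
    $pattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

    foreach ($t in Get-ScheduledTask) {
        foreach ($a in $t.Actions) {
            if (-not $a.Execute) { continue }   # COM-handler actions carry no command line
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            [pscustomobject]@{
                Task        = "$($t.TaskPath)$($t.TaskName)"
                Author      = $t.Author
                RunAs       = $t.Principal.UserId
                Command     = $cmd
                Suspicious  = [bool]($cmd -match $pattern)
                UserCreated = ($t.Author -eq $me)
            }
        }
    }
}

# Microsoft's own tasks also call cmd/powershell, so read Author and TaskPath together with Command
# before treating a hit as evidence.
Get-SuspiciousTasks | Where-Object { $_.Suspicious -or $_.UserCreated } | Format-Table -AutoSize -Wrap
```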
Information Gathering:
HardDiskVolume Converter (RedLotusHardDiskVolumeConverter.ps1): Takes a list of paths starting with \Device\HarddiskVolumeX (often found in DPS logs) from a paths.txt file and converts them to standard drive letter paths (e.g., C:\...).
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusHardDiskVolumeConverter.ps1)
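BAM stores its executable paths in the same \Device\HarddiskVolumeX form that the converter above handles, and the signature check in the RL BAM Script only works once such a path has been turned into a drive-letter path. The added example below (not the RedLotus scripts) therefore serves both sections: it builds the device-to-letter map with the QueryDosDevice Win32 call, converts paths with it, and then parses BAM with a per-entry signature status. The BAM key location and the 24-byte value layout are as documented for Windows 10/11; everything else is an assumption made for the example:

```powershell
# Added example (not RedLotusHardDiskVolumeConverter.ps1 or RedLotusBam.ps1).
Add-Type -Namespace Native -Name Kernel32 -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

# Build @{ '\Device\HarddiskVolume3' = 'C:' ; ... } from the drives mounted right now.
function Get-DeviceToDriveMap {
    $map = @{}
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Native.Kernel32]::QueryDosDevice("$($d.Name):", $sb, $sb.Capacity) -gt 0) {
            $map[$sb.ToString()] = "$($d.Name):"
        }
    }
    return $map
}

# \Device\HarddiskVolume3\Users\x\a.exe -> C:\Users\x\a.exe; unknown volumes are returned unchanged.
function Convert-DevicePath {
    param([string]$Path, [hashtable]$Map)
    foreach ($dev in $Map.Keys) {
        # Trailing backslash keeps HarddiskVolume1 from matching HarddiskVolume10.
        if ($Path.StartsWith($dev + '\', [StringComparison]::OrdinalIgnoreCase)) {
            return $Map[$dev] + $Path.Substring($dev.Length)
        }
    }
    return $Path
}

function Get-BamEntries {
    param([hashtable]$Map = (Get-DeviceToDriveMap))
    # 'bam\State\UserSettings' on Windows 10 1809 and later, 'bam\UserSettings' on earlier builds.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings',
            'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings' |
            Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $root) { throw 'BAM key not found' }

    foreach ($sidKey in Get-ChildItem -Path $root) {
        $sid  = $sidKey.PSChildName
        $user = 'unresolved'   # SID of a deleted or domain account may not translate
        try { $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value } catch {}

        foreach ($name in $sidKey.GetValueNames()) {
            $data = $sidKey.GetValue($name)
            # Executable entries are 24-byte REG_BINARY values; bytes 0-7 hold the last-run FILETIME.
            # 'Version' and 'SequenceNumber' are DWORDs and are skipped here.
            if ($data -isnot [byte[]] -or $data.Length -lt 8) { continue }
            $utc  = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
            $path = Convert-DevicePath -Path $name -Map $Map
            # Store-app entries are not file paths and report NotFound, as do deleted binaries.
            $sig  = if (Test-Path -LiteralPath $path -PathType Leaf) {
                        (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
                    } else { 'NotFound' }
            [pscustomobject]@{
                User = $user; SID = $sid; LastRunUtc = $utc; LastRunLocal = $utc.ToLocalTime()
                Path = $path; Signature = $sig
            }
        }
    }
}

Get-BamEntries | Sort-Object LastRunUtc -Descending | Format-Table User, LastRunUtc, Signature, Path -AutoSize
```

Reading the HKLM BAM hive requires an elevated session. A NotFound next to a recent LastRunUtc is often the most useful line in the output: the program ran and has since been removed, which is exactly what the converter plus signature check are meant to surface.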
Utility Scripts:
Alt Finders (AltChecker.ps1, message.txt script): Search user directories and log files for specific strings (like "user", "username", or custom terms) to find evidence of alternate accounts.
powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/LBGh2Cyb)
Execution Policy: Many scripts require changing the PowerShell execution policy using commands like Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass to allow them to run.
Hinting at Detection: PowerShell scripts serve as automated assistants in the ScreenSharing process. They rapidly collect and pre-process data from numerous system artifacts, perform checks (like signature validation), and highlight potentially suspicious entries based on predefined logic, thereby accelerating the identification of evidence related to cheats or bypass attempts.
Automated Forensic Collection
RL Collector (RLCollector-CLI):
Description: This is a comprehensive, automated forensic collection script that leverages Eric Zimmerman's industry-standard tools. It is designed to be the starting point for any in-depth investigation, systematically gathering a wide range of critical artifacts from a live Windows system.
Functionality: The script automatically downloads and runs the necessary tools to collect Prefetch, ShellBags, SRUM/SUM databases, Registry Hives, Event Logs, Activities Cache, and more, saving all evidence into a structured Evidence folder. A full transcript is logged for auditability.
Detection Utility: By automating the collection of nearly all relevant forensic artifacts, it saves significant time, reduces human error, and provides the complete dataset needed for subsequent timeline analysis and event correlation.
powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://pastebin.com/raw/Eb6r6Vau')"
Timeline Generation and Analysis
Master Timeline Script (Master Timeline):
Description: This is a post-collection analysis script designed to process the output from tools like RL Collector. Its primary function is to aggregate the numerous CSV files from various artifact parsers into a single, chronologically sorted "master timeline."
Functionality: It recognizes the output formats of the different Zimmerman tools, extracts key information (Timestamp, Activity, Source, Details), and merges them into one cohesive timeline. Large and complex logs (like Event Logs) are typically excluded for separate manual review to maintain clarity.
Detection Utility: This script transforms scattered raw data into a coherent narrative of "what happened and when." It allows an SSer to easily see the sequence of events (e.g., file download followed by execution) and is the key tool for correlating evidence across different artifacts to build a solid, irrefutable case.
Copy the link, paste it into the browser, copy and paste the script into PowerShell, and run it.
https://pastebin.com/raw/u7HAmWe1