# Main RedLotus Scripts

## Approved PowerShell Scripts

PowerShell scripts are powerful tools for automating complex searches and collecting data efficiently. To ensure security and standardization, only the scripts in this list may be used, and only via the commands provided; running unauthorized or modified scripts is strictly prohibited.

**Execution Note:** All provided commands run `Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass` before the script, inside the same `powershell -Command "..."` invocation. With `-Scope Process` the policy applies only to the `powershell.exe` process that command starts and is discarded when it exits; nothing is written to the registry and the player's other sessions are unaffected. Execution policy only governs running `.ps1` files, so it matters here only where a script goes on to run files it downloads; `Invoke-Expression` on the downloaded text is not gated by it. Every command fetches code from a third-party host (GitHub, Pastebin) at run time and executes whatever is currently served, which is why only the listed commands may be used.
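As an added example (not one of the RedLotus scripts), the following wrapper shows how a screenshare team can pin a reviewed script to its hash before running it, so that a silently edited Pastebin paste or branch is refused rather than executed. The URL in the usage comment is the RedLotus Signatures script from this page; the expected-hash value is a placeholder the operator records after reviewing the script.

```powershell
# Added example, not one of the RedLotus scripts: fetch a script, hash the exact bytes
# served, and run them only if they match a SHA256 recorded when the script was reviewed.
# Assumed: the operator keeps that hash next to the URL; the hash in the usage line is a placeholder.

# Older Windows PowerShell hosts may default to TLS 1.0; GitHub and Pastebin require TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

function Get-Sha256Hex {
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $sha = [Security.Cryptography.SHA256]::Create()
    try { ($sha.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $sha.Dispose() }
}

function Get-RemoteScriptHash {
    # Step 1 (at review time): read the script, then record the hash this returns alongside its URL.
    param([Parameter(Mandatory)][string]$Url)
    $bytes = (New-Object System.Net.WebClient).DownloadData($Url)
    Get-Sha256Hex -Bytes $bytes
}

function Invoke-PinnedScript {
    # Step 2 (every run): download, hash the raw bytes, refuse on any mismatch.
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$ExpectedSha256
    )
    $bytes  = (New-Object System.Net.WebClient).DownloadData($Url)
    $actual = Get-Sha256Hex -Bytes $bytes
    if ($actual -ne $ExpectedSha256) {
        throw "Refusing to run $Url : served SHA256 $actual does not match pinned $ExpectedSha256"
    }
    # Decode as UTF-8 and drop a leading BOM, which Invoke-Expression would otherwise see as text.
    $text = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    Invoke-Expression $text
}

# Usage ('<recorded sha256>' is a placeholder for the value Get-RemoteScriptHash printed at review time):
# Get-RemoteScriptHash -Url 'https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1'
# Invoke-PinnedScript -Url 'https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1' -ExpectedSha256 '<recorded sha256>'
```

`WebClient.DownloadData` is used instead of `Invoke-RestMethod` so the digest covers the bytes actually served; `Invoke-RestMethod` decodes to a string and can alter line endings or encoding, which would change the hash without the script having changed.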

#### Category: Comprehensive Forensic Collection and Analysis

**RL Collector (RedLotus Collector)**

* **Author:** Red Lotus (based on Eric Zimmerman's tools)
* **Purpose:** Performs a comprehensive and automated forensic collection of a wide range of critical artifacts (Prefetch, SRUM, Registry Hives, Event Logs, Activities Cache, ShellBags, etc.), saving them into a structured folder for in-depth analysis. It is the ideal tool to run at the beginning of a complex investigation to preserve evidence.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://pastebin.com/raw/Eb6r6Vau')"
  ```

**Master Timeline Script**

* **Author:** Red Lotus Community
* **Purpose:** A post-analysis script to be used on the data gathered by RL Collector. It aggregates the numerous `.csv` files produced by various parsers into a single, chronological "master timeline," transforming scattered data into a sequential narrative of events.
* **Usage:** open the link, copy the content and paste it into the PowerShell window:

  <https://pastebin.com/raw/u7HAmWe1>

#### Category: File and Integrity Analysis

**RedLotus Signatures**

* **Author:** bacanoicua / Red Lotus
* **Purpose:** Analyzes a list of file paths from a `paths.txt` file and verifies the Authenticode digital signature status of each. Essential for quickly identifying unsigned, tampered (`HashMismatch`), or untrusted executables or DLLs.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1')"
  ```

**RedLotus Prefetch Integrity Analyzer**

* **Author:** bacanoicua / Red Lotus
* **Purpose:** Scans the Prefetch folder for anomalies and tampering. It checks file attributes (e.g. Read-Only, used to stop Windows from updating a `.pf` file), validates the compressed-file header (`MAM`), and detects files with identical hashes, a sign that `.pf` files were copied or written by hand (the "type" or "echo" bypass) rather than created by the prefetcher.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusPrefetchIntegrityAnalyzer.ps1')"
  ```
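The three checks described above, written out as an added example (this is not the RedLotus Prefetch Integrity Analyzer itself). It reads the first bytes of each `.pf` file for the `MAM` signature that Windows 10/11 compressed prefetch files start with, tests the Read-Only attribute, and groups files by SHA256 to surface duplicates. Run it from an elevated PowerShell, since standard users cannot list `C:\Windows\Prefetch`.

```powershell
# Added example, not the RedLotus Prefetch Integrity Analyzer: header, attribute and
# duplicate-content checks over the Prefetch folder. Requires an elevated session.
function Get-PrefetchIntegrityReport {
    param([string]$Path = "$env:SystemRoot\Prefetch")

    $files = Get-ChildItem -Path $Path -Filter *.pf -File -Force -ErrorAction Stop
    $report = foreach ($f in $files) {
        # Read only the first 4 bytes; an empty or truncated file simply fails the header check.
        $head = New-Object byte[] 4
        $fs = [IO.File]::OpenRead($f.FullName)
        try { $read = $fs.Read($head, 0, 4) } finally { $fs.Dispose() }
        $magic = if ($read -ge 3) { [Text.Encoding]::ASCII.GetString($head, 0, 3) } else { '' }

        [pscustomobject]@{
            Name      = $f.Name
            Size      = $f.Length
            ReadOnly  = [bool]($f.Attributes -band [IO.FileAttributes]::ReadOnly)
            HeaderOk  = ($magic -eq 'MAM')   # Win10/11 XPRESS-compressed prefetch starts with "MAM\x04"
            SHA256    = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
            LastWrite = $f.LastWriteTimeUtc
        }
    }

    # Two .pf files with byte-identical content were not both produced by the prefetcher;
    # this is what a "type A.pf > B.pf" or "echo ... > B.pf" bypass leaves behind.
    $dupHashes = @($report | Group-Object SHA256 | Where-Object Count -gt 1 | ForEach-Object Name)
    foreach ($r in $report) {
        $r | Add-Member -NotePropertyName Duplicate -NotePropertyValue ($dupHashes -contains $r.SHA256)
    }
    $report
}

$report = Get-PrefetchIntegrityReport
"{0} prefetch files, {1} flagged" -f @($report).Count, @($report | Where-Object { $_.ReadOnly -or -not $_.HeaderOk -or $_.Duplicate }).Count
$report | Where-Object { $_.ReadOnly -or -not $_.HeaderOk -or $_.Duplicate } |
    Sort-Object LastWrite -Descending |
    Format-Table Name, Size, ReadOnly, HeaderOk, Duplicate, LastWrite -AutoSize
```

A file that fails the header check is not necessarily malicious on its own (a zero-byte file can be a crashed write), but a Read-Only `.pf` or two files sharing a hash has no benign explanation the prefetcher produces.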

**HabibiModAnalyzer**

* **Author:** HadronCollision
* **Purpose:** Automates the analysis of Minecraft mods. It compares the hashes of `.jar` files against the Modrinth database, performs a scan for common cheat strings, and analyzes the Zone.Identifier to determine the download origin.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/HadronCollision/PowershellScripts/refs/heads/main/HabibiModAnalyzer.ps1')"
  ```

#### Category: Specific Artifact Analysis

**RedLotus BAM Script (BAM Parser)**

* **Author:** PureIntent / spokwn
* **Purpose:** Extracts and displays entries from the Background Activity Moderator (BAM), showing execution time, file path, and digital signature status. The version by spokwn generates an interactive HTML report.
* **Execution Command (PureIntent):**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1')"
  ```
* **Execution Command (spokwn):**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/bamparser.ps1')"
  ```

**Streams Script**

* **Author:** spokwn
* **Purpose:** Scans a folder (optionally recursively) to identify files with Alternate Data Streams (ADS), showing details like name, hash, owner, and the content of the Zone.Identifier stream.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/Streams.ps1')"
  ```
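The Zone.Identifier analysis that both HabibiModAnalyzer and the Streams Script perform, as an added example that is not either author's code: it enumerates every named stream under a folder and decodes the `[ZoneTransfer]` INI fragment that browsers and launchers write on downloaded files. The sample path is the default Minecraft mods folder and is only a suggestion.

```powershell
# Added example, not spokwn's Streams script or HabibiModAnalyzer: list alternate data
# streams and decode Zone.Identifier (mark-of-the-web) to show where a file was downloaded from.
function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path, [switch]$Recurse)

    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # Every NTFS file has the unnamed ':$DATA' stream; any other stream name is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $zone = @{}
            if ($_.Stream -eq 'Zone.Identifier') {
                # INI fragment: [ZoneTransfer] followed by ZoneId=3 (Internet) and optional ReferrerUrl / HostUrl
                foreach ($line in @(Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)) {
                    if ($line -match '^\s*([^\[=]+?)\s*=\s*(.*)$') { $zone[$Matches[1]] = $Matches[2] }
                }
            }
            [pscustomobject]@{
                File     = $file.FullName
                Stream   = $_.Stream
                Length   = $_.Length
                Owner    = (Get-Acl -LiteralPath $file.FullName).Owner
                SHA256   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
                ZoneId   = $zone['ZoneId']        # 0 local machine, 1 intranet, 2 trusted, 3 Internet, 4 restricted
                HostUrl  = $zone['HostUrl']       # direct download URL, when the downloader recorded it
                Referrer = $zone['ReferrerUrl']   # page the download was started from
            }
          }
      }
}

# Default Minecraft launcher mods folder (assumed location; pass any folder you are reviewing)
Get-AlternateDataStreams -Path "$env:APPDATA\.minecraft\mods" |
    Format-Table File, Stream, Length, ZoneId, HostUrl -AutoSize -Wrap
```

A `.jar` with no Zone.Identifier stream is not proof of anything by itself: files copied from another volume, extracted from an archive by a tool that drops the stream, or downloaded with a client that does not write mark-of-the-web will all lack it. The absence is a question for the player, not a finding.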

**ActivitiesCache Parser Script**

* **Author:** spokwn
* **Purpose:** Automates the download and execution of a parser for the ActivitiesCache.db (Windows Timeline) database, filtering for activities relevant to the current user logon session.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/activitiescache.ps1')"
  ```

**Task Scheduler Parsers (N0LW & Rio)**

* **Author:** N0LW, Rio/ObsessiveBf
* **Purpose:** A suite of scripts for analyzing the Task Scheduler. `ManualTasks` lists tasks created by the user, `SuspiciousScheduler` flags those executing suspicious commands, and Rio's parser extracts commands and arguments from task XML files.
* **ManualTasks Command (N0LW):**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/ManualTasks.ps1')"
  ```
* **SuspiciousScheduler Command (N0LW):**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/SuspiciousScheduler.ps1')"
  ```
* **Task Parser Command (Rio):**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/ObsessiveBf/Task-Scheduler-Parser/main/script.ps1')"
  ```
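What these three parsers do, written out as one added example (not the N0LW or Rio scripts): read every task definition under `System32\Tasks`, pull the `Exec` command and arguments out of the XML, separate Windows' own tasks from manually registered ones, and tag command lines against a short list of heuristics. The author test and the regex list are this example's own assumptions, not the authors' logic. Run elevated; the Tasks folder is not readable by standard users.

```powershell
# Added example, not the N0LW or Rio scripts: parse task XML from System32\Tasks,
# extract Exec actions and flag them. The heuristics below are assumed starting points.
$SuspiciousPatterns = [ordered]@{
    EncodedPowerShell = '(?i)\s-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}'
    HiddenWindow      = '(?i)\s-w(indowstyle)?\s+hidden\b'
    DownloadAndRun    = '(?i)\b(iex|invoke-expression|invoke-restmethod|invoke-webrequest|downloadstring|frombase64string)\b'
    LolBin            = '(?i)\b(mshta|certutil|bitsadmin|regsvr32|rundll32|wscript|cscript)(\.exe)?\b'
    WritablePath      = '(?i)\\(AppData\\Local\\Temp|Users\\Public|ProgramData|Windows\\Temp)\\'
    Cleanup           = '(?i)\b(del|erase|rd|rmdir|remove-item|clear-eventlog|wevtutil)\b'
}

function Test-SuspiciousCommand {
    param([string]$Command, [string]$Arguments)
    $line = "$Command $Arguments"
    $hits = foreach ($k in $SuspiciousPatterns.Keys) { if ($line -match $SuspiciousPatterns[$k]) { $k } }
    ($hits -join ';')   # empty string when nothing matched
}

function Get-ScheduledTaskCommands {
    param([string]$TasksRoot = "$env:SystemRoot\System32\Tasks")
    Get-ChildItem -Path $TasksRoot -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Task files are XML (UTF-16 with BOM); XmlDocument.Load honours the BOM and declaration.
        $xml = New-Object System.Xml.XmlDocument
        try { $xml.Load($file.FullName) } catch { return }
        $t = $xml.Task
        if (-not $t) { return }
        $author = [string]$t.RegistrationInfo.Author
        # Assumed heuristic: Windows' own tasks carry a resource-string author "$(@%SystemRoot%\...dll,-123)"
        # or "Microsoft Corporation"; anything else was registered by a user or third-party software.
        $manual = -not (($author -match '^\$\(@') -or ($author -like 'Microsoft*'))
        foreach ($exec in @($t.Actions.Exec)) {          # ComHandler-only tasks have no Exec
            if (-not $exec) { continue }
            $cmd = [string]$exec.Command
            $arguments = [string]$exec.Arguments         # not $args, which is a PowerShell automatic variable
            [pscustomobject]@{
                Task       = $file.FullName.Substring($TasksRoot.Length)
                Author     = $author
                Registered = [string]$t.RegistrationInfo.Date
                RunAs      = [string]$t.Principals.Principal.UserId
                Manual     = $manual
                Command    = $cmd
                Arguments  = $arguments
                Flags      = Test-SuspiciousCommand -Command $cmd -Arguments $arguments
            }
        }
    }
}

Get-ScheduledTaskCommands | Where-Object { $_.Manual -or $_.Flags } |
    Sort-Object Registered -Descending |
    Format-Table Task, RunAs, Command, Arguments, Flags -AutoSize -Wrap
```

Reading the XML files rather than calling `Get-ScheduledTask` shows the definition as registered on disk, including tasks whose registry entry has been removed or that the Task Scheduler service refuses to load.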

#### Category: Utilities and Information Gathering

**RedLotus HardDiskVolume Converter**

* **Author:** bacanoicua / Red Lotus
* **Purpose:** Converts paths in the `\Device\HarddiskVolumeX` format (common in DPS logs) into standard, human-readable drive letter paths (e.g., `C:\...`).
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusHardDiskVolumeConverter.ps1')"
  ```
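The BAM parsers above, the RedLotus Signatures check and the HardDiskVolume converter fit together naturally, so one added example covers all three (this is not the PureIntent, spokwn or bacanoicua code): it walks the BAM key, decodes each entry's FILETIME, translates the `\Device\HarddiskVolumeN` prefix to a drive letter with the Win32 `QueryDosDevice` call, and reports the Authenticode status of whatever is still on disk at that path. Run it from an elevated PowerShell; the BAM key is not readable otherwise.

```powershell
# Added example, not the PureIntent/spokwn BAM parsers or the RedLotus converter: BAM entries
# with decoded timestamps, drive-letter paths and Authenticode status. Requires elevation.
Add-Type -Namespace Win32 -Name DosDevice -MemberDefinition @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, int ucchMax);
'@

function Get-DeviceToDriveMap {
    # Builds e.g. @{ '\Device\HarddiskVolume3' = 'C:' }; SUBST and network drives resolve to other prefixes
    $map = @{}
    foreach ($d in (Get-PSDrive -PSProvider FileSystem | Where-Object Name -match '^[A-Z]$')) {
        $sb = New-Object System.Text.StringBuilder 1024
        if ([Win32.DosDevice]::QueryDosDevice("$($d.Name):", $sb, $sb.Capacity) -gt 0) {
            $map[$sb.ToString()] = "$($d.Name):"
        }
    }
    $map
}

function Convert-DevicePath {
    param([Parameter(Mandatory)][string]$DevicePath, [hashtable]$Map = (Get-DeviceToDriveMap))
    if ($DevicePath -match '^(\\Device\\HarddiskVolume\d+)(\\.*)?$' -and $Map.ContainsKey($Matches[1])) {
        return $Map[$Matches[1]] + $Matches[2]
    }
    $DevicePath   # left unchanged when the volume is not mounted now (e.g. a removed USB stick)
}

function Get-BamEntries {
    $map = Get-DeviceToDriveMap
    # Windows 10 1809+ keeps entries under bam\State; earlier builds used bam\UserSettings directly
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'
    if (-not (Test-Path $root)) { $root = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings' }

    foreach ($sidKey in (Get-ChildItem -Path $root -ErrorAction Stop)) {
        $sid  = $sidKey.PSChildName
        $user = $sid
        try { $user = (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value } catch { }
        $props = Get-ItemProperty -Path $sidKey.PSPath
        foreach ($name in $props.PSObject.Properties.Name) {
            # Value names: Version/SequenceNumber (DWORD), packaged-app identities, and \Device\... paths
            if ($name -notlike '\Device\*') { continue }
            $raw = $props.$name
            if (-not ($raw -is [byte[]]) -or $raw.Length -lt 8) { continue }
            # Bytes 0-7 are a little-endian FILETIME (UTC) of the last recorded execution
            $lastRun = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($raw, 0))
            $path = Convert-DevicePath -DevicePath $name -Map $map
            $sig = if (Test-Path -LiteralPath $path -PathType Leaf) {
                # Status values: Valid, NotSigned, HashMismatch (file altered after signing), NotTrusted, UnknownError
                (Get-AuthenticodeSignature -LiteralPath $path).Status.ToString()
            } else { 'FileMissing' }
            [pscustomobject]@{ User = $user; LastRunUtc = $lastRun; Path = $path; Signature = $sig }
        }
    }
}

Get-BamEntries | Sort-Object LastRunUtc -Descending |
    Format-Table LastRunUtc, User, Signature, Path -AutoSize -Wrap
```

`FileMissing` entries deserve attention in their own right: BAM records the execution, so a path that no longer exists means the binary was deleted or moved after it ran.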

**Services.ps1 (Lilith-PS)**

* **Author:** praiselily
* **Purpose:** Gathers and displays a detailed summary of system information, including boot time, uptime, connected drives, the status of critical services, registry settings, and event log history (log clears, shutdowns, system time changes).
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/praiselily/lilith-ps/refs/heads/main/Services.ps1')"
  ```
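The boot-time and event-history part of what Services.ps1 reports, as an added example (not praiselily's code): it prints last boot and uptime, then pulls the Windows event IDs that mark log clears, shutdowns and clock changes into a single ordered list. The IDs are the standard ones named in the comments; the 30-day window is an assumption. The Security log needs an elevated session.

```powershell
# Added example, not Services.ps1: boot time, uptime and the event log entries that show
# whether the history has been cleared, interrupted or re-dated. Requires elevation for Security.
function Get-SystemHistory {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $boot = (Get-CimInstance -ClassName Win32_OperatingSystem).LastBootUpTime
    Write-Host ("Last boot: {0:u}   Uptime: {1}" -f $boot, ((Get-Date) - $boot))

    $labels = @{
        1102 = 'Security log cleared'            # Security, Microsoft-Windows-Eventlog
        104  = 'Event log cleared'               # System, Microsoft-Windows-Eventlog (message names the log)
        4616 = 'System time changed (audit)'     # Security
        1    = 'System time changed (kernel)'    # System, Microsoft-Windows-Kernel-General
        1074 = 'Shutdown/restart requested'      # System, User32 (names the process and user)
        6005 = 'Event log service started'       # System, boot marker
        6006 = 'Event log service stopped'       # System, clean shutdown marker
        6008 = 'Unexpected shutdown'             # System
        41   = 'Rebooted without clean shutdown' # System, Microsoft-Windows-Kernel-Power
    }
    $filters = @(
        @{ LogName = 'Security'; Id = 1102, 4616; StartTime = $Since }
        @{ LogName = 'System';   Id = 104, 1074, 6005, 6006, 6008, 41; StartTime = $Since }
        @{ LogName = 'System';   ProviderName = 'Microsoft-Windows-Kernel-General'; Id = 1; StartTime = $Since }
    )
    $events = foreach ($f in $filters) {
        # Get-WinEvent raises a non-terminating error when a filter matches nothing; that is not a fault here
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
    $events | ForEach-Object {
        [pscustomobject]@{
            TimeUtc = $_.TimeCreated.ToUniversalTime()
            Log     = $_.LogName
            Id      = $_.Id
            Event   = $labels[[int]$_.Id]
            Detail  = ([string]$_.Message -split "`r?`n")[0]   # first line only; the rest is boilerplate
        }
    } | Sort-Object TimeUtc
}

Get-SystemHistory | Format-Table TimeUtc, Log, Id, Event, Detail -AutoSize -Wrap
```

Read the output as a sequence: a 1102 or 104 shortly before the screenshare, a 4616 or Kernel-General 1 with a large jump, or a 6005 with no matching 6006 before it each changes how the other artifacts' timestamps should be trusted.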

**Alt Account Finder**

* **Author:** Red Lotus Community
* **Purpose:** Scans game directories and log files for strings (like "user" or "username") to find evidence of alternate accounts.
* **Execution Command:**

  ```powershell
  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://pastebin.com/raw/LBGh2Cyb')"
  ```
