Main RedLotus Scripts

Approved PowerShell Scripts

PowerShell scripts are powerful tools for automating complex searches and collecting data efficiently. To ensure security and standardization, it is mandatory to exclusively use the scripts present in this list, executed via the provided commands. The use of unauthorized or modified scripts is strictly prohibited.

Execution Note: All provided commands include Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass. This allows the script to run for the current terminal session only, without permanently altering the player's system security policies.

Category: Comprehensive Forensic Collection and Analysis

RL Collector (RedLotus Collector)

• Author: Red Lotus (based on Eric Zimmerman's tools)

• Purpose: Performs a comprehensive and automated forensic collection of a wide range of critical artifacts (Prefetch, SRUM, Registry Hives, Event Logs, Activities Cache, ShellBags, etc.), saving them into a structured folder for in-depth analysis. It is the ideal tool to run at the beginning of a complex investigation to preserve evidence.

• Execution Command:

  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://pastebin.com/raw/Eb6r6Vau')"

Master Timeline Script

• Author: Red Lotus Community

• Purpose: A post-analysis script to be used on the data gathered by RL Collector. It aggregates the numerous .csv files produced by various parsers into a single, chronological "master timeline," transforming scattered data into a sequential narrative of events.

• Open the link, copy the content and paste it in powershell:

  https://pastebin.com/raw/u7HAmWe1

Category: File and Integrity Analysis

RedLotus Signatures

• Author: bacanoicua / Red Lotus

• Purpose: Analyzes a list of file paths from a paths.txt file and verifies the Authenticode digital signature status of each. Essential for quickly identifying unsigned, tampered (HashMismatch), or untrusted executables or DLLs.

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusSignatures.ps1)

RedLotus Prefetch Integrity Analyzer

• Author: bacanoicua / Red Lotus

• Purpose: Scans the Prefetch folder for anomalies and tampering techniques. It checks attributes (e.g., Read-Only), header validity ("MAM"), and detects duplicate hashes, which can indicate manipulations like the "type" or "echo" bypass.

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusPrefetchIntegrityAnalyzer.ps1)

HabibiModAnalyzer

• Author: HadronCollision

• Purpose: Automates the analysis of Minecraft mods. It compares the hashes of .jar files against the Modrinth database, performs a scan for common cheat strings, and analyzes the Zone.Identifier to determine the download origin.

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/HadronCollision/PowershellScripts/refs/heads/main/HabibiModAnalyzer.ps1)

Category: Specific Artifact Analysis

RedLotus BAM Script (BAM Parser)

• Author: PureIntent / spokwn

• Purpose: Extracts and displays entries from the Background Activity Moderator (BAM), showing execution time, file path, and digital signature status. The version by spokwn generates an interactive HTML report.

• Execution Command (PureIntent):

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/PureIntent/ScreenShare/main/RedLotusBam.ps1)

• Execution Command (spokwn):

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/bamparser.ps1)

Streams Script

• Author: spokwn

• Purpose: Scans a folder (optionally recursively) to identify files with Alternate Data Streams (ADS), showing details like name, hash, owner, and the content of the Zone.Identifier stream.

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/Streams.ps1)

ActivitiesCache Parser Script

• Author: spokwn

• Purpose: Automates the download and execution of a parser for the ActivitiesCache.db (Windows Timeline) database, filtering for activities relevant to the current user logon session.

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/spokwn/powershells/refs/heads/main/activitiescache.ps1)

Task Scheduler Parsers (N0LW & Rio)

• Author: N0LW, Rio/ObsessiveBf

• Purpose: A suite of scripts for analyzing the Task Scheduler. ManualTasks lists tasks created by the user, SuspiciousScheduler flags those executing suspicious commands, and Rio's parser extracts commands and arguments from task XML files.

• ManualTasks Command (N0LW):

  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/ManualTasks.ps1')"

• SuspiciousScheduler Command (N0LW):

  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/nolww/project-mohr/refs/heads/main/SuspiciousScheduler.ps1')"

• Task Parser Command (Rio):

  powershell -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass; Invoke-Expression (Invoke-RestMethod 'https://raw.githubusercontent.com/ObsessiveBf/Task-Scheduler-Parser/main/script.ps1')"

Category: Utilities and Information Gathering

RedLotus HardDiskVolume Converter

• Author: bacanoicua / Red Lotus

• Purpose: Converts paths in the \Device\HarddiskVolumeX format (common in DPS logs) into standard, human-readable drive letter paths (e.g., C:\...).

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/bacanoicua/Screenshare/main/RedLotusHardDiskVolumeConverter.ps1)

Services.ps1 (Lilith-PS)

• Author: praiselily

• Purpose: Gathers and displays a detailed summary of system information, including boot time, uptime, connected drives, status of critical services, registry settings, and event history (clears, shutdowns, time changes).

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://raw.githubusercontent.com/praiselily/lilith-ps/refs/heads/main/Services.ps1)

Alt Account Finder

• Author: Red Lotus Community

• Purpose: Scans game directories and log files for strings (like "user" or "username") to find evidence of alternate accounts.

• Execution Command:

  powershell Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass && powershell Invoke-Expression (Invoke-RestMethod https://pastebin.com/raw/LBGh2Cyb)