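├── Invoke-ProtectComputerFromTermedUserLogin.ps1
├── LICENSE
└── README.md

/Invoke-ProtectComputerFromTermedUserLogin.ps1:
--------------------------------------------------------------------------------
<#PSScriptInfo

.VERSION 1.4

.GUID 1583b204-6525-452a-8ae5-4c53ba2ae1fd

.AUTHOR finackninja

.COMPANYNAME

.COPYRIGHT (c) 2024 finackninja. Released under the MIT License.

.TAGS "CrowdStrike", "Contain", "TerminatedUser", "TerminatedEmployee"

.LICENSEURI https://github.com/finackninja/CSFRTR/blob/main/LICENSE

.PROJECTURI https://github.com/finackninja/CSFRTR

.ICONURI

.EXTERNALMODULEDEPENDENCIES

.REQUIREDSCRIPTS

.EXTERNALSCRIPTDEPENDENCIES

.RELEASENOTES
Fixed forced user logoff code.

.PRIVATEDATA

.SYNOPSIS
Protects a computer endpoint upon user termination from the terminated user.
.DESCRIPTION
This script is designed to run through CrowdStrike Falcon realtime response (RTR) in order to protect a computer endpoint in a terminated user's possession. It takes the following actions:

* Logs off all users.
* Disables cached credentials.
* Changes local account passwords.
* Clears Kerberos tickets.
* Shuts down the computer.

Every step is best effort: a failure in one step is reported with Write-Warning and the
script carries on to the next, so the final shutdown still happens.
#>

# Built-in local accounts whose passwords this script leaves alone.
$ExcludedLocalAccounts = @(
    'DefaultAccount',
    'Guest',
    'WDAGUtilityAccount'
)

#region LOGOFF_USERS
#-------------------------------------------------------------------------------

# Log off all current user sessions.

# This command does not seem to work as written. Commented out.
#Invoke-CimMethod -ClassName Win32_Operatingsystem -ComputerName . -MethodName Win32Shutdown -Arguments @{ Flags = 4 }

# Get logon sessions from the "quser.exe" command. quser prints a fixed-width table whose
# first line is a header (skipped). The first character of each row is either a space or '>'
# (the current session), which is why the pattern skips one character before USERNAME.
$Sessions = [System.Collections.Generic.List[PSCustomObject]]::new()
$QUser = quser 2>$null | Select-Object -Skip 1
$QUser | ForEach-Object {
    # Column widths: USERNAME(22) SESSIONNAME(18) ID(5) STATE(8) IDLE TIME(11) LOGON TIME(16-18).
    # Only add a session when the row matched; otherwise $matches would still hold the
    # previous row and a stale session would be added twice.
    if ($_ -match '.(.{22})(.{18})(.{5})(.{8})(.{11})(.{16,18})') {
        $Session = [pscustomobject] @{
            Username    = $matches[1].Trim()
            SessionName = $matches[2].Trim()
            Id          = [int]$matches[3].Trim()
            State       = $matches[4].Trim()
            IdleTime    = $matches[5].Trim()
            # Kept as text: the value is informational only, and a [datetime] cast of a
            # locale-formatted quser timestamp can throw and abort the whole logoff pass.
            LogonTime   = $matches[6].Trim()
        }
        $Sessions.Add($Session)
        $Session = $null
    }
    else {
        Write-Warning -Message "Unable to parse quser output line: $_"
    }
}
$QUser = $null

# Log off all sessions. logoff.exe only needs the numeric session id.
ForEach ($Session in $Sessions) {
    logoff $Session.Id
}
$Sessions = $null

#-------------------------------------------------------------------------------
#endregion LOGOFF_USERS


#region DISABLE_CACHED_CREDENTIALS
#-------------------------------------------------------------------------------

# Disable cached credentials (domain logon without a reachable DC).
try {
    $WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # A missing value means the Windows default applies, so treat "absent" the same as "non-zero".
    $CachedLogonsCount = Get-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty CachedLogonsCount

    if ([string]$CachedLogonsCount -ne '0') {
        # CachedLogonsCount is a REG_SZ; write it as a string so the value type is not changed.
        Set-ItemProperty -Path $WinlogonKey -Name CachedLogonsCount -Value '0' -Type String -ErrorAction Stop
    }
    Write-Warning -Message 'This change requires a reboot to take effect! Please reboot the computer when it is appropriate to do so.'
}
catch {
    Write-Warning -Message "Unable to disable cached credentials. $($_.Exception.Message)"
}

#-------------------------------------------------------------------------------
#endregion DISABLE_CACHED_CREDENTIALS


#region CHANGE_LOCAL_PASSWORDS
#-------------------------------------------------------------------------------

# Change local account passwords.

#######################################
# Returns $length characters drawn uniformly from $characters.
# Uses a cryptographic RNG with rejection sampling; Get-Random is not meant for secrets.
# Arguments: $length     - number of characters to return
#            $characters - string of candidate characters
# Outputs:   the generated string
#######################################
function Get-RandomCharacters($length, $characters) {
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $buffer = New-Object byte[] 4
        $count = $characters.Length
        # Largest multiple of $count representable in a uint32; draws at or above it are
        # discarded so that ($value % $count) is unbiased.
        $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $count)
        $picked = New-Object System.Text.StringBuilder

        while ($picked.Length -lt $length) {
            $rng.GetBytes($buffer)
            $value = [System.BitConverter]::ToUInt32($buffer, 0)
            if ($value -lt $limit) {
                [void]$picked.Append($characters[[int]($value % $count)])
            }
        }
        return $picked.ToString()
    }
    finally {
        $rng.Dispose()
    }
}

#######################################
# Returns the characters of $inputString in a random order (Fisher-Yates shuffle driven by
# a cryptographic RNG), so the per-class segments built by the caller are mixed together.
# Arguments: $inputString - string to shuffle
# Outputs:   the shuffled string
#######################################
function Scramble-String([string]$inputString) {
    $chars = $inputString.ToCharArray()
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try {
        $buffer = New-Object byte[] 4
        for ($i = $chars.Length - 1; $i -gt 0; $i--) {
            # Uniform index in [0, $i]; redraw instead of taking a biased modulus.
            $bound = $i + 1
            $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $bound)
            do {
                $rng.GetBytes($buffer)
                $value = [System.BitConverter]::ToUInt32($buffer, 0)
            } while ($value -ge $limit)
            $j = [int]($value % $bound)

            $swap = $chars[$i]
            $chars[$i] = $chars[$j]
            $chars[$j] = $swap
        }
        return -join $chars
    }
    finally {
        $rng.Dispose()
    }
}

Get-LocalUser | Where-Object { $ExcludedLocalAccounts -notcontains $_.Name } | ForEach-Object {
    # Capture the user up front: inside a 'catch' block $_ is the error record, not the user.
    $User = $_
    $Password = $null
    $SecurePassword = $null

    try {
        try {
            # Preferred generator: System.Web's Membership.GeneratePassword (20 chars, at least 4 non-alphanumeric).
            Add-Type -AssemblyName System.Web -ErrorAction Stop
            $Password = [System.Web.Security.Membership]::GeneratePassword(20, 4)
        }
        catch {
            # System.Web is not available in every PowerShell edition; fall back to a local generator
            # that takes 4-9 characters from each of four classes (20 or more in total) and shuffles them.
            Write-Warning -Message 'Unable to load the System.Web assembly; using the built-in password generator.'
            Do {
                $numberofcharactersperitem = 1..4 | ForEach-Object { Get-Random -Minimum 4 -Maximum 10 }
                $total = ($numberofcharactersperitem | Measure-Object -Sum).Sum
            } Until ($total -ge 20)

            $Password = Get-RandomCharacters -length $numberofcharactersperitem[0] -characters 'abcdefghijklmnopqrstuvwxyz'
            $Password += Get-RandomCharacters -length $numberofcharactersperitem[1] -characters 'ABCDEFGHKLMNOPRSTUVWXYZ'
            $Password += Get-RandomCharacters -length $numberofcharactersperitem[2] -characters '1234567890'
            $Password += Get-RandomCharacters -length $numberofcharactersperitem[3] -characters "~!@#$%^&*_-+=`|\(){}[]:;`"'<>,.?/'"

            $Password = Scramble-String $Password
        }

        # Set-LocalUser only binds a SecureString; passing the plain [string] fails parameter binding
        # and the password is never changed.
        $SecurePassword = ConvertTo-SecureString -String $Password -AsPlainText -Force
        $User | Set-LocalUser -Password $SecurePassword -ErrorAction Stop
    }
    catch {
        Write-Warning -Message "Unable to change the password for $($User.Name). $($_.Exception.Message)"
    }
    finally {
        # Drop the plaintext as early as possible. A [string] has no Dispose(); the SecureString does.
        $Password = $null
        if ($null -ne $SecurePassword) {
            $SecurePassword.Dispose()
        }
        $SecurePassword = $null
    }
}

#-------------------------------------------------------------------------------
#endregion CHANGE_LOCAL_PASSWORDS


#region CLEAR_KERBEROS_TICKETS
#-------------------------------------------------------------------------------

# Make best effort to clear all Kerberos tickets. Runs as a separate job because this process
# occasionally hangs; the job gets a bounded wait so a hang cannot hold up the shutdown below.
try {
    $KlistJob = Start-Job -ScriptBlock {
        Get-CimInstance -ClassName 'Win32_LogonSession' -ErrorAction Stop |
            Where-Object { $_.AuthenticationPackage -ne 'NTLM' } |
            ForEach-Object {
                # klist expects the logon id as a hex LUID (e.g. 0x3e7); Win32_LogonSession.LogonId is a decimal string.
                $LogonId = '0x{0:x}' -f [int64]$_.LogonId
                # 'purge' and '-li' must go through -ArgumentList; written bare, '-li' is parsed as a
                # Start-Process parameter and never reaches klist.
                Start-Process -FilePath 'klist.exe' -ArgumentList @('purge', '-li', $LogonId) -NoNewWindow -Wait
            }
    }

    # Whatever has not finished after the timeout is abandoned rather than delaying containment.
    $null = Wait-Job -Job $KlistJob -Timeout 60
    Receive-Job -Job $KlistJob -ErrorAction SilentlyContinue | Out-Null
    Remove-Job -Job $KlistJob -Force -ErrorAction SilentlyContinue
}
catch {
    Write-Warning -Message "There was an exception when attempting to clear Kerberos tickets. $($_.Exception.Message)"
}

#-------------------------------------------------------------------------------
#endregion CLEAR_KERBEROS_TICKETS


#region SHUTDOWN
#-------------------------------------------------------------------------------

# Shutdown the computer once completed. The short sleep gives RTR a chance to collect the output above.
Start-Sleep -Seconds 10
Stop-Computer -Force

#-------------------------------------------------------------------------------
#endregion SHUTDOWN
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 finackninja

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# CSFRTR
A collection of scripts for use with CrowdStrike Falcon RTR
--------------------------------------------------------------------------------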