  • Stars: 696
  • Rank: 65,018 (Top 2 %)
  • Language: PowerShell
  • License: MIT License
  • Created almost 4 years ago
  • Updated over 1 year ago

Repository Details

CrowdStrike Reporting Tool for Azure (CRT)

This tool queries the following configurations in the Azure AD/O365 tenant which can shed light on hard-to-find permissions and configuration settings in order to assist organizations in securing these environments.

Exchange Online (O365):

  • Federation Configuration
  • Federation Trust
  • Client Access Settings Configured on Mailboxes
  • Mail Forwarding Rules for Remote Domains
  • Mailbox SMTP Forwarding Rules
  • Mail Transport Rules
  • Delegates with 'Full Access' Permission Granted
  • Delegates with Any Permissions Granted
  • Delegates with 'Send As' or 'SendOnBehalf' Permissions
  • Exchange Online PowerShell Enabled Users
  • Users with 'Audit Bypass' Enabled
  • Mailboxes Hidden from the Global Address List (GAL)
  • Administrator Audit Logging Configuration Settings

Azure AD:

  • Service Principal Objects with KeyCredentials
  • O365 Admin Groups Report
  • Delegated Permissions & Application Permissions

Querying Tenant Partner Information: In order to view Tenant Partner Information, including roles assigned to your partners, you must log into the Microsoft 365 Admin Center as Global Admin:

https://admin.microsoft.com/AdminPortal/Home#/partners

Prerequisites:

The following PowerShell modules are required and will be installed automatically:

  • ExchangeOnlineManagement
  • AzureAD

NOTE: To return the full extent of the configurations being queried, the following role is required:

  • Global Admin

When Global Admin privileges are not available, the tool will notify you about what information won't be available to you as a result.

Usage:

No parameters specified: A folder named with date and time (YYYYDDMMTHHMM) will be created automatically in the directory the script is being run from. Default authentication method will prompt for each connection for compatibility with MFA.

.\Get-CRTReport.ps1

-BasicAuth Parameter: [OPTIONAL] If MFA is not enforced for your user principal, you can use this parameter which will prompt only once for authentication and store credentials using Get-Credential. (Not Recommended)

.\Get-CRTReport.ps1 -BasicAuth

-JobName Parameter: [OPTIONAL] Use the JobName parameter to distinguish between different tenants. If no JobName is specified, a Date/Time formatted folder will be placed within the working directory.

.\Get-CRTReport.ps1 -JobName MyJobName

-WorkingDirectory Parameter: [OPTIONAL] If you want to specify a different working directory for your jobs, you can do so with this parameter. The default working directory is the directory the script is being run from.

.\Get-CRTReport.ps1 -JobName MyJobName -WorkingDirectory 'C:\Path\to\Job\Folder'

-Commands Parameter: [OPTIONAL] Use this parameter to list the commands you want to run, in quotes, comma or space separated.

.\Get-CRTReport.ps1 -JobName MyJobName -WorkingDirectory 'C:\Path\to\Job\Folder' -Commands "Command1,Command2"

-AzureEnvironmentName & -ExchangeEnvironmentName Parameters: [OPTIONAL] Use these parameters to specify the Azure or Exchange environment names. Tab completion lists the acceptable values.

.\Get-CRTReport.ps1 -ExchangeEnvironmentName O365USGovGCCHigh -AzureEnvironmentName AzureUSGovernment

Available Commands:

FedConfig
FedTrust
ClientAccess
RemoteDomains
SMTPForward
TransportRules
FullAccessGranted
AnyAccessGranted
SendAsGranted
EXOPowerShell
AuditBypassEnabled
HiddenMailboxes
KeyCredentials
O365AdminGroups
DelegateAppPerms
AdminAuditLogConfig

-Interactive Parameter: [OPTIONAL] Some commands may take a long time to process depending on the amount of data in the tenant. Using the Interactive parameter, you will have the option to skip any particular command prior to the module running.

.\Get-CRTReport.ps1 -JobName MyJobName -WorkingDirectory 'C:\Path\to\Job\Folder' -Interactive

Report Summary:

With each run, CRT will output a report for each query in JSON as well as in the more readable .TXT and .CSV formats:

No parameters specified: A folder named with date and time (YYYYDDMMTHHMM) will be created automatically in the directory the script is being run from. To support MFA, the default authentication method will prompt the user to login for each connection.

  • YYYYDDMMTHHMM\output.log (hard copy of console logging)
  • YYYYDDMMTHHMM\_CRTReportSummary.txt (Summary of scripts run and investigative tips for guidance)
  • YYYYDDMMTHHMM\Reports\<report>.csv (Report in CSV output, where applicable)
  • YYYYDDMMTHHMM\Reports\<report>.txt (Report in TXT output, where applicable)
  • YYYYDDMMTHHMM\Reports\json\<report>.json (Each report is accompanied by JSON output for additional verbosity)

Known Issues:

  • Attempting to connect to Exchange Online using Federated logins does not currently work while trying to connect to both Exchange Online and Azure AD in the same PowerShell session.
  • Retrieving results for Any/FullAccess permissions (AnyAccessGranted and FullAccessGranted commands) in some cases returns an error and may not fully complete. Running the command manually may still work:
Get-EXOMailbox -ResultSize Unlimited | Get-EXOMailboxPermission | Where-Object { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Export-Csv "AnyAssignedPerms.csv" -NoTypeInformation -Encoding Default

Get-EXOMailbox -ResultSize Unlimited | Get-EXOMailboxPermission | Where-Object { ($_.AccessRights -eq "FullAccess") -and ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF")} | Export-Csv "FullAccessPerms.csv" -NoTypeInformation -Encoding Default
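One way to triage the FullAccessPerms.csv produced by the manual command above, as an added example that is not part of CRT itself: it groups the non-inherited grants by delegate and marks delegates that reach many mailboxes or appear only as an unresolved SID. The function name Get-DelegateFanOut, the threshold of 3 and the sample rows are assumptions made for illustration.

```powershell
# Constructed sample rows in the shape Export-Csv writes for the
# FullAccessPerms.csv command above (Identity = mailbox, User = delegate).
# For real data use: $rows = Import-Csv .\FullAccessPerms.csv
$rows = @'
"Identity","User","IsInherited","Deny"
"alice","svc-backup@contoso.example","False","False"
"bob","svc-backup@contoso.example","False","False"
"carol","svc-backup@contoso.example","False","False"
"alice","bob@contoso.example","False","False"
"dave","S-1-5-21-1111111111-2222222222-3333333333-1105","False","False"
"erin","bob@contoso.example","False","True"
'@ | ConvertFrom-Csv

# Hypothetical helper (not a CRT function): one output row per delegate.
function Get-DelegateFanOut {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [int] $Threshold = 3   # assumed review threshold, tune per tenant
    )
    $Rows |
        Where-Object { $_.Deny -ne 'True' } |   # Deny entries grant nothing
        Group-Object -Property User |
        ForEach-Object {
            $mailboxes = @($_.Group.Identity | Sort-Object -Unique)
            # A delegate shown as a raw SID typically no longer resolves
            # to an account, so the grant has no visible owner.
            $isSid = $_.Name -match '^S-1-5-21-'
            [pscustomobject]@{
                Delegate      = $_.Name
                MailboxCount  = $mailboxes.Count
                Mailboxes     = $mailboxes -join ';'
                UnresolvedSid = $isSid
                NeedsReview   = ($mailboxes.Count -ge $Threshold) -or $isSid
            }
        } |
        Sort-Object -Property MailboxCount -Descending
}

Get-DelegateFanOut -Rows $rows | Format-Table -AutoSize
```

With the constructed rows, svc-backup@contoso.example (three mailboxes) and the raw SID entry are marked for review, while bob@contoso.example is not, because his second row is a Deny entry.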

How Can I Contribute?

If you've found a bug, please use the Issues tab to report a new issue or add your comments to an existing one.

If you have any recommendations for the tool or require critical escalation, please email: [email protected].
