(Short answer: This tool can deploy Crowdstrike from Microsoft Defender Live Response or Palo Alto XDR Live Terminal and even on a local machine)
Have you ever been in an incident response situation where the only remote investigation tool available was something like Microsoft Defender? We all know the limitations of Microsoft Defender's Live Response, especially when it comes to executing PowerShell commands during a session.
That's why I created Crowdstrike Deploy! Crowdstrike Deploy is the ultimate solution for incident responders who need to deploy Crowdstrike sensors quickly and discreetly from the client's Live Terminal/Live Response EDR tool.
No longer do you have to wait for the client's IT team to find time to install your Crowdstrike sensor. With Crowdstrike Deploy, you can install the Crowdstrike sensor secretly, without triggering any alerts on the client's side.
Whether your client is using Palo Alto XDR Live Terminal, Microsoft Defender Live Response, or even if there is no EDR solution in place, Crowdstrike Deploy gets the job done with a single push of a button. Save precious time, take control of the situation, and stop incidents in their tracks with Crowdstrike Deploy!
This table represents the current platforms supported by Crowdstrike Deploy.
Operating System | Support Status | Cloud Service | Support Status | Platforms | Support Status
---|---|---|---|---|---
Windows 10 | ✔ | OneDrive | ✔ | Locally | ✔
Windows 11 | ✔ | Dropbox | ✖ | Falcon Crowdstrike | ✔
Linux | ✔ | Google Drive | ✖ | Microsoft Defender | ✔
Mac | ✖ | MEGA | ✖ | Palo Alto XDR | ✔
First, you need to configure the following variables inside the Crowdstrike-Deploy.ps1 code:

```powershell
###### Please Paste Your Information in Here ######
$SensorLink = "" # Crowdstrike Sensor Download Link
$SensorSig1 = "" # Crowdstrike Sensor Hash (SHA256)
$TenantCID = "" # Crowdstrike Tenant CID
$TenantName = "" # Crowdstrike Tenant Name
###################################################
```
1. Create a OneDrive direct download link for your Crowdstrike sensor, and paste it inside `$SensorLink = ""`.
   - 1.1 How to download the Crowdstrike sensor.
   - 1.2 How to create a OneDrive direct download link.
2. Create a SHA256 file signature for your sensor file and paste it inside `$SensorSig1 = ""`.
   - 2.1 How to create a SHA256 file signature.
3. Copy your tenant CID and paste it inside `$TenantCID = ""`.
   - 3.1 How to get your tenant CID.
4. Copy your tenant name and paste it inside `$TenantName = ""`.
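To make the role of the four variables concrete, here is an added example of the download, verify, install flow they feed. This is illustrative code written for this page, not the Crowdstrike-Deploy.ps1 source: the temp-file path, the function names and the logging are assumptions, and the installer switches `/install /quiet /norestart CID=` are the ones CrowdStrike documents for the Windows sensor. The point it demonstrates is that `$SensorSig1` is a gate: a file fetched over a link you do not control is never executed unless its SHA256 matches the value you configured.

```powershell
# Added example (not the Crowdstrike-Deploy.ps1 source): download the sensor from
# the configured direct link, refuse to run it unless its SHA256 matches $SensorSig1,
# then run the installer with the tenant CID. Paths and function names are assumptions.

$SensorLink = ""    # OneDrive direct download link (fill in, as in the README)
$SensorSig1 = ""    # expected SHA256 of the sensor file
$TenantCID  = ""    # Crowdstrike tenant CID
$TenantName = ""    # used only for log output here

$ErrorActionPreference = 'Stop'
$SensorPath = Join-Path $env:TEMP 'WindowsSensor.exe'   # assumed download location

function Test-SensorHash {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $ExpectedSha256
    )
    # Get-FileHash returns uppercase hex; compare case-insensitively after trimming
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ($actual -ieq $ExpectedSha256.Trim())
}

function Install-FalconSensor {
    param(
        [Parameter(Mandatory)] [string] $InstallerPath,
        [Parameter(Mandatory)] [string] $Cid
    )
    # Silent install; CID binds the sensor to the tenant configured above.
    $proc = Start-Process -FilePath $InstallerPath `
        -ArgumentList @('/install', '/quiet', '/norestart', "CID=$Cid") `
        -Wait -PassThru
    return $proc.ExitCode
}

# --- Deployment flow ---
if (-not $SensorLink -or -not $SensorSig1 -or -not $TenantCID) {
    throw 'Fill in $SensorLink, $SensorSig1 and $TenantCID before running.'
}

Write-Host "[$TenantName] Downloading sensor to $SensorPath"
# Older Windows PowerShell hosts default to a TLS version most services reject
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri $SensorLink -OutFile $SensorPath -UseBasicParsing

if (-not (Test-SensorHash -Path $SensorPath -ExpectedSha256 $SensorSig1)) {
    Remove-Item -Path $SensorPath -Force
    throw 'SHA256 mismatch: downloaded file is not the sensor you configured; aborting install.'
}

$exitCode = Install-FalconSensor -InstallerPath $SensorPath -Cid $TenantCID
if ($exitCode -ne 0) { throw "Sensor installer exited with code $exitCode" }
Write-Host "Sensor installed on '$env:COMPUTERNAME'; confirm the host appears in the '$TenantName' Falcon console."
```

The hash check runs before anything is executed, and a mismatch deletes the download so a stale or substituted file is not left behind for a later run to pick up. Remember to update `$SensorSig1` whenever you upload a new sensor build to OneDrive, otherwise the check will correctly refuse to install.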
After you have finished configuring the necessary variables inside the code, you can execute the tool in any supported environment you want!

Locally:
- Open PowerShell and execute Crowdstrike-Deploy.ps1, that's it.

Microsoft Defender Live Response:
- Choose a machine and initiate a Live Response session.
- Upload Crowdstrike-Deploy.ps1 to the Defender library.
- Run the script from the Live Response session.
- Done.

Palo Alto XDR Live Terminal:
- Choose a machine and initiate a Live Terminal session.
- From the Live Terminal, upload Crowdstrike-Deploy.ps1 to the machine.
- Click on "PowerShell" and execute Crowdstrike-Deploy.ps1.
- Done.
Linux:
Just drop the file locally on your machine or on any platform mentioned above
and run the "Crowdstrike-Deploy.sh" bash script as root, like in this example:

```
eilay@UBUSRV01:~$ sudo ./Crowdstrike-Deploy.sh
```
Found a bug? Need help? Want to add a feature?
Don't hesitate to contact me by creating an issue.