CrowdResponse is a lightweight console application for Windows that can be used during incident response to gather contextual information such as a process list, scheduled tasks, or the Shim Cache (AppCompat cache). Using embedded YARA signatures, it can also scan the host for malware and report any indicators of compromise.
To run CrowdResponse, extract the ZIP file and launch a Command Prompt with administrative privileges. Navigate to the folder containing the CrowdResponse*.exe executable and enter your command parameters. At minimum, you must supply the output path and the ‘tool’ you wish to use to collect data. For a full list of ‘tools’, run CrowdResponse64.exe with no arguments; it prints the supported tool names together with example parameters.
Once you have collected the data you need, use CRconvert.exe to convert the XML output to another file format such as CSV or HTML.
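The collection procedure above, as an added PowerShell example (not from the CrowdStrike page or the tool's own documentation). It assumes CrowdResponse64.exe and CRconvert.exe sit in the current directory; the `-o` output flag and the `@pslist` tool name are as I recall them from the tool's usage listing and should be confirmed against the output of running the binary with no arguments, and the CRconvert.exe argument form is likewise an assumption. Note that in PowerShell an unquoted `@pslist` is splatting syntax, so the tool name must be quoted.

```powershell
# Added example, not part of the CrowdStrike page. Run from an elevated
# PowerShell session in the folder where the extracted binaries live.
# Assumptions (confirm against the tool's own usage listing):
#   -o <file>  output path for the XML report
#   @pslist    process-listing tool name
#   CRconvert.exe accepts the XML path as its argument

# 1. Refuse to continue unless the session is elevated; CrowdResponse needs
#    administrative rights to read other processes and system caches.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this from a Command Prompt or PowerShell started with administrative privileges."
}

# 2. Sanity-check the binaries are where we expect them.
$crowdResponse = Join-Path $PWD 'CrowdResponse64.exe'
$crConvert     = Join-Path $PWD 'CRconvert.exe'
foreach ($exe in @($crowdResponse, $crConvert)) {
    if (-not (Test-Path $exe)) { throw "Missing $exe; extract the ZIP into this folder first." }
}

# 3. Timestamped, host-tagged output path so multiple collections do not collide.
$stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
$outXml  = Join-Path $PWD ("crowdresponse_{0}_{1}.xml" -f $env:COMPUTERNAME, $stamp)

# 4. Run the process-listing tool. The tool name is quoted because an unquoted
#    @pslist would be treated by PowerShell as splatting a variable named $pslist.
& $crowdResponse -o $outXml '@pslist'
if ($LASTEXITCODE -ne 0) { throw "CrowdResponse64.exe exited with code $LASTEXITCODE" }

# 5. Record a hash of the raw XML before converting it, so the evidence you
#    hand on can be tied back to exactly what was collected.
$hash = Get-FileHash -Algorithm SHA256 -Path $outXml
"{0}  {1}" -f $hash.Hash, $outXml | Out-File -FilePath "$outXml.sha256" -Encoding ascii

# 6. Convert the XML to another format for review (argument form assumed;
#    run CRconvert.exe with no arguments to see its actual usage).
& $crConvert $outXml
if ($LASTEXITCODE -ne 0) { throw "CRconvert.exe exited with code $LASTEXITCODE" }

Write-Host "Collected $outXml (SHA-256 $($hash.Hash))"
```

Hashing the XML before conversion is the step most worth keeping even if you change the tool arguments: the converted CSV or HTML is a convenience view, while the raw XML is the artifact you should preserve and be able to verify later.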
Key features
Comes with three modules: a directory-listing module, a module that enumerates active (running) processes and their loaded modules, and a YARA processing module.
Displays application resource information
Verifies the digital signature of the process executable.
Scans memory, loaded module files, and on-disk files of all currently running processes
URL: https://www.crowdstrike.com/resources/community-tools/crowdresponse/