Cybereason

Antivirusv1

Author: piesecurity

description

Cybereason Sensor/Detection Logs

paths

3 paths

AntivirusCybereason Anti-Ransomware Logs

C:\ProgramData\crs1\Logs

AntivirusCybereason Sensor Communications and Anti-Malware Logs

C:\ProgramData\apv2\Logs

AntivirusCybereason Application Control and NGAV Logs

C:\ProgramData\crb1\Logs

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: Cybereason
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Cybereason Anti-Ransomware Logs
Collect-Artifact -SourcePath "C:\ProgramData\crs1\Logs\*" -FolderName "Cybereason_Anti_Ransomware_Logs"

# 2. Cybereason Sensor Communications and Anti-Malware Logs
Collect-Artifact -SourcePath "C:\ProgramData\apv2\Logs\*" -FolderName "Cybereason_Sensor_Communications_and_Anti_Malware_Logs"

# 3. Cybereason Application Control and NGAV Logs
Collect-Artifact -SourcePath "C:\ProgramData\crb1\Logs\*" -FolderName "Cybereason_Application_Control_and_NGAV_Logs"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

included in collections

SANS_Triage Antivirus KapeTriage

// description

// paths

// collection commands

// included in collections

description

paths

collection commands

included in collections