ISLOnline
Author: Thomas Burnette
description
ISLOnline Remote Access Tool
paths
collection commands
# PowerShell Artifact Collection Script
# Target: ISLOnline
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"          # drive holding the system under examination (change for a mounted image)
$DestBase   = "D:\Evidence"
$Summary    = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'sessions\*', 'ISL Light Client\*\conf').
    # robocopy itself does not glob the source path, only the file mask.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        # Keep every matched source directory under its own subfolder (its path minus the
        # drive letter). Copying each match straight into $FullDest would let the trace.out
        # of one session overwrite the trace.out of the previous one.
        $Dest = Join-Path -Path $FullDest -ChildPath ($src.FullName -replace '^[A-Za-z]:\\', '')
        robocopy $src.FullName "$Dest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        # robocopy exit codes 0-7 are success/informational; 8 and above signal copy failures
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. ISL AlwaysOn Logs - Sessions List
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "session.xml" -FolderName "ISL_AlwaysOn_Logs_Sessions_List"
# 2. ISL AlwaysOn Logs - Sessions
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn\sessions\*" -FileMask "trace.out" -FolderName "ISL_AlwaysOn_Logs_Sessions"
# 3. ISL AlwaysOn - App Logs
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "*.out" -FolderName "ISL_AlwaysOn_App_Logs"
# 4. ISL AlwaysOn - Email Configuration
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn\status" -FileMask "tray" -FolderName "ISL_AlwaysOn_Email_Configuration"
# 5. ISL AlwaysOn - Configuration
Collect-Artifact -SourceDir "$SourceRoot\Program Files (x86)\ISL Online\ISL AlwaysOn" -FileMask "StaticConfiguration.ini" -FolderName "ISL_AlwaysOn_Configuration"

# Iterate every user profile under the source drive
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # ISLOnline Logs - Sessions - *.out
        $UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light Client\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "ISLClient.out" -FolderName "ISLOnline_Logs_Sessions_out_$UserName"
        # ISLOnline Logs - Session Configurations
        $UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light Client\*\conf"
        Collect-Artifact -SourceDir $UserPath -FileMask "*" -FolderName "ISLOnline_Logs_Session_Configurations_$UserName"
        # ISL Light Logs - Sessions
        $UserPath = "$($_.FullName)\AppData\Local\ISL Online Cache\ISL Light\*"
        Collect-Artifact -SourceDir $UserPath -FileMask "trace.out" -FolderName "ISL_Light_Logs_Sessions_$UserName"
    }

Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
ISL Online is a remote access tool with several methods of connecting to clients. ISL Light supports both installed and run-once clients.
ISL AlwaysOn allows for unattended access to clients and requires elevated privileges to install the ISL Online client.
Forensic artifacts vary based on the method of use.
One of the most common methods of connecting to a client is to ask them to navigate to islonline.net and enter a connection code, which then downloads a single-use ISL client.
The most useful artifacts are ISLClient.out, trace.out, and session.xml. With these files you can identify how many sessions occurred, when they occurred, and what took place (e.g. file transfers in or out).
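The following is an added example, not part of the original page and not ISL Online's own tooling. It turns an evidence tree such as the one the collection script above produces into a first-pass session inventory: it locates every ISLClient.out, trace.out and session.xml regardless of depth, attributes each one to a connection method from the evidence folder name the script used, records file timestamps as an approximation of session start/end, hashes each file for chain of custody, and counts lines containing a keyword as candidate file-transfer activity. The function names (New-SampleEvidence, Get-IslSessionInventory), the use of the word "transfer" as the keyword, and the folder-name-to-method mapping are assumptions made here; the real log format is not documented on this page, so the sample files are constructed placeholders that only let the example run offline.

```powershell
# Added example (not from the original page or from ISL Online). Builds a
# session inventory from a collected evidence tree. Assumptions are marked.
param([string]$EvidenceRoot = (Join-Path $env:TEMP 'ISL_Evidence_Sample'))

# Artifact names taken from the notes above.
$ArtifactNames = @('session.xml', 'trace.out', 'ISLClient.out')

function New-SampleEvidence {
    param([string]$Root)
    # Constructed sample tree mirroring the collection script's folder names.
    # File contents are placeholders, NOT real ISL Online log lines (assumption).
    $files = @{
        'ISL_AlwaysOn_Logs_Sessions_List\session.xml'        = '<constructed placeholder/>'
        'ISL_AlwaysOn_Logs_Sessions\s1\trace.out'            = "placeholder line`nplaceholder: file transfer (constructed)"
        'ISL_AlwaysOn_Logs_Sessions\s2\trace.out'            = 'placeholder line'
        'ISLOnline_Logs_Sessions_out_alice\c1\ISLClient.out' = 'placeholder line'
        'ISL_Light_Logs_Sessions_alice\l1\trace.out'         = 'placeholder line'
    }
    foreach ($rel in $files.Keys) {
        $path = Join-Path $Root $rel
        $null = New-Item -ItemType Directory -Force -Path (Split-Path $path -Parent)
        Set-Content -Path $path -Value $files[$rel] -Encoding UTF8
    }
}

function Get-IslSessionInventory {
    param(
        [string]$Root,
        # Keyword used to flag candidate file-transfer lines (assumption; adjust
        # once the real log wording for transfers is known).
        [string]$TransferKeyword = 'transfer'
    )
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -in $ArtifactNames } |
        ForEach-Object {
            $file = $_
            # Connection method inferred from the evidence folder name the
            # collection script assigned (assumption: that naming is kept).
            $method = switch -Wildcard ($file.FullName) {
                '*ISL_AlwaysOn*'                { 'AlwaysOn (unattended)'; break }
                '*ISLOnline_Logs_Sessions_out*' { 'ISL Light Client (per-user)'; break }
                '*ISL_Light_Logs*'              { 'ISL Light (per-user)'; break }
                default                         { 'unknown' }
            }
            $hits = @(Select-String -Path $file.FullName -Pattern $TransferKeyword -SimpleMatch -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                Method        = $method
                Artifact      = $file.Name
                SessionDir    = $file.Directory.Name
                # Timestamps approximate session start/end only if the copy
                # preserved them (robocopy /COPY:DAT does); verify against the
                # log content before relying on them.
                FirstWritten  = $file.CreationTimeUtc
                LastWritten   = $file.LastWriteTimeUtc
                SizeBytes     = $file.Length
                Sha256        = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
                TransferLines = $hits.Count
                Path          = $file.FullName
            }
        } | Sort-Object FirstWritten
}

# Create the constructed sample only when no evidence tree exists at $EvidenceRoot.
if (-not (Test-Path $EvidenceRoot)) { New-SampleEvidence -Root $EvidenceRoot }

$inventory = Get-IslSessionInventory -Root $EvidenceRoot
$inventory | Format-Table Method, Artifact, SessionDir, FirstWritten, LastWritten, TransferLines -AutoSize
$inventory | Export-Csv -Path (Join-Path $EvidenceRoot 'isl_session_inventory.csv') -NoTypeInformation
```

Point -EvidenceRoot at the real D:\Evidence tree to inventory a collection; the CSV gives one row per artifact, so the number of trace.out and ISLClient.out rows is a first estimate of how many sessions occurred, and the per-file hashes let the rows be tied back to the collected copies. The TransferLines column is only a triage flag until the keyword is confirmed against genuine ISL Online log content.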