NetMonitorforEmployeesProfessional
Appsv1
Author: Tristan PINCEAUX - CERT CWATCH - ALMOND
description
Net Monitor for Employees Pro
paths
6 paths
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: NetMonitorforEmployeesProfessional
# Run as Administrator
#Requires -RunAsAdministrator
# Keep going after non-terminating errors so one unreadable path does not stop the collection.
$ErrorActionPreference = 'Continue'

# Drive the artifacts are read from, and the folder collected copies are written under.
$SourceRoot = 'C:'
$DestBase   = 'D:\Evidence'

# Running tally updated by Collect-Artifact and printed at the end of the run.
$Summary = @{
    Copied = 0
    Missed = 0
    Errors = 0
}
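function Collect-Artifact {
    <#
    .SYNOPSIS
    Copies an artifact directory, or every directory matching a wildcard path,
    into a named folder under $DestBase using robocopy.

    .PARAMETER SourceDir
    Directory to collect. Wildcards are allowed in any path segment and are
    expanded with Get-Item, because robocopy does not glob its source argument.

    .PARAMETER FolderName
    Name of the destination folder created under $DestBase.

    .PARAMETER FileMask
    File name filter handed to robocopy. Defaults to "*" (all files).

    .NOTES
    Updates the script-level $Summary hashtable: Missed when nothing matches,
    otherwise Copied or Errors once per matched source directory.
    #>
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )

    # Resolve the (possibly wildcarded) path and keep directories only.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }

    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName

    foreach ($src in $sources) {
        # A wildcard such as 'Program Files*' can match several directories.
        # Copying them all into one folder lets same-named files from a later
        # match overwrite earlier ones, so each match gets its own subfolder
        # named after its source path. A single match keeps the flat layout.
        $target = $FullDest
        if ($sources.Count -gt 1) {
            $subFolder = $src.FullName -replace '[\\/:]+', '_'
            $target = Join-Path -Path $FullDest -ChildPath $subFolder
        }
        $null = New-Item -ItemType Directory -Force -Path $target -ErrorAction SilentlyContinue

        # /R:0 /W:0: a locked or unreadable file is skipped without retry.
        # All robocopy output is discarded, so skipped files are not listed
        # anywhere; only the exit code feeds the summary.
        # NOTE(review): /COPY:DAT covers files; directory timestamps may not be
        # carried over by default - consider /DCOPY:DAT where supported, and
        # hashing the collected files afterwards.
        robocopy $src.FullName "$target" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null

        # robocopy exit codes below 8 mean no copy failure; 8 and above mean at
        # least one failure. Exit code 0 (nothing copied) also counts as Copied.
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}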
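# Fixed-location artifacts. Paths are built from $SourceRoot so that changing
# that one variable redirects every collection, as the per-user loop already does.

# 1. Net Monitor Server Data
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Net Monitor for Employees Pro\data" -FolderName "Net_Monitor_Server_Data"
# 2. Net Monitor Server Config
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Net Monitor for Employees Pro\config" -FolderName "Net_Monitor_Server_Config"
# 3. Net Monitor Server Temp Folder
Collect-Artifact -SourceDir "$SourceRoot\ProgramData\Net Monitor for Employees Pro\tmp" -FolderName "Net_Monitor_Server_Temp_Folder"
# 4. Net Monitor Client Logs ('Program Files*' also matches 'Program Files (x86)')
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Net Monitor for Employees Pro\log" -FolderName "Net_Monitor_Client_Logs"
# 5. Net Monitor Client Config
Collect-Artifact -SourceDir "$SourceRoot\Program Files*\Net Monitor for Employees Pro\config" -FolderName "Net_Monitor_Client_Config"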
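# Iterate every user profile under the source drive, skipping the built-in
# profile folders that do not belong to a real user.
Get-ChildItem "$SourceRoot\Users" -Directory -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notin @('All Users', 'Default', 'Default User', 'Public') } |
    ForEach-Object {
        $UserName = $_.Name
        # Net Monitor Server Logs
        # NOTE(review): no sub-path is appended to the profile directory, so
        # this copies the ENTIRE user profile into a folder labelled
        # "Net_Monitor_Server_Logs_<user>". Presumably a per-user relative path
        # was meant to be joined here - confirm it against the artifact
        # definition before relying on this step, since the result is both
        # mislabelled and much larger than the artifact itself.
        #
        # Collect-Artifact treats its source as a wildcard pattern, so a
        # profile name containing [ ] * or ? would fail to match or match the
        # wrong folder; escape it so the name is taken literally.
        $UserPath = [System.Management.Automation.WildcardPattern]::Escape($_.FullName)
        Collect-Artifact -SourceDir $UserPath -FolderName "Net_Monitor_Server_Logs_$UserName"
    }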
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green
› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
Net Monitor for Employees is office monitoring software that allows live screen monitoring and employee activity tracking.
It can be used as a remote access tool to control applications and processes, to fetch files from and drop files on the target, and to deploy further malicious binaries.
It can also be used as a keylogger to collect further credentials on compromised targets.
We have seen this tool used in financial scams and data theft.