NetMonitorforEmployeesProfessional

Appsv1

Author: Tristan PINCEAUX - CERT CWATCH - ALMOND

description

Net Monitor for Employees Pro

paths

6 paths

ApplicationLogsNet Monitor Server Logs

C:\ProgramData\Net Monitor for Employees Pro\log\%user%\

Contains Net Monitor server logs

CommunicationsNet Monitor Server Data

C:\ProgramData\Net Monitor for Employees Pro\data\

Contains Net Monitor server data - Indicates what have been seen as the attacker

AppsNet Monitor Server Config

C:\ProgramData\Net Monitor for Employees Pro\config\

Contains Net Monitor server config

AppsNet Monitor Server Temp Folder

C:\ProgramData\Net Monitor for Employees Pro\tmp\

ApplicationLogsNet Monitor Client Logs

C:\Program Files*\Net Monitor for Employees Pro\log\

Contains Net Monitor client logs

ApplicationLogsNet Monitor Client Config

C:\Program Files*\Net Monitor for Employees Pro\config\

Contains Net Monitor client config

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: NetMonitorforEmployeesProfessional
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle directory creation and copying
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}

# 1. Net Monitor Server Logs
$UserPath = Join-Path $env:USERPROFILE ""
Collect-Artifact -SourcePath "$UserPath\*" -FolderName "Net_Monitor_Server_Logs"

# 2. Net Monitor Server Data
Collect-Artifact -SourcePath "C:\ProgramData\Net Monitor for Employees Pro\data\\*" -FolderName "Net_Monitor_Server_Data"

# 3. Net Monitor Server Config
Collect-Artifact -SourcePath "C:\ProgramData\Net Monitor for Employees Pro\config\\*" -FolderName "Net_Monitor_Server_Config"

# 4. Net Monitor Server Temp Folder
Collect-Artifact -SourcePath "C:\ProgramData\Net Monitor for Employees Pro\tmp\\*" -FolderName "Net_Monitor_Server_Temp_Folder"

# 5. Net Monitor Client Logs
Collect-Artifact -SourcePath "C:\Program Files*\Net Monitor for Employees Pro\log\\*" -FolderName "Net_Monitor_Client_Logs"

# 6. Net Monitor Client Config
Collect-Artifact -SourcePath "C:\Program Files*\Net Monitor for Employees Pro\config\\*" -FolderName "Net_Monitor_Client_Config"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1