PulseSecure

Appsv1

Author: Paul CABON CERT Cwatch Almond

description

Pulse Secure

paths

4 paths

› paths use Windows environment syntax

collection commands

source:

destination:

# PowerShell Artifact Collection Script
# Target: PulseSecure
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"

# Function to handle artifact collection with robocopy
function Collect-Artifact {
    param (
        [string]$SourceDir,
        [string]$FolderName,
        [string]$FileMask = "*"
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    robocopy "$SourceDir" "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS | Out-Null
}

# 1. Pulse Secure logs in Programmes Files
Collect-Artifact -SourceDir "C:\Program Files (x86)\Pulse Secure\Logging" -FileMask "*" -FolderName "Pulse_Secure_logs_in_Programmes_Files"

# 2. Pulse Secure logs in ProgramData
Collect-Artifact -SourceDir "C:\ProgramData\Pulse Secure\Logging" -FileMask "*" -FolderName "Pulse_Secure_logs_in_ProgramData"

# 3. Pulse Secure setup logs
Collect-Artifact -SourceDir "C:\Users\*\AppData\Roaming\Pulse Secure\Setup Client" -FileMask "*.log" -FolderName "Pulse_Secure_setup_logs"

# 4. Pulse Secure PSAL logs
Collect-Artifact -SourceDir "C:\Users\*\AppData\Local\Pulse Secure\Logging" -FileMask "PulseClient.log" -FolderName "Pulse_Secure_PSAL_logs"

Write-Host "Collection complete!" -ForegroundColor Green

› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

https://help.ivanti.com/ps/help/en_US/ISAC/vNow/cscg/setup_files_for_win_log_file_location.htm

https://forums.ivanti.com/s/article/How-to-collect-PSAL-Setup-Client-Log-Files-from-Windows-OS?language=en_US

included in collections

VPNClients

// description

// paths

// collection commands

// references

// included in collections

description

paths

collection commands

references

included in collections