PulseSecure
Appsv1
Author: Paul CABON CERT Cwatch Almond
description
Pulse Secure
paths
4 paths
AppsPulse Secure logs in Programmes Files
C:\Program Files (x86)\Pulse Secure\Logging*Logs for Pule Secure
AppsPulse Secure logs in ProgramData
C:\ProgramData\Pulse Secure\Logging*Logs for Pule Secure
AppsPulse Secure setup logs
C:\Users\*\AppData\Roaming\Pulse Secure\Setup Client*.logSetup logs for Pule Secure
AppsPulse Secure PSAL logs
C:\Users\*\AppData\Local\Pulse Secure\LoggingPulseClient.logPSAL logs
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: PulseSecure
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "SilentlyContinue"
$DestBase = "D:\Evidence"
# Function to handle directory creation and copying
function Collect-Artifact {
param (
[string]$SourcePath,
[string]$FolderName
)
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
if (-not (Test-Path -Path $FullDest)) {
New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
}
Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
}
# 1. Pulse Secure logs in Programmes Files
Collect-Artifact -SourcePath "C:\Program Files (x86)\Pulse Secure\Logging\*" -FolderName "Pulse_Secure_logs_in_Programmes_Files"
# 2. Pulse Secure logs in ProgramData
Collect-Artifact -SourcePath "C:\ProgramData\Pulse Secure\Logging\*" -FolderName "Pulse_Secure_logs_in_ProgramData"
# 3. Pulse Secure setup logs
Collect-Artifact -SourcePath "C:\Users\*\AppData\Roaming\Pulse Secure\Setup Client\*.log" -FolderName "Pulse_Secure_setup_logs"
# 4. Pulse Secure PSAL logs
Collect-Artifact -SourcePath "C:\Users\*\AppData\Local\Pulse Secure\Logging\PulseClient.log" -FolderName "Pulse_Secure_PSAL_logs"
Write-Host "Collection complete!" -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1