SCCMClientLogs
Windowsv1
Author: Andrew Rathbun
description
SCCM Client Log Files
paths
1 path
› paths use Windows environment syntax
collection commands
# PowerShell Artifact Collection Script
# Target: SCCMClientLogs
# Run as Administrator
#Requires -RunAsAdministrator
$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }
function Collect-Artifact {
param(
[Parameter(Mandatory)][string]$SourceDir,
[Parameter(Mandatory)][string]$FolderName,
[string]$FileMask = "*"
)
# Expand wildcards in any path segment (e.g. 'Program Files*',
# 'ScreenConnect Client*'). robocopy itself does not glob the source.
$sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
Where-Object { $_.PSIsContainer })
if ($sources.Count -eq 0) {
$Summary.Missed++
return
}
$FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
$null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
foreach ($src in $sources) {
robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
}
}
# 1. SCCM Client Log Files
Collect-Artifact -SourceDir "C:\Windows\CCM\Logs" -FolderName "SCCM_Client_Log_Files"
Write-Host ("Collection complete. Copied: {0} Missed: {1} Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green› Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
references
notes
Previous version of this Target: https://github.com/EricZimmerman/KapeFiles/commit/2199b6b7749b2f066e9f54a16626160279ab7948
I have seen reference to malicious binaries associated with a user in a log found in this folder
Sample log entry:
<![LOG[Add RecentlyUsedApp: <evil.exe DOMAIN\username>]LOG]!><time="12:22:13.679+300" date="02-27-2022" component="AssetAdvisor" context="" type="1" thread="5564" file="aa_recentlyusedapps.cpp:235">