SupremoRemoteDesktop

Apps v1.1

Author: epoxigen

description

Supremo Remote Desktop Control Logs

paths

2 paths
paths use Windows environment syntax

collection commands

# PowerShell Artifact Collection Script
# Target: SupremoRemoteDesktop
# Run as Administrator

#Requires -RunAsAdministrator

$ErrorActionPreference = "Continue"
$SourceRoot = "C:"
$DestBase   = "D:\Evidence"
$Summary = @{ Copied = 0; Missed = 0; Errors = 0 }

function Collect-Artifact {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$FolderName,
        [string]$FileMask = "*"
    )
    # Expand wildcards in any path segment (e.g. 'Program Files*',
    # 'ScreenConnect Client*'). robocopy itself does not glob the source.
    $sources = @(Get-Item -Path $SourceDir -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer })
    if ($sources.Count -eq 0) {
        $Summary.Missed++
        return
    }
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $null = New-Item -ItemType Directory -Force -Path $FullDest -ErrorAction SilentlyContinue
    foreach ($src in $sources) {
        robocopy $src.FullName "$FullDest" "$FileMask" /E /COPY:DAT /R:0 /W:0 /NP /NFL /NDL /NJH /NJS 2>$null | Out-Null
        if ($LASTEXITCODE -le 7) { $Summary.Copied++ } else { $Summary.Errors++ }
    }
}

# 1. Supremo Connection Logs
Collect-Artifact -SourceDir "C:\ProgramData\SupremoRemoteDesktop\Log" -FileMask "*.log" -FolderName "Supremo_Connection_Logs"

# 2. Supremo File Transfer Inbox
Collect-Artifact -SourceDir "C:\ProgramData\SupremoRemoteDesktop\Inbox" -FolderName "Supremo_File_Transfer_Inbox"

Write-Host ("Collection complete. Copied: {0}  Missed: {1}  Errors: {2}" -f $Summary.Copied, $Summary.Missed, $Summary.Errors) -ForegroundColor Green

Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1

references

notes

Supremo Remote Desktop is a Remote Access Tool similar to TeamViewer.

Supremo.00.Incoming.log logs incoming remote sessions.

Supremo.00.ReportsQueue.log logs device-related information about remote sessions.

Supremo.00.Client.log logs application events such as program start/exit and the client-server connections to the Supremo servers.

Supremo.00.FileTransfer.log logs file transfers between remote sessions.

Keep in mind: Files can be transferred to any location on the remote client, not only into the Inbox folder.
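
An added example, not part of the original artifact definition: after running the collection script, this inventories the four logs named in the notes, records size, last-write time and SHA-256 for each, and reports any log that was not collected. It assumes the script's destination folder D:\Evidence\Supremo_Connection_Logs and that the "00" segment of the file names can vary; the function name and the CSV path are hypothetical.

```powershell
# Added example: inventory the Supremo logs gathered by the collection script.
# Assumptions: evidence lives in the script's destination folder, and the
# "00" segment of the log file names may differ, so it is matched with '*'.
function Get-SupremoLogInventory {
    param(
        [string]$EvidenceDir = "D:\Evidence\Supremo_Connection_Logs"
    )
    # Log roles as described in the notes on this page.
    $roles = [ordered]@{
        "Incoming"     = "Incoming remote sessions"
        "ReportsQueue" = "Device-related information of remote sessions"
        "Client"       = "Application events and connections to Supremo servers"
        "FileTransfer" = "File transfers between remote sessions"
    }
    foreach ($kind in $roles.Keys) {
        $files = @(Get-ChildItem -Path $EvidenceDir -Recurse -File `
            -Filter "Supremo.*.$kind.log" -ErrorAction SilentlyContinue)
        if ($files.Count -eq 0) {
            # Emit a row for the gap so an absent log is visible in the report.
            [pscustomobject]@{
                Log = $kind; Role = $roles[$kind]; File = $null; Bytes = $null
                LastWriteUtc = $null; SHA256 = $null; Status = "NOT COLLECTED"
            }
            continue
        }
        foreach ($f in $files) {
            [pscustomobject]@{
                Log          = $kind
                Role         = $roles[$kind]
                File         = $f.FullName
                Bytes        = $f.Length
                # robocopy /COPY:DAT keeps the source timestamps on the copy.
                LastWriteUtc = $f.LastWriteTimeUtc.ToString("o")
                SHA256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
                Status       = "OK"
            }
        }
    }
}

# Hypothetical output path for the inventory report.
Get-SupremoLogInventory |
    Export-Csv -Path "D:\Evidence\Supremo_Log_Inventory.csv" -NoTypeInformation
```

A NOT COLLECTED row for FileTransfer deserves attention first: transferred files may sit outside the Inbox folder, so the collected Inbox alone does not account for them.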

included in collections