UEMS
Appsv1
Author: Abdelkarim CHORFI - CERT CWATCH - ALMOND
description
UEMS Manage Engine Agent
paths
2 paths
RMM Tool — Unified endpoint management and security solutions from ManageEngine
C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs\*.log — Collects all UEMS agent logs from the system-wide install location
RMM Tool — Unified endpoint management and security solutions from ManageEngine
C:\Users\%user%\AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs\*.log — Collects per-user UEMS agent logs (the per-user VirtualStore redirect of the path above; check every profile under C:\Users, not only the account running the collection)
Paths use Windows environment syntax; %user% stands for each user profile directory under C:\Users.
collection commands
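# PowerShell Artifact Collection Script
# Target: UEMS (ManageEngine UEMS_Agent logs)
# Run as Administrator
#Requires -RunAsAdministrator
# Report errors instead of hiding them. With "SilentlyContinue" a failed or
# empty Copy-Item leaves no trace, so the analyst cannot tell "this host has
# no logs" from "collection failed". "Continue" prints the error and carries on
# with the remaining artifacts, so the run still completes.
$ErrorActionPreference = "Continue"
# Evidence root. This should be a volume other than the one under examination
# (external media or a mapped share), so that collecting evidence does not
# write over the disk being collected from. Adjust to the drive in use.
$DestBase = "D:\Evidence"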
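# Copy every file matched by $SourcePath into $DestBase\$FolderName and append
# one SHA-256 manifest row per copied file to $DestBase\collection_manifest.csv.
#
# Parameters:
#   SourcePath - path or wildcard (e.g. "...\logs\*.log") handed to Copy-Item.
#   FolderName - sub-folder of $DestBase that receives the copies; created if absent.
# Globals: reads $DestBase.
# Notes:
#   * Copy-Item -Force overwrites a same-named file already present in
#     $FolderName, so every source must get its own FolderName.
#   * Only the items matched directly by $SourcePath are hashed; files brought
#     in by -Recurse from a matched sub-directory are copied but not listed.
#   * The copy's own file-system timestamps are not evidence of anything, so the
#     source's LastWriteTimeUtc is recorded in the manifest alongside the hash.
function Collect-Artifact {
    param (
        [string]$SourcePath,
        [string]$FolderName
    )
    $FullDest = Join-Path -Path $DestBase -ChildPath $FolderName
    $Manifest = Join-Path -Path $DestBase -ChildPath "collection_manifest.csv"
    if (-not (Test-Path -Path $FullDest)) {
        New-Item -ItemType Directory -Path $FullDest -Force | Out-Null
    }
    # A missing or empty source is a finding, not a silent no-op.
    if ([string]::IsNullOrEmpty($SourcePath) -or -not (Test-Path -Path $SourcePath)) {
        Write-Warning "Collect-Artifact: nothing matched '$SourcePath' (skipped)"
        return
    }
    Copy-Item -Path $SourcePath -Destination $FullDest -Recurse -Force
    # Hash the copy that was actually written, so a later Get-FileHash on the
    # evidence can be checked against this manifest.
    Get-Item -Path $SourcePath -Force |
        Where-Object { -not $_.PSIsContainer } |
        ForEach-Object {
            $Copy = Join-Path -Path $FullDest -ChildPath $_.Name
            [PSCustomObject]@{
                Source             = $_.FullName
                Destination        = $Copy
                SourceLastWriteUtc = $_.LastWriteTimeUtc.ToString("o")
                SHA256             = (Get-FileHash -Path $Copy -Algorithm SHA256).Hash
                CollectedUtc       = (Get-Date).ToUniversalTime().ToString("o")
            }
        } |
        Export-Csv -Path $Manifest -NoTypeInformation -Append
}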
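# 1. Unified endpoint management and security solutions from ManageEngine
#    (system-wide install location)
Collect-Artifact -SourcePath "C:\Program Files (x86)\ManageEngine\UEMS_Agent\logs\*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine"
# 2. Same artifact under each user's VirtualStore redirect
#    (C:\Users\<user>\AppData\Local\VirtualStore\...). Every profile under
#    C:\Users is enumerated rather than using $env:USERPROFILE, which in an
#    elevated shell is only the administrator's own profile. Each user's copies
#    go to their own folder so that a log with the same file name does not
#    overwrite the system-wide copy collected above (Copy-Item -Force would).
$VirtualStoreTail = "AppData\Local\VirtualStore\Program Files (x86)\ManageEngine\UEMS_Agent\logs"
Get-ChildItem -Path "C:\Users" -Directory -Force | ForEach-Object {
    $UserPath = Join-Path -Path $_.FullName -ChildPath $VirtualStoreTail
    if (Test-Path -Path "$UserPath\*.log") {
        Collect-Artifact -SourcePath "$UserPath\*.log" -FolderName "Unified_endpoint_management_and_security_solutions_from_ManageEngine_VirtualStore_$($_.Name)"
    }
}
Write-Host "Collection complete!" -ForegroundColor Green
# Save as .ps1 and run as Administrator. Use: powershell -ExecutionPolicy Bypass -File script.ps1
# (-ExecutionPolicy Bypass affects only this process; run the script from
# known-good media and keep its hash with the evidence, since the collector
# itself runs with administrator rights on the host being examined.)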