
Wrong information on remote collection

Open compr00t opened this issue 9 years ago • 4 comments

If you collect the information from a remote system, most of the data is useless because the script is reading information from the current security context, which is of course my own remote login and not the user currently logged on to the infected computer. To do a good and full investigation it would be important to get information about the user who triggered the infection...

Any solution for that?

compr00t avatar Aug 10 '15 12:08 compr00t

Yeah, that's correct. You will get process and system data, but the user context will be related to whatever account you used to run the scan. I'll look into a way to possibly migrate processes or something similar to target the appropriate user. That should be doable as long as the script is run with a DA account.

Thanks!

— Reply to this email directly or view it on GitHub https://github.com/gfoss/PSRecon/issues/2.

gfoss avatar Aug 10 '15 19:08 gfoss

Any progress so far?

compr00t avatar Oct 05 '15 12:10 compr00t

Unfortunately I haven't had much time to dig into this one yet. Hope to have a resolution soon.

gfoss avatar Oct 07 '15 21:10 gfoss

Hi,

Yeah, I feel the same pain, as the target user is none other than the user the script is currently running under. One way I could think of is to get the list of all active users and loop over each user to collect that user's data. Any thoughts?

Also, some of the extracted output is not parsed into the main HTML file (such as Downloads, installed software, etc.).

On a separate note, the script is still useful and I appreciate your efforts in this regard.

Mackousko12 avatar Apr 04 '18 10:04 Mackousko12
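
A sketch of the per-user loop suggested in the comment above, added here as an example; it is not PSRecon code. The function name `Get-RemoteUserContext` is hypothetical, and it assumes PowerShell remoting is enabled on the target, the collecting account is a local administrator there, and Downloads sits in its default profile location.

```powershell
# Added example (not part of PSRecon). Get-RemoteUserContext is a hypothetical name.
function Get-RemoteUserContext {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [System.Management.Automation.PSCredential]$Credential
    )
    $remote = @{ ComputerName = $ComputerName }
    if ($Credential) { $remote.Credential = $Credential }

    Invoke-Command @remote -ScriptBlock {
        # Loaded, non-special profiles: the hive is mounted under HKEY_USERS because
        # the user has a session or processes on the box. This is the user context
        # that HKCU and $env:USERPROFILE of the collecting account never show.
        $profiles = Get-CimInstance -ClassName Win32_UserProfile |
            Where-Object { -not $_.Special -and $_.Loaded }

        foreach ($p in $profiles) {
            # Resolve the SID to DOMAIN\user; fall back to the raw SID if lookup fails.
            try {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch { $account = $p.SID }

            # Per-user autoruns, read from HKEY_USERS\<SID> instead of HKCU.
            $runKey = "Registry::HKEY_USERS\$($p.SID)\Software\Microsoft\Windows\CurrentVersion\Run"
            $run = @()
            if (Test-Path -Path $runKey) {
                $key = Get-Item -Path $runKey
                $run = foreach ($name in $key.GetValueNames()) {
                    '{0} = {1}' -f $name, $key.GetValue($name)
                }
            }

            # Most recent files in that user's Downloads folder (default location assumed).
            $dl = Join-Path -Path $p.LocalPath -ChildPath 'Downloads'
            $downloads = @()
            if (Test-Path -Path $dl) {
                $downloads = Get-ChildItem -Path $dl -File -ErrorAction SilentlyContinue |
                    Sort-Object -Property LastWriteTime -Descending |
                    Select-Object -First 20 -Property Name, Length, LastWriteTime
            }

            [pscustomobject]@{
                Account = $account; Sid = $p.SID; ProfilePath = $p.LocalPath
                LastUseTime = $p.LastUseTime; RunKey = @($run); Downloads = @($downloads)
            }
        }
    }
}
```

Each returned object is tied to a SID, so the collected artifacts can be attributed to the user on the target instead of the account that ran the scan.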