Monitoring with PowerShell: Monitoring interactive system execution

Kelvin Tegelaar | 29 Aug, 2021 | 2 Mins Read

So this is a bit of a weird one, and more of an experimental idea than something I actually use in production. A friend of mine is using my PSexec monitoring script. He just has a couple of issue with that; he’s running an application that actively uses psexec to create some elevation. That’s quite annoying because he lost the ability to monitor weird behavior for that client.

To solve that, this is an alternative monitoring script that monitors any SYSTEM running application that does not have the session ID 0. Session ID 0 is normally only used for services, and things that are supposed to be running as SYSTEM. When you have an application running under any other session ID it means it has used an interactive logon; such as psexec stimulates or other remote execution tools.

Some applications might run as an interactive session, on my machine for example the Realtek audio suite does, you’ll need to exclude those processes.

$ExcludedList = "RtkAuduService64","Winlogon","SomeRMMApp"

$StrangeProcesses = get-process -IncludeUserName | Where-Object {$_.username -like "\*SYSTEM" -and $_.SessionId -ne 0 -and $\_.ProcessName -notin $ExcludedList}

if($StrangeProcesses){
Write-Host "Processes found running as system inside an interactive session. Please investigate"
$StrangeProcesses
} else {
write-host "Healthy. No processes found."
}

So with this, you’ll have a potential early warning system that is able to monitor weird execution in your environment. I’ve tested this with several tricks to self elevate and it was able to catch them early. 🙂

As always, Happy PowerShelling 🙂

CyberDrain CTF returns! (and so do I!)

It’s been since september that I actually picked up a digital pen equivalent and wrote anything down. This was due to me being busy with life but also my side projects like CIPP. I’m trying to get back into the game of scripting and blogging about these scripts. There’s still so much to automate and so little time, right? ;)

Intro

This is a monitoring script requested via Reddit, One of the reddit r/msp users wondered how they can monitor Acronis a little bit easier. I jumped on this because it happened pretty much at the same time that I was asked to speak at the Acronis CyberSummit so it kinda made sense to script this so I have something to demonstrate at my session there.

Intro

Wow! It’s been a while since I’ve blogged. I’ve just been so swamped with CIPP that I’ve just let the blogging go entirely. It’s a shame because I think out of all my hobbies it’s one I enjoy the most. It’s always nice helping others achieve their scripting target. I even got a couple of LinkedIn questions asking if I was done with blogging but I’m not. Writing always gives me some more piece of mind so I’ll try to catch up again. I know I’ve said that before but this time I’ll follow through. I’m sitting down right now and scheduling the release of 5 blogs in one go. No more whining and no more waiting.