Alert but not processes shown for Cyberdrain Monitoring Interactive System Execution script

When I run this, I have found more than a few that alert with “Processes found running as system inside an interactive session. Please investigate.” However, it doesn’t show the processes running as system. So do I have to manually search all processes on each machine, or should the alert show the processes running as system, or is there something else I can do to make this a more useful script to run?

Here’s a modified version that should output the processes:

Import-Module $env:SyncroModule
# $ExcludedList is the comma-separated Syncro script variable of process names to ignore
$ExcludedList = $ExcludedList -split ","

# -IncludeUserName needs an elevated token; session 0 is the non-interactive services session,
# so anything owned by SYSTEM in another session is worth a look. Out-String keeps the table
# as text so it can be dropped straight into the alert body.
$StrangeProcesses = Get-Process -IncludeUserName | Where-Object { $_.UserName -like "*SYSTEM" -and $_.SessionId -ne 0 -and $_.ProcessName -notin $ExcludedList } | Out-String

if ($StrangeProcesses) {
    Rmm-Alert -Category 'Security' -Body "Processes found running as system inside an interactive session: $StrangeProcesses"
    if ($CreateTicket -eq "Yes") {
        Create-Syncro-Ticket -Subject "Security issues found: System Execution" -IssueType "Security" -Status "New"
    }
}

Or if you don’t want the table and just care about the process name you can replace the middle line with:

$StrangeProcesses = (Get-Process -IncludeUserName | Where-Object { $_.UserName -like "*SYSTEM" -and $_.SessionId -ne 0 -and $_.ProcessName -notin $ExcludedList }).ProcessName | Out-String
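As an added example (not isaacg's script and not Syncro's own code), here is the same check wrapped in a function that returns one object per offending process, so the alert body carries the PID, session number and image path rather than only a name, and so a failed Get-Process -IncludeUserName (which throws when the shell is not elevated) surfaces as an error instead of a silent "nothing found". It assumes the Syncro pieces already on this page ($ExcludedList, $CreateTicket, Rmm-Alert, Create-Syncro-Ticket); the function name Get-SystemInteractiveProcess and its -Exclude parameter are my own.

```powershell
# Added example, not from the original post. Lists SYSTEM-owned processes that live
# outside session 0 (session 0 hosts services; interactive desktops are session 1 and up).
function Get-SystemInteractiveProcess {
    param(
        # Process names (without .exe) to ignore; mirrors the $ExcludedList script variable.
        [string[]]$Exclude = @()
    )

    # -IncludeUserName needs an elevated token. Under a non-elevated shell it throws, and
    # letting that through matters: a swallowed error would look like a clean machine.
    try {
        $procs = Get-Process -IncludeUserName -ErrorAction Stop
    }
    catch {
        throw "Get-Process -IncludeUserName failed (run elevated / as SYSTEM): $($_.Exception.Message)"
    }

    $procs |
        Where-Object {
            # '*\SYSTEM' is a little tighter than '*SYSTEM': it wants the account name itself,
            # not merely a name that happens to end in those letters.
            $_.UserName -like '*\SYSTEM' -and
            $_.SessionId -ne 0 -and
            $_.ProcessName -notin $Exclude
        } |
        Select-Object Id, ProcessName, SessionId, UserName, Path
}

# Usage as it would sit in the RMM script. $ExcludedList, $CreateTicket, Rmm-Alert and
# Create-Syncro-Ticket are the Syncro pieces from the original post.
$Exclusions = @()
if ($ExcludedList) { $Exclusions = ($ExcludedList -split ',').Trim() }

$Strange = Get-SystemInteractiveProcess -Exclude $Exclusions

if ($Strange) {
    # Format-Table keeps the alert readable; -AutoSize avoids truncated path columns.
    $Body = "Processes found running as SYSTEM inside an interactive session:`n" +
            ($Strange | Format-Table Id, ProcessName, SessionId, Path -AutoSize | Out-String)
    Rmm-Alert -Category 'Security' -Body $Body
    if ($CreateTicket -eq 'Yes') {
        Create-Syncro-Ticket -Subject 'Security issues found: System Execution' -IssueType 'Security' -Status 'New'
    }
}
```

Because the function returns objects, the same output can be piped to Export-Csv or compared against a known-good baseline on the next run, which is usually how the excluded list gets built up in the first place.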

BLESSINGS UPON YOU, ISAACG! Thank you so much!

Did you try it? What results did you get?