When I run this, I have found more than a few that alert with “Processes found running as system inside an interactive session. Please investigate.” However, it doesn’t show the processes running as system. So do I have to manually search all processes on each machine, or should the alert show the processes running as system, or is there something else I can do to make this a more useful script to run?
Here’s a modified version that should output the processes:
Import-Module $env:SyncroModule
# $ExcludedList and $CreateTicket are Syncro script variables; the list is a comma-separated string.
# Trim each entry so "conhost, dwm" still excludes dwm.
$ExcludedList = $ExcludedList -split "," | ForEach-Object { $_.Trim() }
# Get-Process -IncludeUserName needs an elevated session (the Syncro agent runs as SYSTEM, so that is fine).
# Session 0 is the non-interactive services session; anything SYSTEM-owned outside it is what we want to see.
$StrangeProcesses = Get-Process -IncludeUserName | Where-Object { $_.UserName -like "*SYSTEM" -and $_.SessionId -ne 0 -and $_.ProcessName -notin $ExcludedList } | Out-String
if ($StrangeProcesses) {
# Out-String turns the matching process objects into the usual Get-Process table, which goes into the alert body.
Rmm-Alert -Category 'Security' -Body "Processes found running as system inside an interactive session: $StrangeProcesses"
if ($CreateTicket -eq "Yes") {
Create-Syncro-Ticket -Subject "Security issues found: System Execution" -IssueType "Security" -Status "New"
}
}
Or, if you don’t want the table and just care about the process name, you can replace the middle line with:
# Same filter, but only the ProcessName column, one name per line.
$StrangeProcesses = (Get-Process -IncludeUserName | Where-Object { $_.UserName -like "*SYSTEM" -and $_.SessionId -ne 0 -and $_.ProcessName -notin $ExcludedList }).ProcessName | Out-String
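As an added example (not the script posted above, and not Syncro's code), here is a version of the same check that identifies SYSTEM by its well-known SID instead of the account name, so it works on non-English Windows where the account is not called "NT AUTHORITY\SYSTEM", and that puts PID, session and executable path in the alert body. It assumes it runs elevated (as the Syncro agent does). The function and variable names, the `Get-ProcessOwnerRecord` collector and the sample process list are all mine; the sample is constructed so the filter can be read and run without a live machine.

```powershell
# Added example, not the original poster's script. Assumes elevation; Win32_Process.GetOwnerSid
# fails for some protected processes, which then have OwnerSid = $null and are not reported.

$LocalSystemSid = 'S-1-5-18'   # well-known SID for LocalSystem, identical on every Windows language

function Get-ProcessOwnerRecord {
    # One flat record per live process, built from CIM so we also get the path and command line.
    foreach ($p in Get-CimInstance -ClassName Win32_Process) {
        $sid = $null
        try {
            $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwnerSid -ErrorAction Stop
            if ($owner.ReturnValue -eq 0) { $sid = $owner.Sid }
        } catch { }
        [pscustomobject]@{
            Name        = $p.Name
            ProcessId   = $p.ProcessId
            SessionId   = $p.SessionId
            OwnerSid    = $sid
            Path        = $p.ExecutablePath
            CommandLine = $p.CommandLine
        }
    }
}

function Find-StrangeSystemProcess {
    param(
        [Parameter(Mandatory)] [object[]] $ProcessList,
        [string[]] $Excluded = @()
    )
    # Normalise the exclusion list: split on commas, trim, drop empties, strip a trailing ".exe"
    # so "conhost" and "conhost.exe" both match Win32_Process.Name.
    $excl = $Excluded -split ',' |
        ForEach-Object { $_.Trim() -replace '\.exe$', '' } |
        Where-Object { $_ }
    $ProcessList | Where-Object {
        $_.SessionId -ne 0 -and                          # session 0 = services, not interactive
        $_.OwnerSid -eq $LocalSystemSid -and             # owned by LocalSystem, locale-independent
        (($_.Name -replace '\.exe$', '') -notin $excl)   # not on the exclusion list
    }
}

function Format-AlertBody {
    param([object[]] $Hits)
    # One line per hit, grouped by session, so the RMM alert stays readable.
    $lines = foreach ($h in $Hits | Sort-Object SessionId, Name) {
        'session {0}: {1} (PID {2}) {3}' -f $h.SessionId, $h.Name, $h.ProcessId, $h.Path
    }
    "Processes found running as SYSTEM inside an interactive session:`n" + ($lines -join "`n")
}

# Constructed sample (not real telemetry) standing in for Get-ProcessOwnerRecord output.
$sample = @(
    [pscustomobject]@{ Name='svchost.exe';   ProcessId=900;  SessionId=0; OwnerSid='S-1-5-18';             Path='C:\Windows\System32\svchost.exe' }
    [pscustomobject]@{ Name='conhost.exe';   ProcessId=4100; SessionId=1; OwnerSid='S-1-5-18';             Path='C:\Windows\System32\conhost.exe' }
    [pscustomobject]@{ Name='cmd.exe';       ProcessId=4200; SessionId=1; OwnerSid='S-1-5-18';             Path='C:\Windows\System32\cmd.exe' }
    [pscustomobject]@{ Name='explorer.exe';  ProcessId=4300; SessionId=1; OwnerSid='S-1-5-21-1-2-3-1001';  Path='C:\Windows\explorer.exe' }
)
$hits = Find-StrangeSystemProcess -ProcessList $sample -Excluded 'conhost, dwm.exe'
# Only cmd.exe (PID 4200) survives: svchost is in session 0, conhost is excluded, explorer is a normal user.
Format-AlertBody -Hits $hits

# Live use inside a Syncro script (same filter, real data; $ExcludedList is the script variable):
# Import-Module $env:SyncroModule
# $hits = Find-StrangeSystemProcess -ProcessList (Get-ProcessOwnerRecord) -Excluded $ExcludedList
# if ($hits) { Rmm-Alert -Category 'Security' -Body (Format-AlertBody -Hits $hits) }
```

Matching on the SID rather than `-like "*SYSTEM"` also avoids a false positive on any user account whose name happens to end in SYSTEM, and keeping the path and PID in the alert means you can go straight to the offending binary instead of re-enumerating processes on the endpoint.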
BLESSINGS UPON YOU, ISAACG! Thank you so much!
Did you try it? What results did you get?