Merge pull request #871 from dfirtnt/master

Added a Xeox target and updated the remoteMonitoring compound with 3 targets
EricZimmerman · Sep 8, 2023 · 91b2848 · 91b2848
2 parents e9ecc9e + cd4856b
commit 91b2848
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/Targets/Apps/Xeox.tkape b/Targets/Apps/Xeox.tkape
@@ -0,0 +1,15 @@
+Description: Xeox Application Logs
+Author: Andrew Skatoff @DFIR_TNT
+Version: 1.0
+Id: 5e2c322f-616c-42e4-9cd7-4546cf2412e6
+RecreateDirectories: true
+Targets:
+    -
+        Name: Xeox RMM Client Application logs
+        Category: ApplicationLogs
+        Path: C:\Program Files\Xeox
+        FileMask: '*.log'
+        Comment: "Contains Application Log entries such as service start and incomming connections."
+
+# Documentation
+# https://dfirtnt.wordpress.com/2023/08/01/rmm-xeox-client-side-evidence/
diff --git a/Targets/Compound/RemoteAdmin.tkape b/Targets/Compound/RemoteAdmin.tkape
@@ -4,6 +4,10 @@ Version: 1.9
 Id: 31cf5a4e-c44c-4457-b11f-74dca73e141b
 RecreateDirectories: true
 Targets:
+    -
+        Name: Action1
+        Category: ApplicationLogs
+        Path: Action1.tkape
     -
         Name: Ammyy
         Category: ApplicationLogs
@@ -24,6 +28,10 @@ Targets:
         Name: Kaseya
         Category: ApplicationLogs
         Path: Kaseya.tkape
+    -
+        Name: Level
+        Category: ApplicationLogs
+        Path: Level.tkape
     -
         Name: LogMeIn
         Category: ApplicationLogs
@@ -81,6 +89,10 @@ Targets:
         Name: VNC
         Category: ApplicationLogs
         Path: VNCLogs.tkape
+    -
+        Name: Xeox
+        Category: ApplicationLogs
+        Path: Xeox.tkape
     -
         Name: ZohoAssist
         Category: ApplicationLogs