topic Re: is there a way to pass the password to cytool via cmd? in Cortex XDR Discussions

is there a way to pass the password to cytool via cmd?

Nachum — Fri, 04 Sep 2020 17:14:15 GMT

let say I want to run protect disable on 100 computers.... I tried the following but didn't work:

C:\PSTools>psexec -i -d -s \\pc100 cmd /c echo 5Nstall22#| "c:\program files\Palo Alto Networks\Traps\cytool.exe" protect disable

5Nstalll22# is the pass....

thank you!

Re: is there a way to pass the password to cytool via cmd?

Nachum — Fri, 04 Sep 2020 17:15:52 GMT

btw:

echo 5Nstall22#| "c:\program files\Palo Alto Networks\Traps\cytool.exe" protect disable

this works locally...

Re: is there a way to pass the password to cytool via cmd?

Max.Segura — Sat, 05 Sep 2020 01:48:28 GMT

Try this:

wmic /node:"COMPUTERNAME" process call create "cmd /c echo 5Nstall22# | 'c:\program files\Palo Alto Networks\Traps\cytool.exe' protect disable"

If that doesn't work, you can try the following bat:

@echo off echo echo 5Nstall22# ^| "c:\program files\Palo Alto Networks\Traps\cytool.exe" protect disable > c:\tmp\cytool.bat wmic /node:"COMPUTERNAME" process call create "cmd /c c:\tmp\cytool.bat"

You also have other possibilities by running, one time, remote scheduled tasks. You have options.

Re: is there a way to pass the password to cytool via cmd?

Nachum — Mon, 07 Sep 2020 14:41:41 GMT

thank you! the results I got was:

Executing (Win32_Process)->Create()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ProcessId = 5032;
ReturnValue = 0;
};

--------------------------------------------------

yet the query shows its still Enabled...

--------------------------------------------------

c:\PSTools>psexec -i -d -s \\9020m-77 cmd /c "c:\program files\Palo Alto Networks\Traps\cytool.exe" protect query
Connecting to 9020m-77...Protection Mode State
Process Enabled Enabled
Registry Enabled Enabled
File Enabled Enabled
Service Enabled Enabled
Starting cmd on 9020m-77...ice on 9020m-77...
cmd started on 9020m-77 with process ID 5044.

-----------------------------------------------

Thank you though, you are right, I have other options... I decided to just use the web console to update the agents... it was more of a challenge and if it did work, I would use it in the future in other cases where its needed.

Re: is there a way to pass the password to cytool via cmd?

mrowland — Mon, 13 Sep 2021 04:46:05 GMT

You have to make sure there is no space between the end of the password and the | otherwise the space is included as part of the password.

Re: is there a way to pass the password to cytool via cmd?

LLevitchi — Tue, 26 Mar 2024 16:27:30 GMT

You can also use a PowerShell script for that, e.g. for a list of servers, like:

param( [Parameter(Mandatory = $true)] [string[]]$servers ) Set-Location -Path $PSScriptRoot # Assuming $Secret:cortexpass is how you're securely storing and accessing the password # Ensure you have a secure method to access this password in the context of the remote session $password = $Secret:cortexpass $cytoolPath = 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe' $scriptBlock = { param($password, $cytoolPath) $processStartInfo = New-Object System.Diagnostics.ProcessStartInfo $processStartInfo.FileName = $cytoolPath $processStartInfo.Arguments = "protect disable" $processStartInfo.RedirectStandardInput = $true $processStartInfo.UseShellExecute = $false $process = [System.Diagnostics.Process]::Start($processStartInfo) $process.StandardInput.WriteLine($password) $process.StandardInput.Close() $process.WaitForExit() } foreach ($server in $servers) { try { Invoke-Command -ComputerName $server -ScriptBlock $scriptBlock -ArgumentList $password, $cytoolPath Write-Output "Successfully disabled tamper protection on $server." } catch { Write-Output "Failed to disable tamper protection on $server. Error: $_" } }