topic Re: Cortex XDR : Run Endpoint Script in Cortex XDR Discussions

Cortex XDR : Run Endpoint Script

jourEnMulticast — Mon, 27 Nov 2023 17:26:31 GMT

Hello Everyone,

I have an issue with the action "Run Endpoint Script".

I want to trigger an executable file (.exe) through the "Run Endpoint Script" action from . This executable is used to uninstall a specific software (It is not installed with MSI file, the executable file is the only way to uninstall it). I want to use the endpoint script to get the job done in a massive way

I tried several things (subprocess with commands on my own, got inspired from the Palo Alto default script to launch command, etc.). All of those, when launched on the host itself or from the Live Terminal in the Cortex XDR console worked, ALL.

But, my issue is, when launched from the "Run Endpoint Script" action, it just does not work and the logfile 'cortex-xdr-payload' does not help.

With subprocess, I tend to have the following command and arg (The path is also not an issue. I also tried to redirect the output to a file. It is well added to the correct path).

'start /B myExecutableFile.exe /S' -> cmd style

This executable file requires some elevated privileges but as we launch it through the "Run Endpoint Script" action, we should be OK, because it is launched in SYSTEM context.

As input in the configuration of the script, I choose "run by entrypoint", my function named "run".

Thank you for your help !

Antoine.

Re: Cortex XDR : Run Endpoint Script

jmazzeo — Mon, 04 Dec 2023 14:44:35 GMT

Hi @jourEnMulticast, thanks for contacting us using the Live Community.

Can you share the script that you are trying to run on the endpoints? Remove the confidential info from it if necessary.

Thanks

Re: Cortex XDR : Run Endpoint Script

jourEnMulticast — Wed, 06 Dec 2023 17:44:27 GMT

Hello !

The code is as follows. I took the liberty of getting some sample codes from default XDR script.

import os import subprocess import traceback import psutil import shlex import sys import ctypes def run(): if psutil.WINDOWS: return run_commands(remove_Software()) def run_commands(os_commands): print("op") result = dict() if psutil.WINDOWS: shell_encoding = "cp" + repr(ctypes.windll.kernel32.GetConsoleOutputCP()) else: shell_encoding = "utf-8" sys.stdout.write(f"shell_encoding={shell_encoding}\n") for details, commands in os_commands.items(): result[details] = list() for command in commands: if psutil.WINDOWS: args = shlex.split(command, posix=False) print(args) else: # In POSIX env, to run in the context of shell, we pass the command as argument # e.g. the process to be execute will be: "/bin/sh -c {command}" args = [command] try: sys.stdout.write(f"Running command <{command}>\n") print(os.getcwd()) with subprocess.Popen(args=args, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, encoding=shell_encoding, text=True, cwd=r"C:\Program Files (x86)\path_software_to_uninstall") as process: stdout_data, stderr_data = process.communicate() if stderr_data: sys.stderr.write(f"stderr: \n{stderr_data}\n") if stdout_data: sys.stdout.write(f"stdout: \n{stdout_data}\n") result[details].extend(stdout_data.splitlines()) except Exception: sys.stderr.write(f"Failed open command: <{command}>, error: {traceback.format_exc()}") if len(result[details]) == 0: result[details] = None return result def remove_Software(): return {"remove_Software":["start /B uninst.exe /S > test.log"]}

Thanks !

Antoine.