Cortex XDR : Run Endpoint Script

L0 Member

Hello Everyone,

I have an issue with the action "Run Endpoint Script".

I want to trigger an executable file (.exe) through the "Run Endpoint Script" action from Cortex XDR. This executable is used to uninstall a specific software (it is not installed with an MSI file; the executable file is the only way to uninstall it). I want to use the endpoint script to get the job done at scale.

I tried several things (subprocess with my own commands, took inspiration from the Palo Alto default script to launch commands, etc.). All of those worked when launched on the host itself or from the Live Terminal in the Cortex XDR console, ALL of them.

But my issue is that when launched from the "Run Endpoint Script" action, it just does not work, and the logfile 'cortex-xdr-payload' does not help.

With subprocess, I tend to have the following command and args (the path is also not an issue; I also tried to redirect the output to a file, and it is indeed created at the correct path).

'start /B myExecutableFile.exe /S' -> cmd style

This executable file requires elevated privileges, but as we launch it through the "Run Endpoint Script" action we should be OK, because it is launched in the SYSTEM context.

As input in the configuration of the script, I chose "run by entrypoint", with my function named "run".

Thank you for your help!

Antoine.

2 REPLIES

L5 Sessionator

Hi @jourEnMulticast, thanks for contacting us using the Live Community.

Can you share the script that you are trying to run on the endpoints? Remove the confidential info from it if necessary.

Thanks

JM

Hello!

The code is as follows. I took the liberty of reusing some sample code from the default XDR scripts.

import os
import subprocess
import traceback
import psutil
import shlex
import sys
import ctypes

def run():
    # Entry point selected in the action configuration ("run by entrypoint").
    if psutil.WINDOWS:
        return run_commands(remove_Software())

def run_commands(os_commands):
    print("op")  # debug marker to confirm the function was entered
    result = dict()

    # Decode the shell output with the console code page on Windows, UTF-8 elsewhere.
    if psutil.WINDOWS:
        shell_encoding = "cp" + repr(ctypes.windll.kernel32.GetConsoleOutputCP())
    else:
        shell_encoding = "utf-8"

    sys.stdout.write(f"shell_encoding={shell_encoding}\n")

    for details, commands in os_commands.items():
        result[details] = list()
        for command in commands:
            if psutil.WINDOWS:
                # Windows-style splitting keeps backslashes in paths intact.
                args = shlex.split(command, posix=False)
                print(args)
            else:
                # In a POSIX env, to run in the context of a shell, we pass the command as a single argument,
                # e.g. the process to be executed will be: "/bin/sh -c {command}"
                args = [command]
            try:
                sys.stdout.write(f"Running command <{command}>\n")
                print(os.getcwd())
                # shell=True is needed because "start" is a cmd.exe built-in, not an executable.
                # cwd must exist on the endpoint, otherwise Popen raises before the command runs.
                with subprocess.Popen(args=args, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                      encoding=shell_encoding, text=True,
                                      cwd=r"C:\Program Files (x86)\path_software_to_uninstall") as process:
                    stdout_data, stderr_data = process.communicate()
                    if stderr_data:
                        sys.stderr.write(f"stderr: \n{stderr_data}\n")
                    if stdout_data:
                        sys.stdout.write(f"stdout: \n{stdout_data}\n")
                        result[details].extend(stdout_data.splitlines())
            except Exception:
                sys.stderr.write(f"Failed open command: <{command}>, error: {traceback.format_exc()}")
        if len(result[details]) == 0:
            result[details] = None

    return result

def remove_Software():
    # One command per entry; the output is redirected to test.log in the cwd above.
    return {"remove_Software":["start /B uninst.exe /S > test.log"]}


Thanks!

Antoine.
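An added example, not code from the thread or from Palo Alto's default scripts, that shows what the posted script never reports: the uninstaller's exit code. In cmd.exe, `start` returns as soon as it has launched the program unless `/WAIT` is given, so the `communicate()` in the script above finishes when cmd.exe exits, not when the uninstaller does, and neither its exit code nor its output is captured. The example launches the executable directly (no cmd.exe, no `start`), waits with a timeout, and returns a report dict that distinguishes a missing working directory, a missing executable, a hang and a real non-zero exit. `UNINSTALLER_DIR`, `uninst.exe` and `/S` are the values from the thread; `REPORT_PATH`, `TIMEOUT_SECONDS` and the `simulate()` dry run, which uses this interpreter as a constructed stand-in for the uninstaller, are assumptions for illustration.

```python
import json
import os
import subprocess
import sys
import tempfile
import time

# Values taken from the thread; the real path and silent switch come from the vendor.
UNINSTALLER_DIR = r"C:\Program Files (x86)\path_software_to_uninstall"
UNINSTALLER_EXE = "uninst.exe"
SILENT_ARGS = ["/S"]
# Hypothetical: where the JSON report is written when the real entry point runs.
REPORT_PATH = os.path.join(tempfile.gettempdir(), "uninstall_report.json")
TIMEOUT_SECONDS = 600  # assumed upper bound for a silent uninstall


def run_uninstaller(cwd, exe, args, timeout=TIMEOUT_SECONDS):
    """Launch the uninstaller directly, wait for it, and return a report dict.

    No cmd.exe and no 'start': the process we wait on is the uninstaller
    itself, so its exit code and output are captured. A missing working
    directory, a missing executable or a hang produce an 'error' string
    instead of an exception, so the action result always explains itself.
    """
    report = {"cwd": cwd, "command": [exe] + list(args), "returncode": None,
              "stdout": "", "stderr": "", "error": None, "elapsed_s": None}
    if not os.path.isdir(cwd):
        report["error"] = f"working directory not found: {cwd}"
        return report
    started = time.monotonic()
    try:
        completed = subprocess.run(report["command"], cwd=cwd, capture_output=True,
                                   text=True, errors="replace", timeout=timeout)
        report["returncode"] = completed.returncode
        report["stdout"] = completed.stdout
        report["stderr"] = completed.stderr
    except subprocess.TimeoutExpired:
        # subprocess.run has already killed the child when this is raised.
        report["error"] = f"timed out after {timeout}s"
    except OSError as exc:  # FileNotFoundError, PermissionError, ...
        report["error"] = f"{type(exc).__name__}: {exc}"
    report["elapsed_s"] = round(time.monotonic() - started, 3)
    return report


def simulate(exit_code, message, sleep_s=0.0, timeout=TIMEOUT_SECONDS):
    """Dry run: this interpreter stands in for the uninstaller (constructed input)."""
    stub = (f"import sys, time; time.sleep({sleep_s}); "
            f"print({message!r}); sys.exit({exit_code})")
    return run_uninstaller(os.getcwd(), sys.executable, ["-c", stub], timeout=timeout)


def render_report(report):
    return json.dumps(report, indent=2)


def run():
    """Entry point for the Cortex XDR 'run by entrypoint' setting (function named 'run')."""
    report = run_uninstaller(UNINSTALLER_DIR,
                             os.path.join(UNINSTALLER_DIR, UNINSTALLER_EXE),
                             SILENT_ARGS)
    text = render_report(report)
    sys.stdout.write(text + "\n")
    with open(REPORT_PATH, "w", encoding="utf-8") as fh:
        fh.write(text)
    # Success means no error string and the vendor's documented success exit code.
    return report


if __name__ == "__main__":
    print(render_report(simulate(3, "stand-in uninstaller finished")))
```

Running the file directly exercises the dry run and prints a report with `returncode: 3`; the same dict is what `run()` returns when the action invokes the entry point, so a hang, a wrong path or a failing uninstall each show up as a distinct field rather than as an empty log.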

  • 1591 Views
  • 2 replies
  • 0 Likes