11-27-2023 09:26 AM
Hello Everyone,
I have an issue with the action "Run Endpoint Script".
I want to trigger an executable file (.exe) through the "Run Endpoint Script" action from Cortex XDR. This executable is used to uninstall a specific software (it is not installed with an MSI file, the executable file is the only way to uninstall it). I want to use the endpoint script to get the job done in a massive way.
I tried several things (subprocess with commands on my own, got inspired by the Palo Alto default script to launch commands, etc.). All of those, when launched on the host itself or from the Live Terminal in the Cortex XDR console, worked, ALL.
But, my issue is, when launched from the "Run Endpoint Script" action, it just does not work and the logfile 'cortex-xdr-payload' does not help.
With subprocess, I tend to have the following command and arg (The path is also not an issue. I also tried to redirect the output to a file. It is well added to the correct path).
'start /B myExecutableFile.exe /S' -> cmd style
This executable file requires some elevated privileges but as we launch it through the "Run Endpoint Script" action, we should be OK, because it is launched in SYSTEM context.
As input in the configuration of the script, I choose "run by entrypoint", my function named "run".
Thank you for your help!
Antoine.
12-04-2023 06:44 AM
Hi @jourEnMulticast, thanks for contacting us using the Live Community.
Can you share the script that you are trying to run on the endpoints? Remove the confidential info from it if necessary.
Thanks
12-06-2023 09:44 AM
Hello!
The code is as follows. I took the liberty of getting some sample code from the default XDR script.
import os
import subprocess
import traceback
import psutil
import shlex
import sys
import ctypes


def run():
    # Entry point selected in the action ("run by entrypoint" -> run).
    if psutil.WINDOWS:
        return run_commands(remove_Software())


def run_commands(os_commands):
    print("op")  # debug marker to confirm the function was entered
    result = dict()
    if psutil.WINDOWS:
        # Decode child output with the console's code page (e.g. cp437, cp850).
        shell_encoding = "cp" + repr(ctypes.windll.kernel32.GetConsoleOutputCP())
    else:
        shell_encoding = "utf-8"
    sys.stdout.write(f"shell_encoding={shell_encoding}\n")
    for details, commands in os_commands.items():
        result[details] = list()
        for command in commands:
            if psutil.WINDOWS:
                # Keep Windows quoting rules; the list is still run through cmd.exe (shell=True).
                args = shlex.split(command, posix=False)
                print(args)
            else:
                # In a POSIX env, to run in the context of the shell, we pass the command as argument,
                # e.g. the process to be executed will be: "/bin/sh -c {command}"
                args = [command]
            try:
                sys.stdout.write(f"Running command <{command}>\n")
                print(os.getcwd())
                with subprocess.Popen(args=args, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                                      encoding=shell_encoding, text=True,
                                      cwd=r"C:\Program Files (x86)\path_software_to_uninstall") as process:
                    # Note: 'start /B' returns as soon as uninst.exe has been launched, so
                    # communicate() comes back before the uninstaller itself has finished.
                    stdout_data, stderr_data = process.communicate()
                    if stderr_data:
                        sys.stderr.write(f"stderr: \n{stderr_data}\n")
                    if stdout_data:
                        sys.stdout.write(f"stdout: \n{stdout_data}\n")
                        result[details].extend(stdout_data.splitlines())
            except Exception:
                sys.stderr.write(f"Failed open command: <{command}>, error: {traceback.format_exc()}")
        if len(result[details]) == 0:
            result[details] = None
    return result


def remove_Software():
    return {"remove_Software": ["start /B uninst.exe /S > test.log"]}
Thanks!
Antoine.
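As an added example (not Antoine's script and not Palo Alto's sample code): the same entrypoint written so that the action waits for the uninstaller and surfaces its real exit code. It launches the binary directly instead of going through cmd.exe and 'start /B', which hands control back as soon as the child is started. The installation path and the /S switch are placeholders reused from the thread; the function names and the timeout value are my own assumptions.

```python
import subprocess
import sys
from pathlib import Path

# Placeholder path and switch (assumption, reused from the thread; replace with the real ones).
UNINSTALLER = r"C:\Program Files (x86)\path_software_to_uninstall\uninst.exe"
SILENT_ARGS = ["/S"]


def run_uninstaller(exe_path, args=(), cwd=None, timeout=900):
    """Run an uninstaller binary directly and report how it ended.

    The executable is started itself, without cmd.exe or 'start /B', so the
    call blocks until the uninstaller exits and its real exit code is
    returned; 'start /B' returns immediately and would look successful even
    if the uninstaller later fails or is terminated with the script.
    """
    exe = Path(exe_path)
    outcome = {"path": str(exe), "returncode": None, "stdout": "", "stderr": ""}
    if not exe.is_file():
        outcome["status"] = "missing"  # nothing to run: report it instead of passing silently
        return outcome
    try:
        proc = subprocess.run([str(exe), *args], cwd=cwd or str(exe.parent),
                              capture_output=True, text=True, errors="replace",
                              timeout=timeout)
    except subprocess.TimeoutExpired:
        outcome["status"] = "timeout"  # child was killed by subprocess.run after the deadline
        return outcome
    outcome.update(status="ok" if proc.returncode == 0 else "failed",
                   returncode=proc.returncode, stdout=proc.stdout, stderr=proc.stderr)
    return outcome


def run():
    """Entry point for the action's 'run by entrypoint' mode."""
    outcome = run_uninstaller(UNINSTALLER, SILENT_ARGS)
    # Everything written to stdout/stderr is what the action shows for the endpoint.
    sys.stdout.write(f"uninstaller {outcome['path']}: {outcome['status']} "
                     f"(exit code {outcome['returncode']})\n")
    if outcome["stderr"]:
        sys.stderr.write(outcome["stderr"])
    return outcome
```

The returned dictionary is also the script's result, so a missing binary, a non-zero exit code and a timeout are each distinguishable per endpoint instead of all looking like a successful 'start'.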