Python Script isn't being executed completely in Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Python Script isn't being executed completely in Cortex XDR

L0 Member

Hi,

I'm trying to use a Python script in Cortex XDR to execute a certificate installation on Windows machines.

The main goal is to import a certificate.p12 with a password to be installed in all the Windows. However, the script is not behaviour as expected since Cortex XDR allows you to personalize the script you want in Python to be executed in the endpoints.

In local tests, all the scripts being executed in Python so far have had a success in its results. But, as soon as you try to execute the same codes in Cortex Console, only partial commands are executed or nothing happen in endpoint Windows machines.

Here is the script that I'm trying to use in Cortex XDR but isn't working as the local tests are:

 

 

 

import subprocess
import os
import requests

# Path to save the downloaded certificate and the CMD script
cert_file_path = 'C:\\client.p12'
cmd_script_path = 'C:\\install_certificate.cmd'

# URL of the certificate to download
cert_url = 'https://drive.google.com/xxxx'

# Password for the certificate
cert_password = 'test'

# Download the certificate from the URL
response = requests.get(cert_url)
if response.status_code == 200:
with open(cert_file_path, 'wb') as cert_file:
cert_file.write(response.content)
else:
print("Failed to download the certificate.")
exit()

# Content of the new CMD script
cmd_script_content = f"""
@echo off
setlocal

:: Import the certificate using PowerShell
powershell -Command "Import-PfxCertificate -FilePath \"{cert_file_path}\" -Password (ConvertTo-SecureString -String \"{cert_password}\" -AsPlainText -Force) -CertStoreLocation Cert:\\CurrentUser\\My"
echo Certificate installed successfully.

exit /b 0
"""

# Create the new CMD script file
with open(cmd_script_path, 'w') as cmd_script_file:
cmd_script_file.write(cmd_script_content)

# Run the new CMD script
subprocess.run([cmd_script_path], shell=True)

 

 

 


In resume, the client.p12 is hosted on Google driver in a direct link and then the script writes down a Powershell script and save as "install_certificate.cmd". Finally, the script should execute the file saved as "install_certificate.cmd" to import the certificate automatically.

However, in Cortex XDR, the process of downloading the client.p12 from Google Driver and creating a new file in Powershell with the name "install_certificate.cmd" are doing ok. The only step isn't being executed is to start the file "install_certificate.cmd".

Again, if you take this script and execute in a local test installed Python, the script will work quite well. The only problem is with Cortex right now.

I've already changed some process in the script, like, instead of creating a new file as I'm doing right now, working as an alternative B, the right script bellow does the task only needing the certificated client.p12 downloaded with the password (which is more simple than previous script) but nothing works in Cortex XDR again, only the certficate is download to the endpoint:

 

 

 

import requests
import os
import subprocess

# URL of the certificate to download
cert_url = 'https://onedrive.live.com/xxx'
# Path to save the downloaded certificate
cert_file_path = 'client.p12'
# Password for the certificate
cert_password = 'test'

# Download the certificate from the URL
response = requests.get(cert_url)
if response.status_code == 200:
    with open(cert_file_path, 'wb') as cert_file:
        cert_file.write(response.content)
else:
    print("Failed to download the certificate.")
    exit()

# Run PowerShell command to import the certificate
command = f'powershell -Command "certutil -p "test" -importpfx -user client.p12"'
subprocess.run(command, shell=True)

print("Certificate installed successfully.")

 

 

 


Either way, somehow, Cortex isn't getting right to execute the script or something in the script isn't being good to Cortex. I even did one script apart that tries to execute only the file "install_certificate.cmd" after Cortex created the file to import the certificate and download the client.p12 as a first script but it's not working either divinding the script in two parts...

I don't know what to do anymore 😞

Again, I just want to import a certificate p12 with password to the all the Windows machine in mass deployment and not doing it manually like a crazy. It's too many machines for that.

Here the last code I mentioned to execute only the file "install_certificate.cmd" that has been created by Cortex after through the first script but it didn't work 😕 

 

 

 

import subprocess

# Path to the install_certificate.cmd file
cmd_file_path = r'C:\install_certificate.cmd'

# Function to execute the CMD file
def execute_cmd_file(cmd_file_path):
    try:
        # Run CMD file
        process = subprocess.Popen(cmd_file_path, stdout=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
        output, error = process.communicate()
        
        # Check for errors
        if process.returncode == 0:
            return output.decode('utf-8')
        else:
            return f"Error: {error.decode('utf-8')}"
    except Exception as e:
        return f"An error occurred: {str(e)}"

# Example usage
if __name__ == "__main__":
    # Execute the CMD file
    result = execute_cmd_file(cmd_file_path)
    print(result)

 

 

 


Remember, all the scripts mentioned have worked in local tests. But, at this point, I accept any tips, suggestion or solution for that, pls


3 REPLIES 3

L4 Transporter

Hello @luglg100 

 

Thanks for reaching out on LiveCommunity!

Please make sure that you have fulfilled all the below prerequisites to run scripts on an endpoint.

  • Cortex XDR Pro Per Endpoint license

  • Endpoints running the Agent v7.1 and later. Since the agent uses its built-in capabilities and many available Python modules to execute the scripts, no additional setup is required on the endpoint.

  • Role with the following permissions to run and configure scripts:

    • Run Standard scripts

    • Run High-risk scripts

    • Script configuration (required to upload a new script, run a snippet, and edit an existing script)

    • Scripts (required to view the Scripts Library and the script execution results)

     

    Note: Running snippets requires both Run High-risk scripts and Script configuration permissions. Additionally, all scripts are executed as System User on the endpoint.

     

    Please click Accept as Solution to acknowledge that the answer to your question has been provided.

Hi @nsinghvirk 

Yeap, all these requirements were/are being fully filled

L4 Transporter

@luglg100 

 

Please open a support case to investigate further.

  • 629 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!