IS there any way to retrieve a value in IEM using a command line.
For eg I want to create an analysis that return the value of command W32TM /query /status
Is there any format I can use or alternative. Any assist would be appreciated.
Hello!
In order to achieve this, you must create an action that outputs the value of the command to some location (file? registry?) then return the value of the location using an analysis. Relevance language is designed to NOT be able to execute commands against a given endpoint as a security measure.
Thanks aram. By any chance do u have the commands for the actions and relevance you mentioned or atleast direct me to the right forum to get it.
thanks
You are going to need to create a Task to execute your command and capture the output to a file.
I’ve done similar things in the past retrieving the status of PGP encryption. I’ve always pulled the data into a client setting so I don’t have to worry about files vanishing. I later pull the value of the setting back with an Analysis.
To do this, create a Task with your desired Targeting Relevance.
The action script should look like …
delete w32tm.txt
waithidden W32TM /query /status > w32tm.txt
if {(exists file “w32tm.txt”)}
if {(exists lines of file “w32tm.txt”)}
setting “W32tmStatus”=“{lines of file “w32tm.txt”}” on “{now}” for client
else
setting “W32tmStatus”=“#NO LINES#” on “{now}” for client
endif
else
setting “W32tmStatus”=“#NO RESULTS#” on “{now}” for client
endif
You can then use an Analysis to return the values of the “W32tmStatus” setting.
2 Likes
I’m having trouble with the task to create the file.
This does not work.
delete w32tm.txt
waithidden W32TM /query /status > w32tm.txt
This works in PowerShell and in BigFix as PowerShell. For some reason it’s removing my backslashes when I post here but they are there, I can even see it as I’m editing.
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
However when I take a BigFix Action Script and run as PowerShell every line completes but it never creates the file. I also added start-transcript and it never even creates the transcript file.
if {not exists folder "C:\@oneneck"}
folder create "c:\@oneneck"
continue if {exists folder "C:\@oneneck"}
//1. Save old ExecutionPolicy value
parameter "PolicyExisted"="{exists value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry)}"
parameter "oldExecutionPolicy"="{if (parameter "PolicyExisted" as boolean) then (value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry) as string) else ""}"
//2. set to ExecutionPolicy=Unrestricted and Pull PowerShell exe from registry... if 64bit then pull PowerShell x64
if {x64 of operating system}
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}"
else
//we need to determine what the current execution policy is so we can put it back when we're done.
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of registry}"
endif
//3. Create PowerShell Script and save to ps1 file
delete __createfile
delete time.ps1
createfile until END_OF_FILE
Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Stop-Transcript
END_OF_FILE
move __createfile time.ps1
action uses wow64 redirection false
waithidden "{parameter "PowerShellexe"}" -file "{pathname of client folder of current site}\time.ps1"
//4. Restore ExecutionPolicy back
if {x64 of operating system}
if {parameter "PolicyExisted" as boolean}
regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
else
regdelete64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
endif
else
if {parameter "PolicyExisted" as boolean}
regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
else
regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
endif
endifHere are the results. Again, don’t know why this forum is removing the \ when I post. It should be c:@oneneck
The action executed successfully.
This action has been applied 1 time and will not be applied again.
Status Completed
Start Time 02/23/22 09:25:47
End Time 02/23/22 09:25:47
Exit Code None
Action Script Execution Detail
Completed if {not exists folder "C:\@oneneck"}
Completed folder create "c:\@oneneck"
Completed continue if {exists folder "C:\@oneneck"}
Completed //1. Save old ExecutionPolicy value
Completed parameter "PolicyExisted"="{exists value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry)}"
Completed parameter "oldExecutionPolicy"="{if (parameter "PolicyExisted" as boolean) then (value "ExecutionPolicy" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of (if exists x64 registry then x64 registry else registry) as string) else ""}"
Completed //2. set to ExecutionPolicy=Unrestricted and Pull PowerShell exe from registry... if 64bit then pull PowerShell x64
Completed if {x64 of operating system}
Completed regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
Completed parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}"
Completed else
Completed //we need to determine what the current execution policy is so we can put it back when we're done.
Completed regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="Unrestricted"
Completed parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of registry}"
Completed endif
Completed //3. Create PowerShell Script and save to ps1 file
Completed delete __createfile
Completed delete time.ps1
Completed createfile until END_OF_FILE
Completed
Completed Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Completed Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
Completed W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Completed Stop-Transcript
Completed
Completed END_OF_FILE
Completed move __createfile time.ps1
Completed action uses wow64 redirection false
Completed waithidden "{parameter "PowerShellexe"}" -file "{pathname of client folder of current site}\time.ps1"
Completed //4. Restore ExecutionPolicy back
Completed if {x64 of operating system}
Completed if {parameter "PolicyExisted" as boolean}
Completed regset64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
Completed else
Completed regdelete64 "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
Completed endif
Completed else
Completed if {parameter "PolicyExisted" as boolean}
Completed regset "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"="{parameter "oldExecutionPolicy"}"
Completed else
Completed regdelete "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell]" "ExecutionPolicy"
Completed endif
Completed endif
Apparently it works like this
waithidden cmd.exe /c “w32tm.exe /query /status > c:@oneneck\timesource.txt”
I usually run bat files and then dump to the registry. Then use analysis to read the data.
Use the createfile until to create your batch file so you dont have to do the prefetch
The Batch file…
Execute it then pull the data from the registry in an analysis
2 Likes
The backslash thing is because the forum is interpreting your text as Markdown tags. Use the ‘Code’ format when pasting your scripts…highlight the code text and select the "</>" format button.
1 Like
Yes that’s the right way…output redirection is a function of the shell, so you need to launch the CMD shell to get the output redirection options.
Any idea why it was failing running in PowerShell under the BigFix action script but not running in the new PowerShell mode in BigFix? That’s the one that has me confused. Preformatted text
This should have been written to a ps1 file and executed but it’s like the file was blank. It’s almost like there was a character that made it escape but when I saw that in the past I would get a fail on the line. In the past the issue I had was with { making the line fail so I just had to {{ to escape the relevance.
Completed Remove-Item -Path “C:@oneneck\w32tm.txt” -ErrorAction SilentlyContinue
Completed W32TM /query /status | out-file -FilePath “c:@oneneck\w32tm.txt”
I’m afraid I’m not all that well-versed on PowerShell, but is C:@oneneck a valid path, or does that need to be C:@oneneck or c:\oneneck maybe?
The path is valid. It got edited here. C:\@oneneck
It worked when I changed it from BigFix action script to PowerShell. You can see above what I did with the BF action script. I copied and pasted all that from another action script I used and just changed the PowerShell inside the createfile section. So that one has me completely baffled.
Ok I went back and edited your old posts to put the code tags in.
Does the “C:\@oneneck” path already exist before you run your action? If the directory doesn’t exist, you’ll need to create it before trying to write a file in it - from a quick test I ran, PowerShell won’t automatically create the folder path for you.
It’s not clear to me whether you’re using the right ActionScript Types.
If you’re running this as the PowerShell script type, you can’t mix ActionScript commands like ‘if {condition}’ - with the PowerShell script type, you would include only PowerShell script commands, no ActionScript, no Relevance Substitutions, no ‘createfile’ commands, or any of that.
If you’re running this as the ActionScript script type, where you build the PowerShell script using ‘createfile’ and then execute it via PowerShell.exe…instead of all that business about saving the ExecutionPolicy, changing it, and then restoring it after, it’s far easier to just bypass the policy on the command line like
waithidden "{parameter "PowerShellexe"}" -ExecutionPolicy Bypass -file "{pathname of client folder of current site}\time.ps1"
When I run this as BigFix ActionScript, it works. You don’t need to check whether the “`c:@oneneck’” folder exists, just use the ‘folder create’ command and it will be created if it’s missing, or skipped if the folder already exists.
delete __createfile
delete time.ps1
folder create C:\@oneneck
parameter "PowerShellexe"="{value "Path" of key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell" of x64 registry}"
createfile until END_OF_FILE
Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Stop-Transcript
END_OF_FILE
move __createfile time.ps1
action uses wow64 redirection false
waithidden "{parameter "PowerShellexe"}" -ExecutionPolicy Bypass -file "{pathname of client folder of current site}\time.ps1"
Likewise, if I execute this action with the Action Type set to PowerShell, it also works (note I create the C:\@oneneck folder as part of the Powershell script)
mkdir c:\@oneneck
Start-Transcript -path "C:\@oneneck\w32transcript.txt" -verbose
Remove-Item -Path "C:\@oneneck\w32tm.txt" -ErrorAction SilentlyContinue
W32TM /query /status | out-file -FilePath "c:\@oneneck\w32tm.txt"
Stop-TranscriptThank you Jason.
My coworker set up debugging and said there was something going on with the if statement. The odd this is I copied and pasted this all from a working BigFix task. It’s worked on dozens of other tasks but wasn’t happy with this one. I’ll clean this up though. Thank you for the help.
Usually this is because Powershell will not run unsigned scripts unless you tell it to. See:
The downside of using the built in poweshell support is that you cannot do relevance substitution in it.
1 Like