What are the limitations of PowerShell Script Within BigFix

Hello guys,

I am trying to create a script in BigFix. I already tested it on my computer using PowerShell and it works, but when I copied this script to BigFix, selected PowerShell, and ran it, it failed.

I am trying to remove a certain antivirus product that requires a password to remove its protection; this password can be set through the command line. It needs, of course, administrative privileges.

Then, after disabling it, it will execute msiexec.exe to remove it with the proper GUID.

I tried to send it over BigFix, using the PowerShell option, but it was not possible.

Does BigFix require admin privileges? Is it being blocked by UAC?

Is there any workaround for that?

Thanks in advance.

Are you using the built-in PowerShell script type, or using ActionScript to generate the script and then executing the PowerShell command line to run it?

The most common problem is that the 32-bit PowerShell would run by default. In ActionScript, use the command

Action uses wow64 redirection false

…to disable wow32 redirection, on any line of the ActionScript before the ‘wait’ or ‘run’ command that launches the PowerShell command.

I am trying to uninstall Cortex XDR. I know it can be done through their console, but we no longer have access to it due to licensing reasons, as we will no longer use it in our environment; instead we’ll deploy another one once we close a deal.

That being said, Cortex uses cytool.exe to receive commands. I tested that on my own machine and it worked through PowerShell; I was able to disable the anti-tampering protection.

Here’s the script I am using:

$Password = "R3d4ct3d"                                       # redacted in the post
$command = "echo $Password | .\cytool.exe protect disable"   # password is piped to cytool on stdin
$workingDirectory = "C:\Program Files\Palo Alto Networks\Traps"

# Create a new PowerShell process with elevated permissions
$psi = New-Object System.Diagnostics.ProcessStartInfo
$psi.FileName = "powershell"
$psi.Arguments = "-NoProfile -WindowStyle Hidden -Command `"$command`""
$psi.WorkingDirectory = $workingDirectory
$psi.Verb = "RunAs"            # note: ProcessStartInfo honours Verb only when UseShellExecute is $true,
$psi.CreateNoWindow = $true    # so with UseShellExecute = $false below no elevation is actually requested
$psi.UseShellExecute = $false

# Start the process and block until cytool has finished
$process = [System.Diagnostics.Process]::Start($psi)
$process.WaitForExit()

# Wait for 1 minute before executing the second code
Start-Sleep -Seconds 60

# Second code: uninstall the product by its MSI product code (GUID as posted)
$processInfo = New-Object System.Diagnostics.ProcessStartInfo
$processInfo.FileName = "msiexec.exe"
$processInfo.Arguments = "/X{BESFX-TST3HML-848F-A2D589DSWE52} /qn"   # /X = uninstall, /qn = no UI
$processInfo.WindowStyle = "Hidden"

$process = [System.Diagnostics.Process]::Start($processInfo)
$process.WaitForExit()

I just placed it in BigFix using the built-in PowerShell Script type.

When you run this manually, is it giving any pop-up messages (like the prompt for elevation)? Those would not be visible when launched by BigFix; the scripts run as LocalSystem (and are already elevated, so you can skip that step).

Just wondering if you could accomplish the desired effect by using simple ActionScript. For testing in the local FixletDebugger I would recommend using wait instead of waithidden and using /k for the CMD command instead of /c so you see any output results. The CMD syntax may need tweaking to deal with the quotes… I do not have the app on my machine to validate the syntax to that level.

action uses wow64 redirection false
parameter "password"="yourpassword"

waithidden cmd.exe /c "echo {parameter "password"} | "C:\Program Files\Palo Alto Networks\Traps\cytool.exe" protect disable"

waithidden msiexec.exe /X{{BESFX-TST3HML-848F-A2D589DSWE52} /qn
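Following the two replies above (32-bit host by default, LocalSystem with no visible prompts), here is an added diagnostic script that is not from the thread: deployed through the same PowerShell Script action type, it logs the identity, bitness and interactivity the action really gets and records a child process's exit code and output instead of hiding them in an invisible window. The log path and the cytool.exe location are assumptions.

```powershell
# Added diagnostic example (not from the thread): run it as a BigFix "PowerShell Script"
# action, then read the log to see the context the script actually executes in.
# Assumptions: the log path and the cytool.exe location below are illustrative placeholders.
$LogPath = Join-Path $env:ProgramData 'BigFix-PSContext.log'

function Get-ActionRunContext {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $pr = New-Object Security.Principal.WindowsPrincipal($id)
    [ordered]@{
        Identity       = $id.Name                        # NT AUTHORITY\SYSTEM when launched by the BES client
        IsAdmin        = $pr.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
        Is64BitOS      = [Environment]::Is64BitOperatingSystem
        Is64BitProcess = [Environment]::Is64BitProcess   # $false means the 32-bit (WOW64) host was used
        PSHome         = $PSHOME                         # a ...\SysWOW64\... path confirms the same thing
        Interactive    = [Environment]::UserInteractive  # $false: no UAC or console prompt could be answered
        CytoolFound    = Test-Path 'C:\Program Files\Palo Alto Networks\Traps\cytool.exe'
    }
}

# Start a child process with stdout/stderr captured and its exit code logged, so a
# failure shows up in the log rather than in a hidden window nobody can see.
function Invoke-LoggedProcess {
    param([string]$FilePath, [string]$Arguments, [string]$WorkingDirectory = $PWD.Path)
    $psi = New-Object System.Diagnostics.ProcessStartInfo
    $psi.FileName = $FilePath
    $psi.Arguments = $Arguments
    $psi.WorkingDirectory = $WorkingDirectory
    $psi.UseShellExecute = $false          # required for redirection; in this mode Verb = "RunAs" would be ignored
    $psi.RedirectStandardOutput = $true
    $psi.RedirectStandardError = $true
    $psi.CreateNoWindow = $true
    $p = [System.Diagnostics.Process]::Start($psi)
    $out = $p.StandardOutput.ReadToEnd()   # drain the pipes before WaitForExit to avoid a full-buffer deadlock
    $err = $p.StandardError.ReadToEnd()
    $p.WaitForExit()
    $stamp = Get-Date -Format s
    Add-Content -Path $LogPath -Value "[$stamp] $FilePath $Arguments => exit $($p.ExitCode)`n$out$err"
    return $p.ExitCode
}

$ctx = Get-ActionRunContext
$line = ($ctx.GetEnumerator() | ForEach-Object { '{0}={1}' -f $_.Key, $_.Value }) -join '; '
Add-Content -Path $LogPath -Value "[$(Get-Date -Format s)] $line"
# Harmless probe: proves exit codes and output are captured before wiring in the real steps
$code = Invoke-LoggedProcess -FilePath 'cmd.exe' -Arguments '/c ver'
exit $code
```

The exit code is returned to the BES client, so a non-zero result marks the action as failed in the console rather than silently "completing".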

Bro, how can you be that good?

So simple, yet so functional.

It worked!

I used the fixlet to test and I got it working.

Thank you very much for your help, also big thanks @JasonWalker!
