Script Examples for Endpoint Privilege Management Power Rules
The scripting examples below show how to use some of the more common Power Rules cmdlets. Change the paths in the examples to point to your own Power Rules installation (the `PRInterface` and `PRTestHarness` modules and the test configuration JSON).
```powershell
# Enables logging to file
# Shows the business justification dialog and writes the result to the log file
# Uses Set-PRScriptProperty to show the script name, version and output on the event

# Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

# Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

# Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json'

# Set the logging file and location
Set-PRLogSettings -LogToFile $true -LogFilePath "C:\Temp\examplescriptlog.log"

# Declare two variables for the program name and program path
$ProgramName = Get-PRVariable -Name "PG_PROG_NAME"
$ProgramPath = Get-PRVariable -Name "PG_PROG_PATH"

# Declare a new variable for the result of the business justification dialog
$businessJustificationDialogResult = Show-PRBusinessJustificationDialog -LabelHeader "Please enter a business justification for why you need to run $ProgramName" -Title "Business justification for launching application"

# If the user clicked 'OK', write the business justification they entered to the log file
If ($businessJustificationDialogResult.DialogResult -eq 'OK') {
    Write-PRLog -Message ("Business Justification: {0}" -f $businessJustificationDialogResult.BusinessJustification)
}
# If the user clicked 'Cancel', write the message and $ProgramName out to the log file
ElseIf ($businessJustificationDialogResult.DialogResult -eq 'Cancel') {
    Write-PRLog -Message ("User chose to cancel the launch of $ProgramName")
}

# Set the script properties (name, version and output) to show on events
Set-PRScriptProperty -ScriptName "Example Power Rules Script" -ScriptVersion "1.0.0" -ScriptOutput "User attempted to launch $ProgramName from $ProgramPath"
```
The next example uses the message and token names defined in the QuickStart policy for Windows, version 5.3 ('Block Message', 'Allow Message (Yes / No)' and the 'Avecto Support Token'). Import that template into Endpoint Privilege Management before running the script, otherwise the named message and token will not resolve.
```powershell
# Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

# Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

# Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json'

# Set logging to file and to the console
Set-PRLogSettings -LogToFile $true -LogFilePath "C:\Temp\examplescriptlog.log"
Set-PRLogSettings -LogToConsole $true

# Declare a new variable for the program path
$ExecutingProgramPath = Get-PRVariable -Name "PG_PROG_PATH"

# Declare a new variable for the string 'cmd.exe'
$ProgramNameToMatch = 'cmd.exe'

# Display a message to the user
Show-PRMessageDialog -Title 'Rule Script Dialog' -LabelHeader "You just ran: $ExecutingProgramPath. This script will block $ProgramNameToMatch" -ButtonOK 'OK'

# Check to see if the variable $ExecutingProgramPath contains 'cmd.exe'
if ($ExecutingProgramPath.Contains($ProgramNameToMatch)) {
    # Set the action to block and the message to the Block Message
    Set-PRRuleProperty -Action 'Block' -Message 'Block Message'
    Write-PRLog -Message 'This application was blocked'
}
else {
    # Set the action to allow, the message to the Allow Message (Yes / No) and the Token
    # to the Avecto Support Token
    Set-PRRuleProperty -Action 'Allow' -Message 'Allow Message (Yes / No)' `
        -Token 'Custom' -TokenName 'Avecto Support Token'
    Write-PRLog -Message 'This application was allowed to run'
}
```
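The script above decides with `$ExecutingProgramPath.Contains('cmd.exe')`, which is a case-sensitive .NET substring test: a path such as `C:\Windows\System32\CMD.EXE` would not match, while any path that merely contains the text `cmd.exe` (for example a folder name) would. The following is an added example, not code from the original page or from BeyondTrust, showing the same block/allow decision made on the executable's file name only, with a case-insensitive comparison and a fail-closed default when no path is supplied. It assumes the same module, test-configuration and log paths as the page, and the `$BlockedFileNames` list is constructed for the example.

```powershell
# Added example: hardened version of the cmd.exe block rule (not from the original page).
# Assumes the PRInterface/PRTestHarness modules and AddAdmin_ExampleApp.json live at the
# same paths the page uses.
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json'

Set-PRLogSettings -LogToFile $true -LogFilePath "C:\Temp\examplescriptlog.log"
Set-PRLogSettings -LogToConsole $true

# Constructed list for this example: executables to block, compared by file name only
$BlockedFileNames = @('cmd.exe', 'powershell.exe')

$ExecutingProgramPath = Get-PRVariable -Name "PG_PROG_PATH"

# Take only the leaf (file name) of the path so directory names cannot influence the match.
# Split-Path -Leaf returns the last path component; on an empty path it stays empty.
$FileName = ''
if (-not [string]::IsNullOrWhiteSpace($ExecutingProgramPath)) {
    $FileName = Split-Path -Path $ExecutingProgramPath -Leaf
}

if ([string]::IsNullOrWhiteSpace($FileName)) {
    # Fail closed: with no usable program path the rule cannot decide, so block rather than allow
    Set-PRRuleProperty -Action 'Block' -Message 'Block Message'
    Write-PRLog -Message 'No program path supplied to the rule; blocking by default'
}
elseif ($BlockedFileNames -contains $FileName) {
    # PowerShell's -contains uses -eq semantics, which are case-insensitive,
    # so 'CMD.EXE' and 'cmd.exe' are treated the same
    Set-PRRuleProperty -Action 'Block' -Message 'Block Message'
    Write-PRLog -Message ("Blocked '{0}' (file name '{1}' is on the block list)" -f $ExecutingProgramPath, $FileName)
}
else {
    Set-PRRuleProperty -Action 'Allow' -Message 'Allow Message (Yes / No)' `
        -Token 'Custom' -TokenName 'Avecto Support Token'
    Write-PRLog -Message ("Allowed '{0}'" -f $ExecutingProgramPath)
}
```

Run it through the test harness exactly as the page's scripts are run; the only behavioural differences are the file-name comparison, the case-insensitive match, and the explicit block when `PG_PROG_PATH` is empty.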
```powershell
# Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

# Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

# Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json'

# Retrieve the challenge code for the current application launch
Get-PRChallengeCode
```
Ensure the settings file is present at the location you pass in the `-TestSettings` parameter of `New-PRTestHarness` when instantiating `DefendpointAccessor`.
Settings File
```json
{
  "Account": {
    "UserName": "Stan",
    "Password": "Stan"
  }
}
```
```powershell
# Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

# Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

# Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json' -TestSettings "C:\PowerRules\Settings.json"

# Get account details from the settings file (which is encrypted on the endpoint)
$Settings = Get-PRScriptSettings
$AccountName = $Settings.Account.UserName
$Password = $Settings.Account.Password

# Set script properties to appear in audit events
Set-PRScriptProperty -ScriptName "Run As Demo" -ScriptVersion "1.0.0" -ScriptOutput "Running as $AccountName"

# Set RunAs account properties
Set-PRRunAsProperty -Username "$AccountName" -Password "$Password"

# Set rule properties to run
Set-PRRuleProperty -Action "Allow" -Token "Passive"
```
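The run-as script above sets the rule to `Allow` unconditionally, so if the settings file is missing, unreadable, or lacks the `Account` keys, the application is still allowed with empty run-as credentials. The following is an added example, not code from the original page or from BeyondTrust, that reads the same `Account.UserName` / `Account.Password` keys from the page's settings file, blocks when they are absent, and keeps the password out of the log and the audit event's script output. It assumes the same module, test-configuration and `Settings.json` paths as the page, and the `Block Message` name from the QuickStart policy used earlier on the page.

```powershell
# Added example: fail-closed variant of the run-as script (not from the original page).
# Assumes the same module, test config and Settings.json paths as the page.
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json' -TestSettings "C:\PowerRules\Settings.json"

Set-PRLogSettings -LogToFile $true -LogFilePath "C:\Temp\examplescriptlog.log"

# Read the account from the (endpoint-encrypted) settings file; key names match the page's Settings.json
$Settings = Get-PRScriptSettings
$AccountName = $Settings.Account.UserName
$Password = $Settings.Account.Password

if ([string]::IsNullOrWhiteSpace($AccountName) -or [string]::IsNullOrWhiteSpace($Password)) {
    # Fail closed: no usable credentials means no run-as launch. Block instead of allowing
    # with an empty account, and record why in the audit event (no secret is included).
    Set-PRScriptProperty -ScriptName "Run As Demo" -ScriptVersion "1.0.0" -ScriptOutput "Settings file did not supply an account; launch blocked"
    Set-PRRuleProperty -Action "Block" -Message "Block Message"
    Write-PRLog -Message "Account details missing from settings file; blocking"
}
else {
    # Only the account name goes to the audit event and the log; the password is passed
    # solely to Set-PRRunAsProperty and never written out.
    Set-PRScriptProperty -ScriptName "Run As Demo" -ScriptVersion "1.0.0" -ScriptOutput "Running as $AccountName"
    Set-PRRunAsProperty -Username $AccountName -Password $Password
    Set-PRRuleProperty -Action "Allow" -Token "Passive"
    Write-PRLog -Message "Run-as account configured for $AccountName"
}
```

Because `$null.Account.UserName` evaluates to `$null` in PowerShell's default (non-strict) mode, a missing or empty settings file lands in the block branch rather than throwing part-way through the rule.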