Script Examples for Endpoint Privilege Management Power Rules

The scripting examples show you how to use some of the more common cmdlets available to you. Change the path in the examples to point to your instance of Power Rules.

Variables, Enable and Catch Logs, Audit Events, Request User Input, and Messages
#Enables logging to file
#Shows business justification dialog and outputs result to log file
#Utilizes Set-ScriptProperty to show name, version and output on event

#Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

#Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

#Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json'

#Set the logging file and location
Set-PRLogSettings -LogToFile $true -LogFilePath "C:\Temp\examplescriptlog.log"

#Declare two variables for the program name and program path
$ProgramName = Get-PRVariable -Name "PG_PROG_NAME"
$ProgramPath = Get-PRVariable -Name "PG_PROG_PATH"

#Declare a new variable for the result of the business justification and dialog result
$businessJustificationDialogResult = Show-PRBusinessJustificationDialog -LabelHeader "Please enter a business justification for why you need to run $ProgramName" -Title "Business justification for launching application"

#If the user clicked 'OK', write the business justification they entered to the log file 
If ($businessJustificationDialogResult.DialogResult -eq 'OK') 
{
    Write-PRLog -Message ("Business Justification: {0}" -f $businessJustificationDialogResult.BusinessJustification)
}

#If the user clicked 'Cancel', write the message and $ProgramName out to the log file
ElseIf ($businessJustificationDialogResult.DialogResult -eq 'Cancel') 
{
    Write-PRLog -Message ("User chose to cancel the launch of $ProgramName") 
}

#Sets the script properties, program name and program path to show on events
Set-PRScriptProperty -ScriptName "Example Power Rules Script" -ScriptVersion "1.0.0" -ScriptOutput "User attempted to launch $ProgramName from $ProgramPath"

Variables, Enable and Catch Logs, Change Rule Behavior, and Messages

This example uses the message and token names in the QuickStart policy for Windows version 5.3. Please ensure you import this template into Endpoint Privilege Management prior to running this script.

#Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

#Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

#Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json'

#Sets the logging to file and to the console
Set-PRLogSettings -LogToFile $true -LogFilePath "C:\Temp\examplescriptlog.log" 
Set-PRLogSettings -LogToConsole $true

#Declare a new variable for the program path 
$ExecutingProgramPath = Get-PRVariable -Name "PG_PROG_PATH"

#Declare a new variable for the string 'cmd.exe'
$ProgramNameToMatch = 'cmd.exe' 

#Display a message to the user 
Show-PRMessageDialog -Title 'Rule Script Dialog' -LabelHeader "You just ran: $ExecutingProgramPath. This script will block $ProgramNameToMatch" -ButtonOK 'OK'

#Check to see if the variable $ExecutingProgramPath contains 'cmd.exe'
#Note: String.Contains is a case-sensitive substring match over the whole path
if($ExecutingProgramPath.Contains($ProgramNameToMatch))
{
    #Set the action to block and the message to the Block Message
    Set-PRRuleProperty -Action 'Block' -Message 'Block Message'
    Write-PRLog -Message 'This application was blocked'
}
else
{
    #Set the action to allow, the message to the Allow Message (Yes / No) and the Token 
    #to the Avecto Support Token
    Set-PRRuleProperty -Action 'Allow' -Message 'Allow Message (Yes / No)' `
    -Token 'Custom' -TokenName 'Avecto Support Token'
    Write-PRLog -Message 'This application was allowed to run'
}
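
The check in the script above uses String.Contains, which is case-sensitive and matches anywhere in the path, so it can miss a differently cased file name and can match a directory or longer file name that merely contains the string. The following is an added example, not part of the vendor's script: the helper name Test-ProgramLeafName and the sample paths are constructed for illustration, and it uses only built-in PowerShell rather than the Power Rules cmdlets.

```powershell
# Added example: hypothetical helper, not part of the PRInterface module.
# Returns $true only when the file name at the end of $Path equals $LeafName,
# ignoring case.
function Test-ProgramLeafName {
    param(
        [Parameter(Mandatory)][AllowEmptyString()][string]$Path,
        [Parameter(Mandatory)][string]$LeafName
    )

    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }

    # Remove surrounding whitespace and quotes, then keep the last path segment.
    $clean = $Path.Trim().Trim('"')
    $leaf  = ($clean -split '[\\/]')[-1]

    # Windows file names are case-insensitive, so compare without regard to case.
    return [string]::Equals($leaf, $LeafName, [System.StringComparison]::OrdinalIgnoreCase)
}

# Constructed sample paths (not taken from a real endpoint).
$samples = @(
    'C:\Windows\System32\cmd.exe',
    'C:\Windows\System32\CMD.EXE',
    'C:\Tools\cmd.exe.bak\notepad.exe',
    'C:\Tools\mycmd.exe'
)

# Show the original substring check next to the file-name comparison.
foreach ($p in $samples) {
    [pscustomobject]@{
        Path          = $p
        ContainsMatch = $p.Contains('cmd.exe')
        LeafMatch     = Test-ProgramLeafName -Path $p -LeafName 'cmd.exe'
    }
}
```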

Use the PRInterface and PRTestHarness Modules as well as a Settings file to get the Challenge Code

#Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

#Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

#Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json' 

Get-PRChallengeCode

Use the Set-PRRunAsProperty and a Settings file

Ensure the Settings file is present in the location you specify in the -TestSettings parameter for DefendpointAccessor.

Settings File

{   
   "Account": {
      "UserName": "Stan",
      "Password": "Stan"
    }
}

#Import the PRInterface
Import-Module 'C:\PowerRules\Output\PRInterface\PRInterface.psd1'

#Import the PRTestHarness
Import-Module 'C:\PowerRules\Output\PRTestHarness\PRTestHarness.psd1'

#Instantiate PRTestHarness
$global:DefendpointAccessor = New-PRTestHarness -TestConfig 'C:\PowerRules\Output\PRTestHarness\AddAdmin_ExampleApp.json' -TestSettings "C:\PowerRules\Settings.json"

# Get Account details from settings file (which is encrypted on endpoint)
$Settings = Get-PRScriptSettings
$AccountName = $Settings.Account.UserName
$Password = $Settings.Account.Password

# Set script properties to appear in audit events
Set-PRScriptProperty -ScriptName "Run As Demo" -ScriptVersion "1.0.0" -ScriptOutput "Running as $AccountName"

#Set RunAs account properties
Set-PRRunAsProperty -Username "$AccountName" -Password "$Password"

#Set Rule Properties to run
Set-PRRuleProperty -Action "Allow" -Token "Passive"