audit_from_powershell_execution

Execute a PowerShell command, script or binary (even in audit mode) and parse its output to report a success or an error.

⚙️ Compatible targets: Windows

Parameters

  Name          Documentation
  command       Command or script to execute. This parameter is required.
  successRegex  String or regular expression to compare the output with to define success. This parameter is required.

Outcome conditions

You need to replace ${command} with its actual canonified value.

  • ✅ Ok: audit_from_powershell_execution_${command}_ok
    • ☑️ Already compliant: audit_from_powershell_execution_${command}_kept
    • 🟨 Repaired: audit_from_powershell_execution_${command}_repaired
  • ❌ Error: audit_from_powershell_execution_${command}_error

Example

method: audit_from_powershell_execution
params:
  command: VALUE
  successRegex: VALUE

Documentation

Executes a command, a script or a binary, even in audit mode; piping is supported.

It will:

  • report a success if the execution succeeds and the output matches the given regex.
  • report an error otherwise.

PowerShell scripts exiting with non-zero return codes will be flagged as failed.

Note: the command will be executed even in Audit mode; it is up to you to make sure it does not impact the system at all.

Note: the regular expression/string compared to the output is not anchored and is case insensitive.

Examples:

To return success if process explorer is running, the command parameter needs to be

Get-Process | ForEach { ${const.dollar}_.ProcessName }

because the output of the command is the toString() of the generated objects, so you need to extract the relevant field yourself. The successRegex then needs to be explorer.
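The following is an added example, not Rudder's own implementation of the method: it emulates the success/error decision described above locally, so a command/regex pair can be tried on a test machine before it is put into a technique. The helper name Test-AuditCommand is assumed; note that ${const.dollar} is only the escape used inside a technique, so in plain PowerShell the command is typed with a literal $_.

```powershell
# Added example: local emulation of the method's decision logic.
# Assumed helper name: Test-AuditCommand (not part of Rudder).
function Test-AuditCommand {
    param(
        [Parameter(Mandatory)] [string] $Command,
        [Parameter(Mandatory)] [string] $SuccessRegex
    )
    $global:LASTEXITCODE = 0
    try {
        # Run the command as a pipeline (piping is supported by the method)
        # and flatten the resulting objects to their string form, since the
        # method only sees the toString() of what the command emits.
        $output = & ([scriptblock]::Create($Command)) 2>&1 | Out-String
    } catch {
        return [pscustomobject]@{ Result = 'error'; Reason = "exception: $($_.Exception.Message)"; Output = '' }
    }
    # A script or native binary exiting non-zero is flagged as failed,
    # regardless of what it printed.
    if ($LASTEXITCODE -ne 0) {
        return [pscustomobject]@{ Result = 'error'; Reason = "exit code $LASTEXITCODE"; Output = $output }
    }
    # -match is unanchored and case-insensitive by default, which mirrors
    # how the method compares successRegex against the output.
    if ($output -match $SuccessRegex) {
        return [pscustomobject]@{ Result = 'ok'; Reason = 'output matched successRegex'; Output = $output }
    }
    return [pscustomobject]@{ Result = 'error'; Reason = 'output did not match successRegex'; Output = $output }
}

# The page's example: ok when a process named explorer is running.
Test-AuditCommand -Command 'Get-Process | ForEach { $_.ProcessName }' -SuccessRegex 'explorer'

# A non-zero exit code is an error even though the regex would match the output.
Test-AuditCommand -Command 'cmd.exe /c "echo explorer & exit 3"' -SuccessRegex 'explorer'
```

Because the command really runs, use the same read-only commands here that you would accept in Audit mode.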