audit_from_powershell_execution
Execute a Powershell command, script or binary (even in audit mode) and parse its output to report a succes or an error.
⚙️ Compatible targets: Windows
Parameters
| Name | Documentation |
|---|---|
| command | Command or script to execute. This parameter is required. |
| successRegex | String or regular expression to compare the output with to define success. This parameter is required. |
Example
method: audit_from_powershell_execution
params:
successRegex: VALUE
command: VALUE
Documentation
Execute either a command, a script or a binary even in audit mode - it supports piping.
It will:
- report a success if the execution succeeds and the output matches the given regex.
- report an error otherwise.
Powershell scripts exiting with non-zero return codes will be flagged as failed.
Note: the command will be executed even in Audit mode, it is up to you to make sure it does not impact the system at all.
Note: the regular expression/string to compare to the output are not anchored and are case insensitive.
Examples:
To return success if process explorer is running, the command parameter needs to be
Get-Process | ForEach { ${const.dollar}_.ProcessName }
as the output of the command is a toString() on the generated objects, so you need to extract the relevant data. And the successRegex needs to be explorer.