audit_from_powershell_execution

Execute a PowerShell command, script or binary (even in audit mode) and parse its output to report a success or an error.

⚙️ Compatible targets: Windows

Parameters

Name          Documentation
command       Command or script to execute. This parameter is required.
successRegex  String or regular expression to compare the output with to define success. This parameter is required.

Example

method: audit_from_powershell_execution
params:
  command: VALUE
  successRegex: VALUE

Documentation

Execute either a command, a script or a binary, even in audit mode; piping is supported.

It will:

  • report a success if the execution succeeds and the output matches the given regex.
  • report an error otherwise.

PowerShell scripts exiting with a non-zero return code are flagged as failed, whatever their output.

Note: the command is executed even in Audit mode; it is up to you to make sure it does not modify the system in any way.

Note: the regular expression or string compared with the output is not anchored and is case-insensitive, so a match anywhere in the output counts as success.

Examples:

To report success if the explorer process is running, the command parameter needs to be

Get-Process | ForEach { ${const.dollar}_.ProcessName }

because the output of the command is a toString() of the generated objects, so you need to extract the relevant data yourself. The successRegex parameter then needs to be explorer.
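The decision rule described above (non-zero exit code means error; otherwise an unanchored, case-insensitive search of the output for successRegex) is small enough to reproduce, which makes it easy to check a regex against a captured output before putting it in a technique. The following Python is an added illustration, not code from Rudder: `audit_result` is a hypothetical function that mirrors the documented rule using only the two facts the page states (unanchored, case-insensitive), and `run_powershell_audit` wraps it around a real `powershell.exe` invocation, which assumes `powershell.exe` is on the PATH of a Windows host. The sample process list is constructed.

```python
import re
import subprocess


def audit_result(exit_code: int, output: str, success_regex: str) -> str:
    """Mirror the documented outcome of audit_from_powershell_execution.

    - a non-zero exit code is reported as an error, whatever the output;
    - otherwise the output is searched (not anchored) for success_regex,
      case-insensitively, and a hit is reported as success.
    Only IGNORECASE is used; whether the real implementation treats the
    output line by line is not stated on the page, so it is not assumed here.
    """
    if exit_code != 0:
        return "error"
    # re.search rather than re.fullmatch: the pattern may appear anywhere.
    if re.search(success_regex, output, flags=re.IGNORECASE):
        return "success"
    return "error"


def run_powershell_audit(command: str, success_regex: str) -> str:
    """Run a PowerShell command on Windows and evaluate it with audit_result.

    Assumes powershell.exe is on PATH. -NoProfile and -NonInteractive keep the
    run reproducible; the ${const.dollar} escaping used in technique files is
    not needed when the command is passed directly like this.
    """
    proc = subprocess.run(
        ["powershell.exe", "-NoProfile", "-NonInteractive", "-Command", command],
        capture_output=True,
        text=True,
        check=False,  # a non-zero exit code is a result, not an exception
    )
    return audit_result(proc.returncode, proc.stdout, success_regex)


# Constructed stand-in for what the Get-Process | ForEach pipeline prints.
SAMPLE_PROCESS_NAMES = "svchost\nexplorer\nNotepad\n"


if __name__ == "__main__":
    print(audit_result(0, SAMPLE_PROCESS_NAMES, "explorer"))    # success
    print(audit_result(0, SAMPLE_PROCESS_NAMES, "EXPLORER"))    # success: case-insensitive
    print(audit_result(1, SAMPLE_PROCESS_NAMES, "explorer"))    # error: non-zero exit code
    print(audit_result(0, SAMPLE_PROCESS_NAMES, "chrome"))      # error: no match
    # Anchors you write yourself still apply: this one only matches at the
    # very start of the whole output, so it does not find the second line.
    print(audit_result(0, SAMPLE_PROCESS_NAMES, "^explorer$"))  # error
    # On a Windows host this runs the real check from the example above:
    # print(run_powershell_audit("Get-Process | ForEach { $_.ProcessName }", "explorer"))
```

Because the match is unanchored, a short regex such as `explorer` would also match a longer name containing it; narrow the pattern (for example `(^|\n)explorer(\r?\n|$)`) when an exact process name is required.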