Data Loss Prevention

  • 1.  Part II - How does DLP enforce server invoke Powershell lookup script

    Posted Jan 02, 2014 02:25 PM

     

    Happy New Year!!!

     

    I am creating a new thread based on https://www-secure.symantec.com/connect/forums/how-simulate-way-dlp-enforce-calls-dlp-look-script

     

    Based on the Tomcat logs, it seems that the DLP Enforce server is invoking the lookup script from the Windows command line (Start > Run > type "cmd").

     

    I created two PowerShell scripts. The first script invokes the second script using elevated credentials, so that I don't need to use the credentials file in the DLP Enforce server.

     

    Script1.ps1 calls Script2.ps1 with elevated credentials and passes in the argument $Sender_IP:

     

    # Script1.ps1: parse the key=value attributes Enforce passes, pull out sender-ip,
    # then run Script2.ps1 under the privileged account and relay whatever it prints.
    $startInfo   = $null
    $process     = $null
    $userId      = $null
    $line_array  = @()
    $multi_array = @()
    [hashtable]$my_hash = @{}
    $Sender_IP   = $null
    $key         = $null
    $value       = $null

    <# Password file created beforehand with:
         read-host -assecurestring | convertfrom-securestring | out-file D:\Script\cred.txt
       Without -Key, ConvertFrom-SecureString protects the text with DPAPI, so it can only be
       decrypted by the same Windows account, on the same machine, that wrote the file. #>
    $password = Get-Content D:\Script\cred.txt | ConvertTo-SecureString

    #########################################################################

    # Enforce passes one "key=value" string per argument. When testing from an unquoted cmd.exe
    # line the values get split on spaces instead, so re-join those and split on the commas.
    if (@($args | Where-Object { $_ -notmatch '=' }).Count -eq 0) {
        $line_array = @($args)
    }
    else {
        $line_array = ($args -join " ").Split(",")
    }

    foreach ($j in $line_array) {
        # split on the first '=' only, so a value that itself contains '=' stays intact
        $multi_array += ,@($j -split '=', 2)
    }

    foreach ($k in $multi_array) {
        if ($k.Count -lt 2) { continue }      # token without '=' (for example a trailing empty string)
        $key   = $k[0].Trim()
        $value = $k[1].Trim()
        $my_hash[$key] = $value               # indexer assignment: a repeated key overwrites instead of throwing
    }

    $Sender_IP = $my_hash["sender-ip"]

    #########################################################################

    # Launch Script2.ps1 as the privileged account and capture its stdout.
    $startInfo = New-Object System.Diagnostics.ProcessStartInfo
    $startInfo.FileName  = "powershell.exe"
    $startInfo.Arguments = "-noninteractive -windowstyle hidden -noprofile D:\SymantecDLP\Protect\script2.ps1 " + $Sender_IP

    $startInfo.RedirectStandardOutput = $true
    $startInfo.UseShellExecute = $false       # required both for redirection and for running as another user
    $startInfo.CreateNoWindow  = $true        # nothing to show when launched from a service
    $startInfo.UserName = "system_logon"
    $startInfo.Domain   = "Contoso"
    $startInfo.Password = $password           # SecureString from the DPAPI-protected file above

    $process = New-Object System.Diagnostics.Process
    $process.StartInfo = $startInfo
    $process.Start() | Out-Null
    $userId = $process.StandardOutput.ReadToEnd()   # read before WaitForExit to avoid a full-pipe deadlock
    $process.WaitForExit()

    return $userId
       

     

     

     Here is Script2.ps1, which takes $Sender_IP from Script1.ps1 and returns $userId to Script1.ps1:

     

     

    # Script2.ps1: runs as the privileged account. Takes the sender IP as its single argument,
    # works out the most recent user profile on that machine and prints "userId=DOMAIN\user".
    $Sender_IP = $null
    $Win32OS   = $null
    $SysDrv    = $null
    $userId    = $null

    # Script1.ps1 passes the bare IP address as the one and only argument.
    $Sender_IP = [string]$args[0]

    try{
        Test-Connection $Sender_IP -Count 1 -ErrorAction Stop | Out-Null
    }
    catch [Exception]
    {
        $userId = "userId=CannotPing"
        return $userId
    }

    # One WMI query is enough (the original issued the same Win32_OperatingSystem call twice).
    # Remote WMI needs admin rights on the target, which is why Script1 runs this as system_logon.
    try{
        $Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP -ErrorAction Stop
    }
    catch [Exception]{
        $userId = "userId=CannotAuthenticate"
        return $userId
    }

    # Build the admin-share path to the profile root: C: becomes \\<ip>\C$\Users
    $SysDrv  = $Win32OS.SystemDrive.Replace(':', '$')
    $ProfDrv = "\\" + $Sender_IP + "\" + $SysDrv
    $ProfLoc = Join-Path -Path $ProfDrv -ChildPath "Users"

    if (!(Test-Path $ProfLoc)){
        # pre-Vista profile root
        $ProfLoc = Join-Path -Path $ProfDrv -ChildPath "Documents and Settings"
    }

    # Heuristic: the most recently written profile folder belongs to the last user.
    # Shared profiles (All Users, Public, Default) can win this sort too; the check below handles "All Users".
    try{
        $userId = Get-ChildItem $ProfLoc | ? { $_.PsIsContainer } | Sort LastWriteTime -Descending | Select -Expand Name -First 1
        $userId = "userId=Contoso\" + $userId
    }catch [Exception]
    {
        $userId = "userId=CannotFindLastUser"
        return $userId
    }

    if ($userId -eq "userId=Contoso\All Users"){
        # Fall back to whoever is logged on right now. Win32_ComputerSystem.UserName already
        # comes back as DOMAIN\user, so it must not be prefixed a second time.
        $userId = (Get-WmiObject Win32_ComputerSystem -ComputerName $Sender_IP -ErrorAction SilentlyContinue).UserName
        if ($userId -eq $null){
            $userId = "userId=Contoso\All Users"
        }
        else{
            $userId = "userId=" + $userId
        }
        return $userId
    }
    else{
        return $userId
    }

     

     

    Now, when I invoke Script2.ps1 at the command prompt:

     

    C:\> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe D:\SymantecDLP\Protect\Script2.ps1 Manager Last Name=Doe, discover-location=null, protocol=Clipboard, Resolution=null, file-owner=rpatel, sender-ip=10.10.10.10, Employee Type=External Employee, endpoint-file-path=null, Title=null, discover-extraction-date=null, Manager Business Unit=IT Services, Manager Phone=414-555-5555, Username=rpatel, Division=Contractor, file-created-by=DOMAIN\rpatel, file-owner-domain=DOMAIN

    It outputs the following to the command prompt:


    userId=Contoso\dsmith

     

    So far, so good.

     

     

    Now, I try to plug this into the DLP Enforce server with the following options:

    *********************************************************************************************************

    Script Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

    Arguments: -NonInteractive,-ExecutionPolicy, ByPass,-InputFormat,none,-File,D:\SymantecDLP\Protect\Script2.ps1

     

    And I UNCHECK the following options:

    Enable stdin

    Enable stdout

    Enable protocol filtering

    Enable credentials 

     

    *********************************************************************************************************

     

    Now when I load the plugin and press lookup based on IP address, the userId field is blank.

     

     

    And when I check the Tomcat logs I get the following:

     

    02 Jan 2014 13:50:36,969- Thread: 36 FINE [com.vontu.lookup.script.ExecLauncher] Executing: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive, -ExecutionPolicy, ByPass, -InputFormat, none, -File, D:\SymantecDLP\Protect\Script2.ps1, discover-repository-location=null, date-detected=Mon Dec 16 15:52:42 EST 2013, endpoint-machine-name=null, incident-id=1234567, sender-ip=10.10.10.10, Magic Ticket Number=null, userId=null, sender-email=10.10.10.10, Assigned To=null, sender-port=35557, endpoint-domain-name=null, endpoint-dos-volume-name=null, file-access-date=null, date-sent=Mon Dec 16 15:52:42 EST 2013, endpoint-file-name=null, file-modified-by=null, Country=null, Manager Email=null, plugin-chain-id=0, discover-server=null, data-owner-name=null, Dismissal Reason=null, Streeet Address=null, LDAP  givenName=null, Building Name=null, Last Name=null, First Name=null, Phone=null, subject=HTTP incident, Sender Email=null, endpoint-user-name=null, endpoint-volume-name=null, discover-name=null, discover-content-root-path=null, data-owner-email=null, file-create-date=null, endpoint-application-name=null, Region=null, Manager First Name=null, LDAP telephoneNumber=null, path=null, endpoint-application-path=null, Manager Last Name=null, firstName=null, discover-location=null, Reason=null, protocol=HTTP, Resolution=null, file-owner=null, Postal Code=null, OS=null, endpoint-file-path=null, City=null, discover-extraction-date=null, Manager Phone=null, State=null, file-created-by=null, Rack ID=null, file-owner-domain=null]
    02 Jan 2014 13:50:37,520- Thread: 36 FINE [com.vontu.lookup.script.ExecLauncher] Return []

     

     

    And just for grins, I plugged the following command into the Windows Command Prompt:

    C:\> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive, -ExecutionPolicy, ByPass, -InputFormat, none, -File, D:\SymantecDLP\Protect\Script2.ps1, discover-repository-location=null, date-detected=Mon Dec 16 15:52:42 EST 2013, endpoint-machine-name=null, incident-id=1234567, sender-ip=10.10.10.10, Magic Ticket Number=null, userId=null, sender-email=10.10.10.10, Assigned To=null, sender-port=35557, endpoint-domain-name=null, endpoint-dos-volume-name=null, file-access-date=null, date-sent=Mon Dec 16 15:52:42 EST 2013, endpoint-file-name=null, file-modified-by=null, Country=null, Manager Email=null, plugin-chain-id=0, discover-server=null, data-owner-name=null, Dismissal Reason=null, Streeet Address=null, LDAP  givenName=null, Building Name=null, Last Name=null, First Name=null, Phone=null, subject=HTTP incident, Sender Email=null, endpoint-user-name=null, endpoint-volume-name=null, discover-name=null, discover-content-root-path=null, data-owner-email=null, file-create-date=null, endpoint-application-name=null, Region=null, Manager First Name=null, LDAP telephoneNumber=null, path=null, endpoint-application-path=null, Manager Last Name=null, firstName=null, discover-location=null, Reason=null, protocol=HTTP, Resolution=null, file-owner=null, Postal Code=null, OS=null, endpoint-file-path=null, City=null, discover-extraction-date=null, Manager Phone=null, State=null, file-created-by=null, Rack ID=null, file-owner-domain=null]
     

     

    It outputs the following error to the command prompt:

     

    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive' is not recognized as an internal or external command,
    operable program or batch file.

     

     

    What options do I use so that this PowerShell lookup script runs when it is invoked by the DLP Enforce server? Is there anything else you can think of?
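    The following is an added example, not code from the original post or from Symantec. The `[...]` that the ExecLauncher log prints after the executable is Java's rendering of the argument list, one element per argument, not a command line, which is why pasting it into cmd.exe produces "is not recognized". A lookup script therefore receives each `key=value` pair as its own element of `$args`. The block below parses such a vector, validates `sender-ip` before it is used to build a UNC path or a WMI `-ComputerName` (it is incident data, so treat it as untrusted), and rebuilds the launch locally so the script can be tested the way Enforce runs it. The script path, the attribute values and the `userId=BadSenderIP` result string are assumptions taken from the thread.

```powershell
# Added example (not from the original post): parse and reproduce the Enforce lookup invocation.

# One "key=value" string per argument, exactly the elements shown inside [...] in the ExecLauncher log.
function ConvertFrom-LookupArgs {
    param([string[]]$Arguments)
    $attrs = @{}
    foreach ($token in $Arguments) {
        # Split on the FIRST '=' only, so a value that itself contains '=' survives.
        $idx = $token.IndexOf('=')
        if ($idx -lt 1) { continue }                  # not an attribute (e.g. a stray switch)
        $key   = $token.Substring(0, $idx).Trim()
        $value = $token.Substring($idx + 1).Trim()
        if ($value -eq 'null') { $value = $null }     # Enforce sends the literal text "null" for empty attributes
        $attrs[$key] = $value                         # indexer assignment: a duplicate key overwrites, Add() would throw
    }
    return $attrs
}

# sender-ip ends up in \\<ip>\C$ and in a WMI -ComputerName, so insist on a literal IP address.
function Get-ValidatedSenderIP {
    param([hashtable]$Attributes)
    $raw = [string]$Attributes['sender-ip']
    $ip  = $null
    # Require a round trip: "1234567" also parses as an IPAddress, but does not come back unchanged.
    if ($raw -and [System.Net.IPAddress]::TryParse($raw, [ref]$ip) -and $ip.IPAddressToString -eq $raw) {
        return $raw
    }
    return $null
}

# Drive a lookup script the way Enforce does: powershell.exe, the switches from the plugin's
# Arguments field, then one argument per attribute. Returns whatever the script writes to stdout.
function Invoke-LookupScriptLikeEnforce {
    param([string]$ScriptPath, [hashtable]$Attributes)
    $argv = @('-NonInteractive', '-ExecutionPolicy', 'Bypass', '-InputFormat', 'None', '-File', $ScriptPath)
    foreach ($k in $Attributes.Keys) {
        $v = $Attributes[$k]
        if ($null -eq $v) { $v = 'null' }
        $argv += "$k=$v"
    }
    # An array given to a native command becomes one argument per element, quoted where it contains
    # spaces, which is what a Java process argument list amounts to.
    & "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe" $argv
}

# Constructed sample, shaped like the ExecLauncher log line in the thread.
$sampleArgv = @('incident-id=1234567', 'sender-ip=10.10.10.10', 'sender-email=10.10.10.10',
                'sender-port=35557', 'protocol=HTTP', 'subject=HTTP incident',
                'date-detected=Mon Dec 16 15:52:42 EST 2013', 'Manager Last Name=null', 'userId=null')
$attrs = ConvertFrom-LookupArgs -Arguments $sampleArgv

# Self-checks: nine attributes, "null" normalised, a good IP accepted, a bare integer rejected.
if ($attrs.Count -ne 9 -or $null -ne $attrs['Manager Last Name'])   { throw 'parser self-check failed' }
if ((Get-ValidatedSenderIP $attrs) -ne '10.10.10.10')               { throw 'sender-ip validation failed' }
if ($null -ne (Get-ValidatedSenderIP @{ 'sender-ip' = '1234567' })) { throw 'bogus sender-ip accepted' }

# Inside the real lookup script the tail would be:
#   $ip = Get-ValidatedSenderIP (ConvertFrom-LookupArgs $args)
#   if ($null -eq $ip) { Write-Output 'userId=BadSenderIP'; exit }
# and to re-create the launch from the log against the thread's script (path assumed from the thread):
#   Invoke-LookupScriptLikeEnforce -ScriptPath 'D:\SymantecDLP\Protect\Script2.ps1' -Attributes $attrs
```

    Running `Invoke-LookupScriptLikeEnforce` from an interactive session still differs from the Enforce case in one way that matters here: it runs as the logged-on user, while Enforce runs the script as its own service account, which is what decides whether a DPAPI-protected credential file can be read.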



  • 2.  RE: Part II - How does DLP enforce server invoke Powershell lookup script

    Trusted Advisor
    Posted Jan 02, 2014 02:45 PM

    RSASKA,

    A couple of things that might be causing the issue:

     

    1. Move the password file (all) to the same directory as the script. There might be some Java restrictions on reading a file that is not in the tree.
    2. Also there might be an issue with Java calling another script within a script. So that might be why you are not getting any information back.
    3. In the first script I would have it output a variable "foo=bar" just to see where the script is failing or working; do it in the 2nd script too. I think the issue is #2.
    4. You may need to use the credential option in the long run, since you need an elevated user.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak
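    As an added example (not code from either participant), here is a throwaway lookup script that does what point 3 above suggests, and also answers the question behind point 4: who Enforce actually runs the script as. `ConvertFrom-SecureString` without `-Key` protects the text with DPAPI, so the resulting file can only be decrypted by the Windows account that created it, on the machine where it was created. If the Enforce service account is not the account that ran `read-host -assecurestring | convertfrom-securestring | out-file`, Script1.ps1 fails at `ConvertTo-SecureString` before it ever launches Script2.ps1, and the plugin returns nothing. Point the plugin's `-File` at this script, trigger one lookup, then read the log. The log path is an assumption; the credential file path is the one from the thread.

```powershell
# Added example, not from the original post: record how Enforce really launched the lookup script.
$LogFile  = 'D:\SymantecDLP\Protect\lookup-diag.log'   # assumed location; the Enforce account must be able to write here
$CredFile = 'D:\Script\cred.txt'                       # the DPAPI-protected password file from Script1.ps1

function Write-Diag {
    param([string]$Message)
    Add-Content -Path $LogFile -Value ("{0:s} {1}" -f (Get-Date), $Message)
}

# 1. Identity and environment. DPAPI binds cred.txt to this account on this machine, so if this is not
#    the account that created the file, the credential read in Script1.ps1 cannot succeed.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
Write-Diag "identity=$identity interactive=$([Environment]::UserInteractive) cwd=$(Get-Location)"

# 2. Exactly what arrived in $args, one line per element. A comma-versus-space problem in the plugin's
#    Arguments field shows up here as one oversized element instead of many key=value elements.
Write-Diag ("argc={0}" -f $args.Count)
for ($i = 0; $i -lt $args.Count; $i++) {
    Write-Diag ("arg[{0}]=<{1}>" -f $i, $args[$i])
}

# 3. Can this identity decrypt the credential file at all?
function Test-CredFileDecryptable {
    param([string]$Path)
    try {
        $null = Get-Content -Path $Path -ErrorAction Stop | ConvertTo-SecureString -ErrorAction Stop
        return $true
    }
    catch {
        Write-Diag "credfile=$Path decrypt failed: $($_.Exception.Message)"
        return $false
    }
}
Write-Diag ("credfile_decryptable={0}" -f (Test-CredFileDecryptable -Path $CredFile))

# 4. Always return something, so the Enforce UI shows whether output is making it back at all
#    (the "foo=bar" idea). Swap in the real value once the plumbing is confirmed.
Write-Output "userId=diag"
```

    If the log shows `credfile_decryptable=False` under the identity Enforce uses, recreate `cred.txt` while running as that identity (the `read-host -assecurestring | convertfrom-securestring | out-file` one-liner from the first post), rather than adding `-Key`: a key stored next to the file lets anyone who can read both decrypt the password.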



  • 3.  RE: Part II - How does DLP enforce server invoke Powershell lookup script

    Posted Jan 02, 2014 03:04 PM

    Ronak,

     

     

    1. Move the password file (all) to the same directory as the script. There might be some Java restrictions on reading a file that is not in the tree.

     

    But I am no longer using a password file. Unless you mean the file with the encrypted $password which is used by the script. OK, I'll move this even though the script is able to run perfectly by itself. The problem is when I integrate it with the DLP Enforce server....

     

    2. Also there might be an issue with Java calling another script within a script. So that might be why you are not getting any information back.

    One script is calling another script with elevated credentials, and when I try it WITHOUT DLP enforce server, it works perfectly.

     

    3. In the first script I would have it output a variable "foo=bar" just to see where the script is failing or working; do it in the 2nd script too. I think the issue is #2.

     

     When I plug in *what I think* the DLP Enforce Server is invoking through the command line, I get an error:

     

    'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive' is not recognized as an internal or external command,

    So it is not even executing the script... hence it's returning null output instead of one of the errors that the script is supposed to return, i.e.

    userId=CannotPing

    userId=CannotAuthenticate

    userId=CannotFindLastUser

     

    4. You may need to use the credential option in the long run since you need an elevated user.

     

    I suppose I can try this option for grins and see what it does... even though it is already built into Script1.ps1.



  • 4.  RE: Part II - How does DLP enforce server invoke Powershell lookup script

    Trusted Advisor
    Posted Jan 02, 2014 03:39 PM

    RSASKA,

    Can you send me a screenshot of the configuration page of the script? Attach it to the post.

    It might be the arguments.

    Ronak

     



  • 5.  RE: Part II - How does DLP enforce server invoke Powershell lookup script

    Posted Jan 03, 2014 09:54 AM

    Did you mean the Script Lookup Plugin?

    [Attachment: Script_Lookup_Plugin_1.png]

     

    After -File is the entire path, D:\SymantecDLP\Protect\Script2.ps1

     

    So the entire Arguments line is:

     

    -NonInteractive,-ExecutionPolicy, ByPass,-InputFormat,none,-File,D:\SymantecDLP\Protect\Script2.ps1



  • 6.  RE: Part II - How does DLP enforce server invoke Powershell lookup script

    Trusted Advisor
    Posted Jan 03, 2014 02:16 PM

    RSASKA,

    First of all, remove all of the commas from the arguments; they are not needed when using PowerShell. This may be the issue you are having. Just use spaces; the "-" is how PowerShell knows that it is an argument.

    Then if that does not work, try removing individual arguments. Not sure if ByPass is needed, or even -NonInteractive. Also I might add the "-NoLogo" argument too.

    Overall it looks good.

    Hope this makes sense.

    If this solves your question, please mark it as solved.

    Ronak