Happy New Year!!!
I am creating a new thread based on https://www-secure.symantec.com/connect/forums/how-simulate-way-dlp-enforce-calls-dlp-look-script
Based on the Tomcat logs, it seems that the DLP Enforce server is invoking the lookup script from the Windows command line (Start > Run > type "cmd").
I created two PowerShell scripts. The first script invokes the second script using elevated credentials --- that way I don't need to use the credentials file in the DLP Enforce server.
Script1.ps1, which calls Script2.ps1 with elevated credentials and passes in the argument $Sender_IP:
# Script1.ps1 - runs on the Enforce server: parses the key=value arguments Enforce
# passes, extracts sender-ip, then launches Script2.ps1 under another account.
$abc = $args
$startInfo = $NULL
$process = $NULL
$standardOut = $NULL
$userId = $NULL
$line_array = @()
$multi_array = @()
[hashtable]$my_hash = @{}
$Sender_IP = $NULL
$Win32OS = $NULL
$Build = $NULL
$folder = $NULL
$SysDrv = $NULL
$key = $NULL
$value = $NULL
<#Previously created password file in D:\Script\cred.txt, read-host -assecurestring | convertfrom-securestring | out-file D:\Script\cred.txt#>
$password = get-content D:\Script\cred.txt | convertto-securestring
#########################################################################
# Enforce passes one "key=value" per argument; joining them and re-splitting on
# commas also covers a manual invocation where spaces break the arguments apart.
$arg_string = (($args | % { $_ -join ", " }) -join " ")
foreach ($i in $arg_string){
    $line_array += $i.split(",")
}
foreach ($j in $line_array){
    if ($j -notmatch "=") { continue }           # skip fragments that carry no key=value
    $multi_array += ,@($j -split "=", 2)         # split on the first "=" only, values may contain "="
}
foreach ($k in $multi_array){
    $key = $k[0].Trim()
    $value = $k[1].Trim()
    $my_hash[$key] = $value                      # index assignment does not throw on a duplicate key
}
$Sender_IP = $my_hash.Get_Item("sender-ip")
#########################################################################
# Launch Script2.ps1 as the service account and capture its single output line.
$startInfo = New-Object System.Diagnostics.ProcessStartInfo
$startInfo.FileName = "powershell.exe"
$startInfo.Arguments = "-noninteractive -windowstyle hidden -noprofile D:\SymantecDLP\Protect\script2.ps1 " + $Sender_IP
$startInfo.RedirectStandardOutput = $true
$startInfo.UseShellExecute = $false              # required for RedirectStandardOutput and for UserName/Password
$startInfo.CreateNoWindow = $false
$startInfo.Username = "system_logon"
$startInfo.Domain = "Contoso"
$startInfo.Password = $password                  # must be a SecureString
$process = New-Object System.Diagnostics.Process
$process.StartInfo = $startInfo
$process.Start() | Out-Null
$userId = $process.StandardOutput.ReadToEnd()    # read before WaitForExit to avoid a full-pipe deadlock
$process.WaitForExit()
return $userId
Here is Script2.ps1, which takes $Sender_IP from Script1.ps1 and returns $userId to Script1.ps1:
# Script2.ps1 - runs under the elevated account: expects a single argument (the
# sender IP from Script1.ps1) and writes one "userId=..." line to stdout.
$line_array = @()
$multi_array = @()
[hashtable]$my_hash = @{}
$Sender_IP = $NULL
$Win32OS = $NULL
$Build = $NULL
$folder = $NULL
$SysDrv = $NULL
$key = $NULL
$value = $NULL
$Sender_IP = $args[0]                            # Script1 passes only the IP, so take the first argument
try{
    Test-Connection $Sender_IP -count 1 -ErrorAction Stop | out-null
}
catch [Exception]
{
    $userId = "userId=CannotPing"
    return $userId
}
# One WMI query is enough; the original ran Win32_OperatingSystem twice.
try{
    $Win32OS = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $Sender_IP -ErrorAction Stop
}
catch [Exception]{
    $userId = "userId=CannotAuthenticate"
    return $userId
}
# Turn "C:" into the administrative share "C$" and build \\<ip>\C$\Users.
$SysDrv = $Win32OS.SystemDrive
$SysDrv = $SysDrv.Replace(":","$")
$ProfDrv = "\\" + $Sender_IP + "\" + $SysDrv
$ProfLoc = Join-Path -Path $ProfDrv -ChildPath "Users"
if (!(Test-Path $ProfLoc)){
    $ProfLoc = Join-Path -Path $ProfDrv -ChildPath "Documents and Settings"   # pre-Vista profile root
}
try{
    # Most recently modified profile folder is taken as the last logged-on user.
    $userId = Get-ChildItem $ProfLoc -ErrorAction Stop | ? { $_.PsIsContainer} | Sort LastWriteTime -Descending | Select -expand Name -First 1
    $userId = "userId=Contoso\"+$userId
}catch [Exception]
{
    $userId = "userId=CannotFindLastUser"
    return $userId
}
if ($userId -eq "userId=Contoso\All Users"){
    # Fall back to the interactively logged-on user; Win32_ComputerSystem.UserName
    # already comes back as DOMAIN\user, so it is not prefixed again.
    $userId = (get-wmiobject win32_computersystem -computer $Sender_IP).UserName
    if ($null -eq $userId){
        $userId = "userId=Contoso\All Users"
    }
    else{
        $userId = "userId="+$userId
    }
    return $userId
}
else{
    return $userId
}
Now, when I invoke Script2.ps1 on the command prompt:
C:\> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe D:\SymantecDLP\Protect\Script2.ps1 Manager Last Name=Doe, discover-location=null, protocol=Clipboard, Resolution=null, file-owner=rpatel, sender-ip=10.10.10.10, Employee Type=External Employee, endpoint-file-path=null, Title=null, discover-extraction-date=null, Manager Business Unit=IT Services, Manager Phone=414-555-5555, Username=rpatel, Division=Contractor, file-created-by=DOMAIN\rpatel, file-owner-domain=DOMAIN
It outputs the following to the command prompt:
userId=Contoso\dsmith
So far, so good.
Now, I try to plug this into the DLP Enforce server with the following options:
*********************************************************************************************************
Script Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Arguments: -NonInteractive,-ExecutionPolicy, ByPass,-InputFormat,none,-File,D:\SymantecDLP\Protect\Script2.ps1
And I UNCHECK the following options:
Enable stdin
Enable stdout
Enable protocol filtering
Enable credentials
*********************************************************************************************************
Now when I load the plug-in and press Lookup based on IP address, the userId field is blank.
And when I check the Tomcat logs I get the following:
02 Jan 2014 13:50:36,969- Thread: 36 FINE [com.vontu.lookup.script.ExecLauncher] Executing: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive, -ExecutionPolicy, ByPass, -InputFormat, none, -File, D:\SymantecDLP\Protect\Script2.ps1, discover-repository-location=null, date-detected=Mon Dec 16 15:52:42 EST 2013, endpoint-machine-name=null, incident-id=1234567, sender-ip=10.10.10.10, Magic Ticket Number=null, userId=null, sender-email=10.10.10.10, Assigned To=null, sender-port=35557, endpoint-domain-name=null, endpoint-dos-volume-name=null, file-access-date=null, date-sent=Mon Dec 16 15:52:42 EST 2013, endpoint-file-name=null, file-modified-by=null, Country=null, Manager Email=null, plugin-chain-id=0, discover-server=null, data-owner-name=null, Dismissal Reason=null, Streeet Address=null, LDAP givenName=null, Building Name=null, Last Name=null, First Name=null, Phone=null, subject=HTTP incident, Sender Email=null, endpoint-user-name=null, endpoint-volume-name=null, discover-name=null, discover-content-root-path=null, data-owner-email=null, file-create-date=null, endpoint-application-name=null, Region=null, Manager First Name=null, LDAP telephoneNumber=null, path=null, endpoint-application-path=null, Manager Last Name=null, firstName=null, discover-location=null, Reason=null, protocol=HTTP, Resolution=null, file-owner=null, Postal Code=null, OS=null, endpoint-file-path=null, City=null, discover-extraction-date=null, Manager Phone=null, State=null, file-created-by=null, Rack ID=null, file-owner-domain=null]
02 Jan 2014 13:50:37,520- Thread: 36 FINE [com.vontu.lookup.script.ExecLauncher] Return []
And just for grins, I plugged the following command into the Windows Command Prompt:
C:\> C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive, -ExecutionPolicy, ByPass, -InputFormat, none, -File, D:\SymantecDLP\Protect\Script2.ps1, discover-repository-location=null, date-detected=Mon Dec 16 15:52:42 EST 2013, endpoint-machine-name=null, incident-id=1234567, sender-ip=10.10.10.10, Magic Ticket Number=null, userId=null, sender-email=10.10.10.10, Assigned To=null, sender-port=35557, endpoint-domain-name=null, endpoint-dos-volume-name=null, file-access-date=null, date-sent=Mon Dec 16 15:52:42 EST 2013, endpoint-file-name=null, file-modified-by=null, Country=null, Manager Email=null, plugin-chain-id=0, discover-server=null, data-owner-name=null, Dismissal Reason=null, Streeet Address=null, LDAP givenName=null, Building Name=null, Last Name=null, First Name=null, Phone=null, subject=HTTP incident, Sender Email=null, endpoint-user-name=null, endpoint-volume-name=null, discover-name=null, discover-content-root-path=null, data-owner-email=null, file-create-date=null, endpoint-application-name=null, Region=null, Manager First Name=null, LDAP telephoneNumber=null, path=null, endpoint-application-path=null, Manager Last Name=null, firstName=null, discover-location=null, Reason=null, protocol=HTTP, Resolution=null, file-owner=null, Postal Code=null, OS=null, endpoint-file-path=null, City=null, discover-extraction-date=null, Manager Phone=null, State=null, file-created-by=null, Rack ID=null, file-owner-domain=null]
It outputs the following error to the command prompt:
'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe[-NonInteractive' is not recognized as an internal or external command,
operable program or batch file.
What options do I use so that this PowerShell lookup script runs when it is invoked by the DLP Enforce server? Is there anything else you can think of?
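As an added example (not code from the original post), here is a parser for the key=value attribute list that the ExecLauncher log line shows Enforce passing to the lookup script. Unlike the Script1 parser above it splits each pair on the first "=" only, tolerates duplicate keys, validates sender-ip before it would reach Test-Connection or WMI, and ends by writing a single key=value line the way the lookup plug-in reads it back from stdout. The function names and the sample argument values are assumptions.

```powershell
# Added example: parse the attribute list Enforce passes to a lookup script.
function ConvertFrom-DlpArgs {
    param([string[]]$RawArgs)
    $table = @{}
    # Enforce passes one "key=value" per argument; a manual cmd invocation splits
    # on spaces instead, so re-join and split on ", " to cover both forms.
    # (A value that itself contains ", " would still be cut; none appear in the log.)
    $joined = ($RawArgs -join ' ')
    foreach ($pair in ($joined -split ',\s*')) {
        if ($pair -notmatch '=') { continue }        # skip stray tokens
        $key, $value = $pair -split '=', 2           # keep any '=' inside the value
        $key = $key.Trim(); $value = $value.Trim()
        if ($value -eq 'null') { $value = $null }    # Enforce's literal "null"
        $table[$key] = $value                        # last duplicate wins, no exception
    }
    return $table
}

function Get-SenderIp {
    param([hashtable]$Attributes)
    $ip = $Attributes['sender-ip']
    $parsed = [System.Net.IPAddress]::Any
    # Refuse to hand an unvalidated string to Test-Connection or Get-WmiObject.
    if (-not $ip -or -not [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)) {
        return $null
    }
    return $parsed.IPAddressToString
}

# Constructed sample mirroring a few entries of the ExecLauncher log line above.
$sample = @('discover-repository-location=null', 'date-detected=Mon Dec 16 15:52:42 EST 2013',
            'incident-id=1234567', 'sender-ip=10.10.10.10', 'Magic Ticket Number=null',
            'userId=null', 'protocol=HTTP')
$attrs = ConvertFrom-DlpArgs -RawArgs $sample
$senderIp = Get-SenderIp -Attributes $attrs
if ($null -eq $senderIp) {
    Write-Output 'userId=InvalidSenderIp'     # one key=value line on stdout, as Enforce expects
} else {
    Write-Output "sender-ip=$senderIp incident-id=$($attrs['incident-id'])"
}
```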