
Executable Compiled with PS2EXE Fails to Trigger from Wazuh Active Response

Open: joseraeiro opened this issue 1 year ago • 1 comment

Environment

  • Operating System: Windows 11
  • Wazuh Version: 4.7.4
  • PS2EXE Version: 1.0.13

Issue Description

I am encountering a problem where an executable, compiled from a PowerShell script using PS2EXE, fails to trigger as expected when called from a Wazuh agent's active response on Windows. While the executable runs perfectly when executed manually, it does not output or function when triggered by the security platform (Wazuh).

Detailed Description

The compiled executable is meant to be triggered by Wazuh's active response mechanism as part of our security procedures. Although the executable works flawlessly when triggered manually (both from PowerShell and a CMD script), it does not produce any output or log entries when called via Wazuh's active response system. Interestingly, when the Wazuh service is restarted, the executable then processes as expected, which leads me to believe there might be an issue with how the executable is initialized or executed in this specific environment.

Steps to Reproduce

  1. Compile a PowerShell script using PS2EXE.
  2. Configure the executable to be triggered by Wazuh's active response.
  3. Observe that the executable does not function when triggered, but works when the service is restarted or when executed manually.

Expected Behavior

The executable should function the same way it does when executed manually, regardless of whether it is triggered by Wazuh.

Actual Behavior

The executable does not produce output or perform its functions until after the Wazuh service has been restarted.

Troubleshooting Steps Already Taken

  • Confirmed executable permissions and paths.
  • Increased logging verbosity on Wazuh, but no relevant errors or warnings are produced.
  • Manually executed the executable with success multiple times.

Hypothesis

There might be an initialization issue or a compatibility problem with the runtime environment when the executable is triggered by external systems like Wazuh. The discrepancy between manual execution and automated triggering via Wazuh suggests a potential issue in the way PS2EXE-compiled scripts handle such environments or are initialized by external triggers.

Request for Help

I would greatly appreciate any insights or suggestions on why this behavior might be occurring with PS2EXE-compiled executables in automated environments. Is there a known issue or limitation with the initialization process for executables compiled with PS2EXE that could cause such behavior?

Thank you for any help or guidance you can provide!

joseraeiro, Jun 05 '24 16:06

Hello @joseraeiro, as I don't know Wazuh, I have to rely a lot on guesswork. PS2EXE requires .Net version 4 and a Powershell version 4.x or 5.x.

In an automated execution, the compiled program may not be able to start a cmd.exe due to the environment (for a console program, try "cmd.exe /c PROGRAM.EXE"). If the context is LocalSystem, environment variables may be missing. For a console program, the input or output channel may be missing (try the compile parameters -noOutput and -noError). To test whether a PS2EXE compiled programme works in principle, you could first run a programme that only contains the Powershell command "Read-Host" (you would have to check the start in Task Manager and also end the program there). What happens when you compile a GUI program (compile parameter -NoConsole)?

Just some ideas, greetings

Markus

MScholtes, Jun 16 '24 14:06
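One way to tell which of the differences listed in the reply above (LocalSystem context, missing environment variables, no console input/output channel, inability to spawn cmd.exe) actually applies is a diagnostic script that records its execution context to a file rather than the console, so it still leaves a trace when no output channel exists. This is an added example, not code from the issue or from PS2EXE; the log path and the compile command in the comments are assumptions.

```powershell
# Diagnostic script to compile with PS2EXE and launch from the automation (e.g. Wazuh active response).
# Everything is written to a file, so a missing stdout/stderr cannot hide the result.
# Assumed compile line: Invoke-ps2exe .\diag.ps1 .\diag.exe -noOutput -noError
$LogPath = 'C:\ProgramData\ps2exe-diag.log'   # assumption: any path the service account can write

function Write-Diag {
    param([string]$Message)
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line -Encoding UTF8
}

try {
    Write-Diag "---- start (PID $PID) ----"
    # Who is running us? A service context shows up as NT AUTHORITY\SYSTEM.
    Write-Diag ("user: " + [System.Security.Principal.WindowsIdentity]::GetCurrent().Name)
    Write-Diag ("interactive: " + [Environment]::UserInteractive)
    Write-Diag ("host: " + $Host.Name + ", PowerShell " + $PSVersionTable.PSVersion)
    Write-Diag ("clr: " + [Environment]::Version)
    Write-Diag ("cwd: " + (Get-Location).Path)

    # Environment variables that are commonly absent or different under LocalSystem.
    foreach ($name in 'USERPROFILE', 'TEMP', 'APPDATA', 'PATH', 'ComSpec') {
        $value = [Environment]::GetEnvironmentVariable($name)
        if ($null -eq $value) { Write-Diag "env ${name}: <missing>" }
        else { Write-Diag "env ${name}: $value" }
    }

    # Are the standard streams present/redirected? A missing console breaks plain console output.
    Write-Diag ("stdin redirected: "  + [Console]::IsInputRedirected)
    Write-Diag ("stdout redirected: " + [Console]::IsOutputRedirected)

    # Can a child cmd.exe be started from this context at all?
    $p = Start-Process -FilePath 'cmd.exe' -ArgumentList '/c', 'exit 7' -Wait -PassThru -WindowStyle Hidden
    Write-Diag ("cmd.exe exit code: " + $p.ExitCode)   # 7 if the child ran
    Write-Diag "---- end ----"
}
catch {
    # Even the failure reason goes to the file, not to a console that may not exist.
    Write-Diag ("error: " + $_.Exception.Message)
}
```

Compare the log produced by a manual run with the one produced by the automated trigger; the first line that differs (user, a missing variable, a redirected stream, or a failed cmd.exe launch) points at the cause.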

I assume that the issue no longer exists as there is no feedback.

MScholtes, Sep 22 '24 15:09