@keyboardcrunch
Created March 17, 2021 14:14
SentinelOne Agent compliance script
$Installed = Get-WmiObject -Class Win32Reg_AddRemovePrograms | Where-Object { $_.DisplayName -eq "Sentinel Agent" }
If ( -Not $Installed ) {
    # Sentinel Agent not installed/missing.
    Return $false
} Else {
    $Version = $Installed.Version
    $SentinelCtl = "C:\Program Files\SentinelOne\Sentinel Agent $Version\SentinelCtl.exe"
    If ( -Not (Test-Path -LiteralPath $SentinelCtl) ) {
        # Registry lists the agent but the binary for that version is missing: treat as non-compliant.
        Return $false
    }
    # Capture status output as an array of lines (stderr merged so error text is checked too).
    $Status = & $SentinelCtl "status" 2>&1 | ForEach-Object { [string]$_ }
    $Compliant = $true
    # -contains tests whole-line equality, so it would never match a line prefix such as
    # "SentinelCtl.exe was run from an old". -like with wildcards does the substring match
    # these checks need; on an array it returns the matching lines, which is falsy when empty.
    If ( $Status -like "*SentinelAgent is not loaded*" ) {
        $Compliant = $false
    }
    If ( $Status -like "*SentinelCtl.exe was run from an old*" ) {
        # Indicates mismatch between installed version and running version. Could be corrupted install.
        $Compliant = $false
    }
    If ( $Status -like "*SentinelMonitor is not loaded*" ) {
        $Compliant = $false
    }
    <# Disabled, unsure how common this is disabled on healthy clients but common on systems with Agent unloaded.
    If ( $Status -like "*Self-Protection status: Off*" ) {
        $Compliant = $false
    }
    #>
    Return $Compliant
}
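The script above folds its status checks into a single boolean, which is enough for a compliance baseline but hides why a host failed. The following is an added example, not the gist author's code, that separates parsing the SentinelCtl status output from running the binary, so the parsing can be exercised offline and a report can say which condition tripped. The sample status lines are constructed for illustration and do not reproduce real SentinelCtl output verbatim; the function names, the Reasons field and the -RequireSelfProtection switch are assumptions of this example.

```powershell
# Added example: parse SentinelCtl "status" output into a compliance object.
# Not part of the original gist; sample lines below are constructed.
function Test-SentinelStatusOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$StatusLines,
        # The gist leaves the self-protection check commented out; opt in here.
        [switch]$RequireSelfProtection
    )
    $reasons = [System.Collections.Generic.List[string]]::new()
    $text = $StatusLines -join "`n"

    # Substring checks. -contains would test whole-element equality and never match
    # a line prefix such as "SentinelCtl.exe was run from an old", so use -match with
    # the needle escaped (the needle contains "." which is a regex metacharacter).
    $checks = [ordered]@{
        'SentinelAgent is not loaded'         = 'agent service not loaded'
        'SentinelMonitor is not loaded'       = 'kernel monitor not loaded'
        'SentinelCtl.exe was run from an old' = 'installed version does not match running version'
    }
    if ($RequireSelfProtection) {
        $checks['Self-Protection status: Off'] = 'self-protection disabled'
    }
    foreach ($needle in @($checks.Keys)) {
        if ($text -match [regex]::Escape($needle)) { $reasons.Add($checks[$needle]) }
    }

    [pscustomobject]@{
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons.ToArray()
    }
}

# Wrapper that runs the real binary. $SentinelCtlPath is the caller's assumption
# (the gist derives it from the installed version in Add/Remove Programs).
function Get-SentinelCompliance {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SentinelCtlPath,
        [switch]$RequireSelfProtection
    )
    if (-not (Test-Path -LiteralPath $SentinelCtlPath)) {
        return [pscustomobject]@{
            Compliant = $false
            Reasons   = @("SentinelCtl.exe not found at $SentinelCtlPath")
        }
    }
    # Merge stderr so error text (e.g. the version-mismatch message) is also inspected.
    $lines = & $SentinelCtlPath status 2>&1 | ForEach-Object { [string]$_ }
    Test-SentinelStatusOutput -StatusLines $lines -RequireSelfProtection:$RequireSelfProtection
}

# Constructed sample output: a healthy host and a host whose agent is unloaded.
$healthy = @(
    'SentinelMonitor is loaded'
    'SentinelAgent is loaded'
    'Self-Protection status: On'
)
$broken = @(
    'SentinelMonitor is not loaded'
    'SentinelAgent is not loaded'
    'Self-Protection status: Off'
)

# Expected: Compliant=True, Reasons empty.
Test-SentinelStatusOutput -StatusLines $healthy -RequireSelfProtection
# Expected: Compliant=False with three reasons (monitor, agent, self-protection).
Test-SentinelStatusOutput -StatusLines $broken -RequireSelfProtection
```

Returning an object rather than a bare $true/$false lets a management tool (SCCM/Intune compliance, a RMM script) log the failing condition, and keeping the parser separate means a change in SentinelCtl's wording can be caught by feeding captured output into Test-SentinelStatusOutput without touching a live agent.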
@mattcargile

mattcargile commented Sep 9, 2022

@keyboardcrunch , you are the best! 👍 That is a neat tool! I was able to get that help output once I tried it.

And I was wondering if you knew anything about this repo? I go into more depth in this issue. Additionally, what's your take, generally speaking, on the behavior and the performance of these injected scripts and breakpoints? I didn't like it because it broke piping behavior like get-psbreakpoint | remove-psbreakpoint. And they pollute the global variable namespace with other variables like $item. I assume this behavior can be managed by an item in sentinelctl.exe configure?

@keyboardcrunch (Author)

I've not seen that repository before, but I'm aware of SentinelOne's use and commented in this thread on Twitter a while back; it's part of the PowershellProtection feature of the agent. It can be turned off locally on a single host with ./SentinelCtl.exe config powershellProtection false -k "AGENT PASSPHRASE"; doing so will not disable AMSI, so CommandScript EDR data will still be collected by the agent.
I wouldn't do this globally, but it can be done by an administrator through Policy Override. Standard Interoperability exclusion should also resolve any issues you're running into, so you could just exclude your impacted script.

@mattcargile

mattcargile commented Sep 9, 2022

Thanks again! Big help. I don't see that configuration item. I see the below when searching the config for "power".

agent.deepVisibility.scripts.powershell
agent.monitorConfig.preemptionConfig.processes

To "fix" on my end, I add the below to my $PROFILE. Otherwise, my powershell.exe session workflow isn't usable, especially with modules like ZLocation.

# Sentinel One Clean up.
# VS Code doesn't have the same issue for some reason.
if ($PSVersionTable.PSEdition -eq 'Desktop' -and $env:TERM_PROGRAM -ne 'vscode') {
    # Addition of breakpoints slow down the session. Calling fully qualified function to avoid using function override.
    Microsoft.PowerShell.Utility\Get-PSBreakpoint | Microsoft.PowerShell.Utility\Remove-PSBreakpoint
    # Software doesn't clean up these variables
    Remove-Variable -Name 'item', 'Po_wer_Spl_oit_Indicators' -ErrorAction 'Ignore'
    # Software overrides and hooks into these functions and breaks things. For instance, `gbp | rbp` doesn't work
    Remove-Item -Path 'Function:\Get-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Disable-PSBreakpoint' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint' -ErrorAction 'Ignore'
    # Other functions added that aren't needed
    Remove-Item -Path 'Function:\Disable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Enable-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Get-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\New-Object_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Remove-PSBreakpoint_Hook' -ErrorAction 'Ignore'
    Remove-Item -Path 'Function:\Set-ExecutionPolicy_Hook' -ErrorAction 'Ignore'
}
