akaleeroy/Conjoined-Twins.md

## Conjoined-Twins.md

      
    Raw
  

              Conjoined-Twins.md
            
          
    Conjoined Twins

IFTTT-style application actions using auditing and scheduled tasks under Windows

How it works

The script audits a trigger application to make it raise an event when it's executed, then schedules a task to run an action command on that event. For example an automation script, or a batch file, or another app.
Advantages


Action is always conjoined with the trigger app, even when it starts from opening a file or from another script


No additional thing running in the background, polling every few seconds to see if your trigger app has started


Easily disable/enable in Task Scheduler


Limitations


You may not have permissions to audit some Windows executables


Slight lag after the trigger before the action runs


False positive when clicking properties on your trigger app the action is executed.


Usage

Run from gist:
PS:>[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
PS:>iex ((new-object net.webclient).DownloadString('https://gist.github.com/akaleeroy/01ddea07dc51bb2b0509/raw/conjoinedtwins.ps1'))
The script first asks you for the trigger application - this is the one you want to bind the action to.
You can type in a path or hit Enter and browse for it with a GUI dialog.
Then it asks you for the action - what you want to start together with the trigger application.
Finally you must enter a task name - so you can find it in Task Scheduler.

  
## conjoinedtwins.ps1
# Conjoined Twins
# IFTTT-style application actions using auditing and scheduled tasks under Windows

#TODO: Do something about Write-Host and Read-Host
#TODO: Write output for file selection and auditing setting

Function Get-FileName($initialDirectory, $Title) {
  [void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

  $OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
  $OpenFileDialog.Title = $Title
  $OpenFileDialog.initialDirectory = $initialDirectory
  $OpenFileDialog.filter = "Executable Files(*.exe;*.bat;*.cmd)|*.exe;*.bat;*.cmd|All files (*.*)|*.*"
  $OpenFileDialog.ShowHelp = $true # Without ShowHelp set to true the dialog doesn't show up!
  $OpenFileDialog.ShowDialog() | Out-Null
  $OpenFileDialog.filename
} #end function Get-FileName

Function Audit-Executable($File) {
  if($File) {
    $AuditUser = "$env:UserName" # or "Everyone"
    $AuditRules = "ExecuteFile"
    $AuditType = "Success"
    $AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$AuditType)

    $ACL = Get-Acl $File
    $ACL.SetAuditRule($AccessRule)
    $ACL | Set-Acl $File

    # Show the new auditing settings to confirm
    # Get-Acl -Audit $File | Select -Expand Audit
  }
} #end function Audit-Executable

# Choose trigger application to watch
$triggerapp = Read-Host "Select trigger application to watch... `n[Press Enter to browse]"
if(!$triggerapp) {
  $triggerapp = Get-FileName -initialDirectory "D:\Demo" -Title "Select trigger application to watch..."
}
if($triggerapp) { Write-Host "`n$triggerapp is the trigger`n" }
else { Exit }

# Audit ExecuteFile on trigger application executable
Audit-Executable($triggerapp)

# Craft XPath Query for scheduled task trigger
$triggerquery = "*[System[(EventID=4663)]] and *[EventData[Data[@Name='ObjectName'] and (Data='$triggerapp')]]"

# Choose action to run conjoined with trigger app
$action = Read-Host "Select action to run... `n[Press Enter to browse]"
if(!$action) {
  $action = Get-FileName -initialDirectory $env:SystemRoot\system32 -Title "Select action to run..."
}
if($action) { Write-Host "`n$action is the action `n" }

if($triggerapp -and $action) {
  # Ask user for task name. No description param in schtasks :(
  $taskname = Read-Host -Prompt "Name the scheduled task"

  # Register scheduled task, via http://serverfault.com/a/533660
  schtasks /Create /TN $taskname /TR $action /SC ONEVENT /EC Security /MO $triggerquery
}
	# Conjoined Twins
	# IFTTT-style application actions using auditing and scheduled tasks under Windows

	#TODO: Do something about Write-Host and Read-Host
	#TODO: Write output for file selection and auditing setting

	Function Get-FileName($initialDirectory, $Title) {
	[void][System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")

	$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog
	$OpenFileDialog.Title = $Title
	$OpenFileDialog.initialDirectory = $initialDirectory
	$OpenFileDialog.filter = "Executable Files(.exe;.bat;.cmd)\|.exe;.bat;.cmd\|All files (.)\|."
	$OpenFileDialog.ShowHelp = $true # Without ShowHelp set to true the dialog doesn't show up!
	$OpenFileDialog.ShowDialog() \| Out-Null
	$OpenFileDialog.filename
	} #end function Get-FileName

	Function Audit-Executable($File) {
	if($File) {
	$AuditUser = "$env:UserName" # or "Everyone"
	$AuditRules = "ExecuteFile"
	$AuditType = "Success"
	$AccessRule = New-Object System.Security.AccessControl.FileSystemAuditRule($AuditUser,$AuditRules,$AuditType)

	$ACL = Get-Acl $File
	$ACL.SetAuditRule($AccessRule)
	$ACL \| Set-Acl $File

	# Show the new auditing settings to confirm
	# Get-Acl -Audit $File \| Select -Expand Audit
	}
	} #end function Audit-Executable

	# Choose trigger application to watch
	$triggerapp = Read-Host "Select trigger application to watch... `n[Press Enter to browse]"
	if(!$triggerapp) {
	$triggerapp = Get-FileName -initialDirectory "D:\Demo" -Title "Select trigger application to watch..."
	}
	if($triggerapp) { Write-Host "`n$triggerapp is the trigger`n" }
	else { Exit }

	# Audit ExecuteFile on trigger application executable
	Audit-Executable($triggerapp)

	# Craft XPath Query for scheduled task trigger
	$triggerquery = "[System[(EventID=4663)]] and [EventData[Data[@Name='ObjectName'] and (Data='$triggerapp')]]"

	# Choose action to run conjoined with trigger app
	$action = Read-Host "Select action to run... `n[Press Enter to browse]"
	if(!$action) {
	$action = Get-FileName -initialDirectory $env:SystemRoot\system32 -Title "Select action to run..."
	}
	if($action) { Write-Host "`n$action is the action `n" }

	if($triggerapp -and $action) {
	# Ask user for task name. No description param in schtasks :(
	$taskname = Read-Host -Prompt "Name the scheduled task"

	# Register scheduled task, via http://serverfault.com/a/533660
	schtasks /Create /TN $taskname /TR $action /SC ONEVENT /EC Security /MO $triggerquery
	}