windowspowershellstart-job

Powershell start-job with arguments not working


I cannot figure this one out. what should have been simple, became a real pain. The following code works. It just that I need to start it in the background and inside a function.

The code:

   $EvidenceDirectory = "C:\Evidence"
   $Chainsawpath="C:\Tools\chainsaw\chainsaw.exe"
   $Sigmamappings="C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
   $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
   Set-Alias Chainsaw $Chainsawpath
   $run = Chainsaw hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
  

From inside a function:

    function Chainsaw
{
    
  start-job { 
  $EvidenceDirectory = "C:\Evidence"
  $Chainsawpath="C:\Tools\chainsaw\chainsaw.exe"
  $Sigmamappings="C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
  $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
  & $Chainsawpath hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
  }

    if ($LASTEXITCODE -ne 0)
    {
        
        write-host "$LASTEXITCODE"
        
        return
    }
    else
    {
        write-host "$Time Chainsaw analysis completed successfully"
    }
    Start-Sleep -s 2
}

Solution

  • You can run a variable with the call operator.

    $run = & $Chainsawpath hunt $EvidenceDirectory\EVTX --rules $Sigmarules --mapping $Sigmamappings --csv $EvidenceDirectory\Chainsaw
    

    As a job:

    start-job { 
      $EvidenceDirectory = "C:\Evidence"
      $Chainsawpath="C:\Tools\chainsaw\chainsaw.exe"
      $Sigmamappings="C:\Tools\chainsaw\mapping_files\sigma-mapping.yml"
      $Sigmarules = "C:\Tools\chainsaw\sigma_rules"
      & $Chainsawpath hunt "$EvidenceDirectory\EVTX" --rules "$Sigmarules" --mapping "$Sigmamappings" --csv "$EvidenceDirectory\Chainsaw"
    }