public/Watch-VPASActivePSMSession.ps1
<#
.Synopsis MONITOR ACTIVE SESSION CREATED BY: Vadim Melamed, EMAIL: vmelamed5@gmail.com .DESCRIPTION USE THIS FUNCTION TO MONITOR ACTIVE PSM SESSION .PARAMETER token HashTable of data containing various pieces of login information (PVWA, LoginToken, HeaderType, etc). If -token is not passed, function will use last known hashtable generated by New-VPASToken .PARAMETER SearchQuery Search string to find target resource via username, address, safe, platform, etc. Comma separated for multiple fields, or to search all pass a blank value like so: " " .PARAMETER ActiveSessionID Unique ID that maps to the target ActiveSession Supply the ActiveSessionID to skip any querying to find the target ActiveSession .PARAMETER OpenRDPFile Trigger the RDPFile to open by default, rather then just display the RDPFile contents .EXAMPLE $MonitorActiveSessionRDPFile = Watch-VPASActivePSMSession -SearchQuery {SEARCHQUERY VALUE} .EXAMPLE $MonitorActiveSessionRDPFile = Watch-VPASActivePSMSession -ActiveSessionID {ACTIVE SESSION ID VALUE} .OUTPUTS RDPFile if successful $false if failed #> function Watch-VPASActivePSMSession{ [OutputType('System.Object',[bool])] [CmdletBinding()] Param( [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=0)] [String]$SearchQuery, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=1)] [String]$ActiveSessionID, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=2)] [Switch]$OpenRDPFile, [Parameter(Mandatory=$false,ValueFromPipelineByPropertyName=$true,Position=3)] [hashtable]$token ) Begin{ $tokenval,$sessionval,$PVWA,$Header,$ISPSS,$IdentityURL,$EnableTextRecorder,$AuditTimeStamp,$NoSSL,$VaultVersion,$HideWarnings,$AuthenticatedAs,$SubDomain = Get-VPASSession -token $token $CommandName = $MyInvocation.MyCommand.Name $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType COMMAND } Process{ Write-Verbose "SUCCESSFULLY PARSED PVWA VALUE" Write-Verbose "SUCCESSFULLY PARSED TOKEN VALUE" try{ if([String]::IsNullOrEmpty($ActiveSessionID)){ Write-Verbose "NO ACTIVESESSIONID PROVIDED...INVOKING HELPER FUNCTION TO RETRIEVE UNIQUE ACTIVE SESSION ID BASED ON SPECIFIED PARAMETERS" $ActiveSessionID = Get-VPASActiveSessionIDHelper -token $token -SearchQuery $SearchQuery Write-Verbose "RETURNING ACTIVE SESSION ID" } else{ Write-Verbose "ACTIVE SESSION ID SUPPLIED, SKIPPING HELPER FUNCTION" } if($NoSSL){ Write-Verbose "NO SSL ENABLED, USING HTTP INSTEAD OF HTTPS" $uri = "http://$PVWA/PasswordVault/API/LiveSessions/$ActiveSessionID/Monitor/" } else{ Write-Verbose "SSL ENABLED BY DEFAULT, USING HTTPS" $uri = "https://$PVWA/PasswordVault/API/LiveSessions/$ActiveSessionID/Monitor/" } $log = Write-VPASTextRecorder -inputval $uri -token $token -LogType URI $log = Write-VPASTextRecorder -inputval "GET" -token $token -LogType METHOD write-verbose "MAKING API CALL TO CYBERARK" if($sessionval){ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" -WebSession $sessionval } else{ $response = Invoke-RestMethod -Headers @{"Authorization"=$Header} -Uri $uri -Method GET -ContentType "application/json" } Write-Verbose "CONSTRUCTING FILENAME" $tempResponse = $response -split "`r`n" $GUID = $tempResponse[2] -split ":" $tempName = $GUID[2] + "-MONITORING.rdp" Write-Verbose "CREATING RDP FILE" $curUser = $env:UserName $outputPath = "C:\Users\$curUser\Downloads\$tempName" write-output $response | Set-Content $outputPath Write-Verbose "RDP FILE CREATED: $outputPath" if($OpenRDPFile){ write-verbose "OPENING RDP FILE" #Invoke-Expression "mstsc.exe '$outputPath'" Start-Process "$env:windir\system32\mstsc.exe" -ArgumentList "$outputPath" } else{ Write-VPASOutput -str "RDP FILE CREATED: $outputPath" -type M Write-VPASOutput -str "PLEASE NOTE THIS FILE IS VALID FOR ~15 SECONDS ONLY" -type M } $outputlog = $response $log = Write-VPASTextRecorder -inputval $outputlog -token $token -LogType RETURN Write-Verbose "RETURNING RDP FILE CONTENT" return $response }catch{ $log = Write-VPASTextRecorder -inputval $_ -token $token -LogType ERROR $log = Write-VPASTextRecorder -inputval "REST API COMMAND RETURNED: FALSE" -token $token -LogType MISC Write-Verbose "UNABLE TO MONITOR ACTIVE SESSION" Write-VPASOutput -str $_ -type E return $false } } End{ $log = Write-VPASTextRecorder -inputval $CommandName -token $token -LogType DIVIDER } } |