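# Installs the orborus sensor agent on Windows: downloads the release binary into
# %ProgramData%\orborus, writes a .bat wrapper around it and registers that wrapper
# as a scheduled task that runs at boot. Requires elevation; re-launches itself
# via RunAs when not elevated.

# Force TLS 1.2 for the downloads below (older .NET defaults may negotiate weaker protocols).
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# ===== elevation check =====
$principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
$isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    # NOTE(review): the -Uri for `iwr` appears to have been stripped from this template;
    # as written the elevated window prompts for a Uri instead of re-running the installer.
    Start-Process powershell -Verb RunAs -ArgumentList @(
        "-NoProfile",
        "-ExecutionPolicy", "Bypass",
        "-Command", "iwr | iex"
    )
    # Was `Write-Host "...", exit 1`: the stray comma turned `exit` into another
    # Write-Host argument, so the un-elevated instance kept running the install.
    Write-Host "started sensor installation in a new elevated PowerShell window. Please follow the prompts there to complete installation."
    exit 1
}

$ErrorActionPreference = "Stop"

# ===== injected config (from cfg) =====
# NOTE(review): $AUTH is a credential. It is interpolated into the .bat wrapper
# (readable by Users, see icacls below) and into the scheduled task's command line,
# so it is visible to every local user and to process-listing tools. Prefer reading
# it from a file readable only by SYSTEM.
$BASE_URL = "https://shuffler.io"
$QUEUE = "default"
$AUTH = "cb5st3d3Z!3X3zaJ*Pc"
$ORG_ID = ""
$SOFTWARE_LIST_ENABLED = "true"
$CODE_SCANNER_ENABLED = "false"
$HD_ENCRYPTED_CHECK = "true"
$SCREENLOCK_CHECK = "true"
$RESPONSE_ACTIONS = "full"
$LOG_FORWARDING = ""

# ===== install paths =====
$INSTALL_DIR = "$env:ProgramData\orborus"
New-Item -ItemType Directory -Force -Path $INSTALL_DIR | Out-Null

# ===== arch detection =====
if ($env:PROCESSOR_ARCHITECTURE -eq "AMD64") {
    $ARCH = "amd64"
} elseif ($env:PROCESSOR_ARCHITECTURE -eq "ARM64") {
    $ARCH = "arm64"
} else {
    Write-Error "Unsupported architecture: $env:PROCESSOR_ARCHITECTURE"
    exit 1
}

$BIN_URL = "https://github.com/Shuffle/orborus/releases/latest/download/orborus-agent-windows-$ARCH.exe"
$BIN_PATH = Join-Path $INSTALL_DIR "orborus-agent.exe"

# Standard users only need to read the directory. The binary and wrapper ACLs are
# applied after those files exist; icacls on a not-yet-downloaded path only errors.
icacls $INSTALL_DIR /grant Users:R

# Remove the old task and stop any running agent first: the binary is replaced
# below and cannot be overwritten while it is executing.
$SERVICE_NAME = "orborus-agent"
echo "Deleting old sensor"
schtasks /Delete /TN $SERVICE_NAME /F
$p = Get-Process -Name "orborus-agent" -ErrorAction SilentlyContinue
if ($p) { $p | Stop-Process -Force }
Start-Sleep -Seconds 2

# ===== download =====
# NOTE(review): nothing verifies the downloaded binary (no hash or Authenticode
# check) before it is scheduled to run as SYSTEM at every boot. Confirm the release
# is signed and consider Get-AuthenticodeSignature on $BIN_PATH before continuing.
Write-Host "Downloading binary from $BIN_URL to $BIN_PATH..."
try {
    Write-Host "Downloading via BITS..."
    Start-BitsTransfer -Source $BIN_URL -Destination $BIN_PATH -ErrorAction Stop
} catch {
    # Under $ErrorActionPreference = "Stop" a failure here terminates the script.
    Write-Host "BITS failed, falling back to Invoke-WebRequest..."
    Invoke-WebRequest -Uri $BIN_URL -OutFile $BIN_PATH -UseBasicParsing -MaximumRedirection 10
}
icacls $BIN_PATH /grant Users:RX

# ===== service =====
# Wraps a value in double quotes when it contains whitespace. Currently unused:
# the loop below inlines the same logic plus an "already quoted" check.
function Escape-ArgValue($v) {
    if ($v -match "\s") { return '"' + $v + '"' }
    return $v
}

# Renamed from $ARGS: $args is a PowerShell automatic variable and assigning to it
# shadows the script's own positional arguments.
$AGENT_ARGS = @()
$AGENT_ARGS += "--sensor_mode=true"
if ($BASE_URL) { $AGENT_ARGS += "--base_url=$BASE_URL" }
if ($QUEUE) { $AGENT_ARGS += "--queue=$QUEUE" }
if ($AUTH) { $AGENT_ARGS += "--auth=$AUTH" }
if ($ORG_ID) { $AGENT_ARGS += "--org_id=$ORG_ID" }

# Removed as they made the command more than 260 characters (hard limit)
# These are now being enabled by default.
#if ($SOFTWARE_LIST_ENABLED -eq "true") { $AGENT_ARGS += "--software_list_enabled=true" }
#if ($SOFTWARE_LIST_ENABLED -eq "false") { $AGENT_ARGS += "--software_list_enabled=false" }
#if ($HD_ENCRYPTED_CHECK -eq "true") { $AGENT_ARGS += "--hd_encrypted_check=true" }
#if ($SCREENLOCK_CHECK -eq "true") { $AGENT_ARGS += "--screenlock_check=true" }

if ($RESPONSE_ACTIONS) { $AGENT_ARGS += "--response_actions=$RESPONSE_ACTIONS" }
if ($LOG_FORWARDING) { $AGENT_ARGS += "--log_forwarding=$LOG_FORWARDING" }

# Quote any --key=value whose value contains whitespace (and is not already quoted)
# so the .bat wrapper passes it to the agent as a single token.
for ($i = 0; $i -lt $AGENT_ARGS.Count; $i++) {
    if ($AGENT_ARGS[$i] -match '=') {
        $parts = $AGENT_ARGS[$i] -split '=', 2
        $key = $parts[0]
        $val = $parts[1]
        if ($val -match '\s' -and $val -notmatch '^".*"$') {
            $val = '"' + $val + '"'
        }
        $AGENT_ARGS[$i] = "$key=$val"
    }
}
$AGENT_ARGS = $AGENT_ARGS -join " "

# ===== create service =====
$WRAPPER = Join-Path $INSTALL_DIR "run-orborus.bat"
echo "Writing bat file to $WRAPPER"
New-Item -ItemType File -Path $WRAPPER -Force | Out-Null

# Pre-prep: the wrapper cd's into the install dir so the log files land there.
$line2 = "cd /d " + '"' + $INSTALL_DIR + '"'
$line4 = 'start "" ' + '"' + $BIN_PATH + '"' + " " + $AGENT_ARGS + " >> orborus.log 2>&1"
Add-Content $WRAPPER "@echo off"
Add-Content $WRAPPER $line2
Add-Content $WRAPPER "echo STARTED >> debug.log"
Add-Content $WRAPPER $line4
Add-Content $WRAPPER "echo EXIT CODE %ERRORLEVEL% >> debug.log"

## Give exec permissions as user (applied after the file exists)
icacls $WRAPPER /grant Users:RX

echo "Starting scheduled task"
$PARSED_WRAPPER = '"' + $WRAPPER + '"'

# IF you want to run it without admin permissions, don't set /RU SYSTEM here
# Problem is then it's controllable by users too. That's fine for now.
# NOTE(review): since the wrapper runs as SYSTEM at boot, neither the directory nor
# the .bat may be writable by standard users — confirm the ACL inherited from
# ProgramData does not grant Users create/write on this folder.
$RUN_AS_ROOT = "true"
if ($RUN_AS_ROOT -eq "true") {
    echo "Running as root (default) - admin=false to disable"
    schtasks /Create /TN $SERVICE_NAME /TR "$PARSED_WRAPPER" /SC ONSTART /RU "SYSTEM" /RL HIGHEST /F
} else {
    echo "Running as normal $env:USERNAME"
    schtasks /Create /TN $SERVICE_NAME /TR "$PARSED_WRAPPER" /SC ONSTART /RL HIGHEST /F
}
# schtasks is a native command: a non-zero exit code alone does not stop the
# script under $ErrorActionPreference = "Stop", so check it instead of reporting
# success unconditionally.
if ($LASTEXITCODE -ne 0) {
    Write-Error "schtasks /Create failed with exit code $LASTEXITCODE"
    exit 1
}

echo "Running service"
schtasks /Run /TN $SERVICE_NAME
Write-Host "orborus-agent installed"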