Skip to content

Real time Response

Jump to bottom
bk-cs edited this page Jan 20, 2021 · 27 revisions

NOTE: PSFalcon has a custom command named Invoke-FalconRTR that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results.

Invoke-FalconRTR -Command ls -Arguments C:\Windows -HostIds <id>, <id> [-QueueOffline]

If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands.

NOTE: PSFalcon includes commands for each Real-time Response permission level.

  • Invoke-FalconCommand, Confirm-FalconCommand
  • Invoke-FalconResponderCommand, Confirm-FalconResponderCommand
  • Invoke-FalconAdminCommand, Confirm-FalconAdminCommand

Send Real-time Response commands to a batch of hosts

Start a batch session

$Batch = Start-FalconSession -HostIds <id>, <id>

Send a command using appropriate permissions

Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id

Refresh the session to prevent expiration

NOTE: Required when you expect to exceed the default session expiration time (5 minutes).

Update-FalconSession -BatchId $Batch.batch_id

Send Real-time Response commands to a single host

Start a session

$Session = Start-FalconSession -HostId <id>

Send a command using appropriate permissions

$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id

Retrieve command results

Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id

Refresh the session to prevent expiration

NOTE: Required when you expect to exceed the default session expiration time (10 minutes).

Update-FalconSession -SessionId $Session.session_id

Use Real-time Response to upload and run an executable

NOTE: The command Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics. It is designed to upload a file to your ‘Put’ Files library, create a session with target hosts, push the file to those hosts, then execute it and output the results to CSV.

NOTE: Because Real-time Response does not interact with logged in users, the executable must be able to be run silently and without user interaction.

Invoke-FalconDeploy -HostIds <id>, <id> -Path $pwd\File.exe [-QueueOffline]

Find Real-time Response sessions

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

Get-FalconSession [-Detailed] [-All]

Retrieve detail about Real-time Response sessions

NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

Get-FalconSession -Ids <id>, <id> -Queue

Retrieve detail about queued Real-time Response sessions

NOTE: PSFalcon has a custom command named Get-FalconQueue which will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default). If you wish to get more specific, you can use Get-FalconSession to find queued sessions, and the command below to get detailed information.

Get-FalconQueue [-Days]

Manage Real-time Response scripts

Create a new Real-time Response script

Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group

Find Real-time Response scripts

Get-FalconScript [-Detailed] [-All]

Modify Real-time Response scripts

Edit-FalconScript -Id <id>

Delete Real-time Response scripts

Remove-FalconScript -Ids <id>, <id>

Manage Real-time Response ‘put’ files

Create a new Real-time Response ‘put’ file

Send-FalconPutFile -Path $pwd\File.exe

Find Real-time Response ‘put’ files

Get-FalconPutFile [-Detailed] [-All]

Delete Real-time Response ‘put’ files

Remove-FalconPutFile -Ids <id>

See CrowdStrike API Documentation.

Clone this wiki locally