Real time Response
PSFalcon has a custom command named `Invoke-FalconRtr` that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results. `Invoke-FalconRtr` can target a single host (`-HostId`), multiple hosts (`-HostIds`), or the members of a Host Group (`-GroupId`).
```powershell
Invoke-FalconRtr -Command ls -Arguments C:\Windows -HostIds <id>, <id>
```
If the hosts you're targeting are currently offline, you can add your Real-time Response commands to the "offline queue" using the `-QueueOffline` parameter.

```powershell
Invoke-FalconRtr -Command runscript -Arguments "-CloudFile='HelloWorld'" -HostIds <id>, <id> -QueueOffline $true
```
See Upload and execute a local script.
See Upload and execute a local script as a secondary process.
WARNING: This command is not designed for a multi-step Real-time Response workflow and will negatively impact certain operations. For instance, if you were to `cd` into a directory and attempt to `put` a file by running `Invoke-FalconRtr` twice, `Invoke-FalconRtr` will reset back to the root of your system drive between the `cd` and `put` commands, causing the file to be placed in the wrong directory.
If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands. PSFalcon includes commands for each Real-time Response permission level.

- `Invoke-FalconCommand`, `Confirm-FalconCommand`
- `Invoke-FalconResponderCommand`, `Confirm-FalconResponderCommand`
- `Invoke-FalconAdminCommand`, `Confirm-FalconAdminCommand`
`Invoke-FalconDeploy` was developed to support mass-deployment of Falcon Forensics, but has since been expanded to support additional file types. It is designed to upload a file to your 'Put Files' library, create a session with target hosts, push the file to those hosts, then execute it (after expanding archives, when appropriate) and output the results to CSV.

The `-File` and `-Run` parameters accept executables or scripts (`.ps1`, `.sh`, `.zsh`) while `-Archive` accepts `.zip`, `.tar`, `.tar.gz` or `.tgz`.

Files to be delivered to the host will be stored in the appropriate temporary directory (`C:\Windows\Temp` or `/tmp`) under a unique folder each time the command is run (`FalconDeploy_<FileDateTime>`).
NOTE: Because Real-time Response does not interact with logged in users, the executable must be able to be run silently and without user interaction.
```powershell
Invoke-FalconDeploy -File .\File.exe -HostId <id>, <id> [-QueueOffline]
```

```powershell
Invoke-FalconDeploy -File ./npp.8.2.1.Installer.x64.exe -Argument '/S' -GroupId <groupId>
```
```text
Archive: ./npp_installer.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
  4399816  04-20-2022 09:51   npp.8.2.1.Installer.x64.exe
      173  03-28-2022 12:35   some_other_file.csv
---------                     -------
  4399989                     2 files
```

```powershell
Invoke-FalconDeploy -Archive npp_installer.zip -Run "npp.8.2.1.Installer.x64.exe" -Argument "/S" -HostId <id>
```
Results will be output to `FalconDeploy_<FileDateTime>.csv` within your local directory.
`Get-FalconQueue` will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default).

```powershell
Get-FalconQueue [-Days]
```
```powershell
$Batch = Start-FalconSession -HostIds <id>, <id>
Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id
```

NOTE: Required when you expect to exceed the default batch session expiration time (5 minutes).

```powershell
Update-FalconSession -BatchId $Batch.batch_id
```
```powershell
$Session = Start-FalconSession -HostId <id>
$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id
Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id
```

NOTE: This step is important! Without retrieving the results from an issued command, the Real-time Response session may not reflect that actions have taken place. For instance, if you `cd` and don't confirm, you'll stay in your current directory.

NOTE: Refreshing the session is required when you expect to exceed the default expiration time (10 minutes).

```powershell
Update-FalconSession -SessionId $Session.session_id
```
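The multi-step workflow that the warning above says `Invoke-FalconRtr` cannot do (a `cd` followed by a `put`), carried out in a single session with the confirm-after-each-command pattern just described. This is an added example, not PSFalcon's own code; it assumes a token has already been requested, that `File.exe` has been added to 'Put Files' with `Send-FalconPutFile`, and that the `Confirm-FalconAdminCommand` output carries `complete`, `stdout` and `stderr` properties (assumed from the Real-time Response API response).

```powershell
# Added example (not part of PSFalcon): cd + put + ls in ONE Real-time Response session.
# Assumes: Request-FalconToken already run; 'File.exe' already in the Put Files library;
# Confirm-* output exposes 'complete', 'stdout' and 'stderr' (assumed from the RTR API).
param(
    [Parameter(Mandatory)][string]$HostId,          # target Agent ID (aid)
    [string]$TargetDir = 'C:\Windows\Temp',
    [string]$PutFile   = 'File.exe'
)

function Wait-RtrCommand {
    # Poll Confirm-FalconAdminCommand until the host reports the command complete.
    # Confirming is also what makes the session record a 'cd' (see the NOTE above).
    param([string]$CloudRequestId, [int]$TimeoutSec = 120)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        $result = Confirm-FalconAdminCommand -CloudRequestId $CloudRequestId
        if ($result.complete) { return $result }
        Start-Sleep -Seconds 2
    } while ((Get-Date) -lt $deadline)
    throw "Timed out waiting for cloud_request_id $CloudRequestId"
}

# 1. One session for every step, so the working directory persists between commands.
$Session = Start-FalconSession -HostId $HostId

# 2. Change directory and confirm before issuing anything else.
$Cd = Invoke-FalconAdminCommand -SessionId $Session.session_id -Command cd -Arguments $TargetDir
$CdResult = Wait-RtrCommand -CloudRequestId $Cd.cloud_request_id
if ($CdResult.stderr) { throw "cd failed: $($CdResult.stderr)" }

# 3. Refresh the session in case the steps so far approached the 10-minute expiry.
Update-FalconSession -SessionId $Session.session_id | Out-Null

# 4. 'put' the library file; it lands in $TargetDir because the 'cd' above was confirmed.
$Put = Invoke-FalconAdminCommand -SessionId $Session.session_id -Command put -Arguments $PutFile
$PutResult = Wait-RtrCommand -CloudRequestId $Put.cloud_request_id
if ($PutResult.stderr) { throw "put failed: $($PutResult.stderr)" }

# 5. Verify with 'ls' that the file now exists where it was expected.
$Ls = Invoke-FalconAdminCommand -SessionId $Session.session_id -Command ls -Arguments $TargetDir
(Wait-RtrCommand -CloudRequestId $Ls.cloud_request_id).stdout
```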
NOTE: `Invoke-FalconRtr` can be used to initialize a batch session and issue the `get` command. The results will include the `batch_get_cmd_req_id` that can be used with `Confirm-FalconGetFile` to verify the extraction has completed, and then `Receive-FalconGetFile` can be used to download the file(s).
To download a file from a single host, start with a Real-time Response session:

```powershell
$Init = Start-FalconSession -HostId <id>
```

Follow it with a `get` command:

```powershell
$Get = Invoke-FalconAdminCommand -SessionId $Init.session_id -Command get -Arguments C:\path\to\file.exe
```

Verify that the extraction of the file has completed:

```powershell
$Confirm = Confirm-FalconGetFile -SessionId $Init.session_id
```

Once the results of `Confirm-FalconGetFile` contain a SHA256 value (indicating the extraction has completed), you can download the file:

```powershell
Receive-FalconGetFile -Sha256 $Confirm.sha256 -SessionId $Init.session_id -Path C:\path\to\local\download.7z
```
The process is similar for multiple hosts, but uses slightly different commands after starting the session:

```powershell
$Init = Start-FalconSession -HostIds <id>, <id>
```

Send the `get` command to the session:

```powershell
$Get = Invoke-FalconBatchGet -BatchId $Init.batch_id -FilePath C:\path\to\file.exe
```

Verify that extraction of the files has completed:

```powershell
$Confirm = Confirm-FalconGetFile -BatchGetCmdReqId $Get.batch_get_cmd_req_id
```

The upload from the host has completed once the file has populated `sha256` and `created_at` values. You can use the `sha256` and `session_id` values to download the files, and in the following example, each file will be downloaded and saved in your local directory, using the `sha256` and `aid` values to name the archive.

```powershell
$Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
    $Param = @{
        Sha256    = $_.sha256
        SessionId = $_.session_id
        Path      = ".\$($_.aid)_$($_.sha256).7z"
    }
    Receive-FalconGetFile @Param
}
```
You can re-run the previous command examples (`Confirm-FalconGetFile` and `Receive-FalconGetFile`) repeatedly to download additional files as their uploads complete from each individual host.
NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.

```powershell
Get-FalconSession [-Detailed] [-All]
Get-FalconSession -Ids <id>, <id> [-Queue]
```
```powershell
Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group
Get-FalconScript [-Detailed] [-All]
Edit-FalconScript -Id <id>
Remove-FalconScript -Ids <id>, <id>
```

```powershell
Send-FalconPutFile -Path .\File.exe
Get-FalconPutFile [-Detailed] [-All]
Remove-FalconPutFile -Ids <id>
```