Real-time Response API Script for CrowdStrike Falcon Platform using Python and FalconPy Library on Host Group

[NSH531]

Hi everyone,

I wanted to share a Python script I created using the FalconPy library for the CrowdStrike Falcon Platform. The script allows you to run an executable file on multiple hosts in a host group.

Here's how it works:

First, the script retrieves a list of host groups from the Falcon platform using the Hosts class in the falconpy.hosts module. It then extracts the host group IDs from the list.

Next, the script retrieves a list of hosts in the specified host group using the query_hosts_by_group_id method of the HostGroup class in the falconpy.hosts module. It then extracts the host IDs from the list.

The script then encodes the contents of the executable file as a base64 string using the base64 module in Python.

It then builds the command to run the executable file using the cmd command in Windows. The command includes the decoded base64 string of the executable file and the path where the file will be saved on the remote host.

Finally, the script creates a new instance of the RealTimeResponse class in the falconpy.real_time_response module and executes the command on the remote hosts in the specified host group using the execute_command method.

Note that you'll need to update the creds dictionary with your own CrowdStrike API client ID and secret.

Here's the script:

import base64,sys
import falconpy
from falconpy.real_time_response import RealTimeResponse
from falconpy.hosts import Hosts

host_group_client = falconpy.HostGroup(creds=dict(client_id=sys.argv[3],client_secret=sys.argv[4]))

# Retrieve a list of host groups from the Falcon platform
host_groups = host_group_client.get_host_groups(limit=100)

# Extract the host group IDs from the list of host groups
host_group_ids = [host_group["id"] for host_group in host_groups["resources"]]
x = 0
for i in host_group_ids:
    print(f'{x}:{i}')
    x += 1

# Retrieve a list of hosts in the specified host group
host_list = host_group_client.query_hosts_by_group_id(
    group_id=host_group_ids[0], limit=100)

# Extract the host IDs from the list of hosts
host_ids = [host["device_id"] for host in host_list["resources"]]
x = 0
for i in host_ids:
    print(f'{x}:{i}')
    x += 1

# Specify the path to the executable file on the remote host
exe_path = sys.argv[1]

# Encode the contents of the executable file as a base64 string
with open(exe_path, "rb") as f:
    exe_content = f.read()
exe_b64 = base64.b64encode(exe_content).decode()

# Build the command to run the executable file
command = f"cmd /c echo {exe_b64} | base64 -d > {exe_path} & start {exe_path}"

# Create a new instance of the Real Time Response API client
rtr_client = falconpy.RealTimeResponse(creds=creds)

# Execute the command on the remote hosts in the specified host group
for host_id in host_ids:
    response = rtr_client.execute_command(command, host_id)
    print(response)
#Note that you'll need to update the creds dictionary with your own CrowdStrike API client ID and secret. Also

thanks,
nate