[BUG] Invoke-FalconRtr - Empty 'stdout' with 'runscript' #190
Comments
|
In v2.1.8, In testing, it only seemed to successfully convert to Json when appropriate, but I just tried your script and a few other Can you please replace your https://raw.githubusercontent.com/CrowdStrike/psfalcon/master/Public/psf-real-time-response.ps1 Thank you, and I'm sorry for causing the negative impact. Hopefully it's a quick fix! |
bk-cs
changed the title
|
I seem to be impacted by this as well. invoke-rtr command I have been running are not returning anything in stdout. This did return all the members of the local aministrator group: Now, stdout is empty. I tried the updated psf-real-time-response.ps1 file and does not seem to help unless I am missing something. Thanks |
After replacing the file in your local module directory, you have to restart PowerShell to get it to work. Replacing the file without completely unloading and reloading the module wouldn't make a difference. You should also get into the habit of forcing PowerShell output into strings in order to help ensure Real-time Response compatibility. If the reloading of PowerShell didn't fix your issue, can you try forcing string output for
I verified that the fix that I applied did solve the original user's problem by testing it on my own devices. |
|
Thanks for the reply. I must be missing a step here needed to update this file... when I try to import the module with the new file, I get an error that the file is not signed. Do I need to set an execution policy? I do have the PowerShell output going into a string... I just did show that in my example. Thanks, |
No, I think the issue is how you're replacing the file. The signature in the PSFalcon module only comes in to play with the module manifest ( If you followed the PowerShell Gallery installation instructions and you're running on Windows in PowerShell 5.1, it should be as simple as doing this: Once complete, you can restart PowerShell and |
|
Thanks very much for the "how-to". I am back operational again. Dan |
|
Thank you, this worked! I appreciate the help from both of you to assist me. |
|
Reopening for other users until next release. |
|
Created v2.1.9 release on GitHub that includes this fix. Once added to the PowerShell Gallery, I'll close this issue. |
|
v2.1.9 is now available on the PowerShell Gallery. |
Description of your question
Our aim is to be able to run a script which can RTR on multiple machines to generate file hashes for files and find the file based on a specific MD5 hash. the issue we are running into is that when the RTR command is run on the local machine we are able to return the path of the file confirming all aspects of the RTR are correct. however when we try to run this on a jump host using the Invoke-RTR command through PSFalcon we do not get any output. We added the Error suppression and that helped when running the RTR command on the local machine but provides no output for when run on the jumphost where it should output the path as similar to the local machine.
$res = Invoke-FalconRtr -Command runscript -Arguments '-Raw=```Get-ChildItem -EA SilentlyContinue -Path C:\users\ -File -Recurse | Get-FileHash -Algorithm MD5 -EA SilentlyContinue | Where-Object hash -eq D3154F18B6D99B2AEC1259279B6D871C | Select path```' -Timeout '240' -HostIds 'd2b5a5d9f1934247b43d901a8cc45324'Environment (please complete the following information):
The text was updated successfully, but these errors were encountered: