Real time Response
PSFalcon has a custom command named Invoke-FalconRtr that is designed to perform all the necessary steps to initiate a session with one or more hosts, send a command and output the results. Invoke-FalconRtr can target a single host (-HostId), multiple hosts (-HostIds), or the members of a Host Group (-GroupId).
```powershell
Invoke-FalconRtr -Command ls -Arguments C:\Windows -HostIds <id>, <id>
```
If the hosts you're targeting are currently offline, you can add your Real-time Response commands to the "offline queue" using the -QueueOffline parameter.
```powershell
Invoke-FalconRtr -Command runscript -Arguments "-CloudFile='HelloWorld'" -HostIds <id>, <id> -QueueOffline $true
```
See Upload and execute a local script.
See Upload and execute a local script as a secondary process.
WARNING: This command is not designed for a multi-step Real-time Response workflow and will negatively impact certain operations.
For instance, if you were to cd into a directory and attempt to put a file by running Invoke-FalconRtr twice, Invoke-FalconRtr will reset back to the root of your system drive between the cd and put commands, causing the file to be placed in the wrong directory.
If you find that your script needs to be more complex, you can follow the instructions below to create a custom Real-time Response workflow with multiple commands. PSFalcon includes commands for each Real-time Response permission level.
- Invoke-FalconCommand, Confirm-FalconCommand
- Invoke-FalconResponderCommand, Confirm-FalconResponderCommand
- Invoke-FalconAdminCommand, Confirm-FalconAdminCommand
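The multi-step workflow the warning above asks for, written out as an added example rather than code from the PSFalcon wiki: a single-host session in which each command is confirmed before the next is sent, so the cd is honoured by the put that follows. It assumes PSFalcon is imported and Request-FalconToken has succeeded, that the put file already exists in the 'Put Files' library, and that the confirm result carries complete, stdout and stderr fields as returned by the Real-time Response API; host id, file name and directory are placeholders.

```powershell
# Added example, not from the PSFalcon wiki. Placeholder values:
$HostId      = '<id>'        # target host id
$PutFileName = 'File.exe'    # must already exist in the 'Put Files' library
$TargetDir   = 'C:\Temp'     # directory the file should land in

# Issue one command in the session and poll until the sensor reports it complete.
# 'complete', 'stdout' and 'stderr' are assumed from the Real-time Response API response.
function Invoke-RtrStep {
    param([string]$SessionId, [string]$Command, [string]$Arguments)
    $Req = Invoke-FalconAdminCommand -SessionId $SessionId -Command $Command -Arguments $Arguments
    $Deadline = (Get-Date).AddMinutes(2)
    do {
        Start-Sleep -Seconds 5
        $Result = Confirm-FalconAdminCommand -CloudRequestId $Req.cloud_request_id
    } until ($Result.complete -or (Get-Date) -gt $Deadline)
    if (-not $Result.complete) { throw "'$Command' did not complete before the deadline" }
    if ($Result.stderr) { throw "'$Command' failed: $($Result.stderr)" }
    $Result
}

$Session = Start-FalconSession -HostId $HostId

# Confirming each step is what makes the 'cd' stick for the following 'put';
# Invoke-FalconRtr would reset to the system drive root between the two commands.
$null = Invoke-RtrStep -SessionId $Session.session_id -Command cd -Arguments $TargetDir
$null = Invoke-RtrStep -SessionId $Session.session_id -Command put -Arguments $PutFileName

# Refresh if later steps could push the session past its 10 minute default expiration
Update-FalconSession -SessionId $Session.session_id

# List the target directory to show where the file was placed
(Invoke-RtrStep -SessionId $Session.session_id -Command ls -Arguments $TargetDir).stdout
```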
Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics, but has since been expanded to support more file types. It is designed to upload a file to your 'Put Files' library, create a session with target hosts, push the file to those hosts, then execute it and output the results to CSV. Supported file types via -File or -Archive are: scripts (.ps1, .sh), executables, and archives (zip, tar, or tar.gz).
The files to be pushed to the host will be stored in the tmp directory (c:\windows\temp, /tmp/) under a folder called FalconDeploy_TIMESTAMP/.
NOTE: Because Real-time Response does not interact with logged in users, the executable must be able to be run silently and without user interaction.
```powershell
# Execute File.exe
Invoke-FalconDeploy -HostIds <id>, <id> -Path .\File.exe [-QueueOffline]

# Install Notepad++ with the Silent switch "/S" on a group of machines
Invoke-FalconDeploy -File ./npp.8.2.1.Installer.x64.exe -Argument "/S" -GroupId <groupId>
```
Upload an archive and execute a file inside it:
```shell
# List contents of npp_installer.zip
unzip -l ./npp_installer.zip
Archive:  ./npp_installer.zip
  Length      Date    Time    Name
---------  ---------- -----   ----
  4399816  04-20-2022 09:51   npp.8.2.1.Installer.x64.exe
      173  03-28-2022 12:35   some_other_file.csv
---------                     -------
  4399989                     2 files
```
```powershell
Invoke-FalconDeploy -Archive npp_installer.zip -Run "npp.8.2.1.Installer.x64.exe" -Argument "/S" -HostId <aid>
```
Results will be stored locally in FalconDeploy_TIMESTAMP.csv.
Get-FalconQueue will create a CSV file with information about sessions that have pending queued commands or have been created in the last 7 days (by default).
```powershell
Get-FalconQueue [-Days]
```
A batch session targets multiple hosts and is referenced by its batch_id:
```powershell
# Batch session (multiple hosts)
$Batch = Start-FalconSession -HostIds <id>, <id>
Invoke-FalconCommand -Command ls -Arguments C:\Windows -BatchId $Batch.batch_id
```
NOTE: Refreshing the batch session is required when you expect to exceed the default batch session expiration time (5 minutes).
```powershell
Update-FalconSession -BatchId $Batch.batch_id
```
A single-host session is referenced by its session_id, and each command's result is retrieved with the matching Confirm command:
```powershell
# Single-host session
$Session = Start-FalconSession -HostId <id>
$Command = Invoke-FalconCommand -Command ls -Arguments C:\Windows -SessionId $Session.session_id
Confirm-FalconCommand -CloudRequestId $Command.cloud_request_id
```
NOTE: This step is important! Without retrieving the results from an issued command, the Real-time Response session may not reflect that actions have taken place. For instance, if you cd and don't confirm, you'll stay in your current directory.
NOTE: Refreshing the session is required when you expect to exceed the default expiration time (10 minutes).
```powershell
Update-FalconSession -SessionId $Session.session_id
```
NOTE: Invoke-FalconRtr can be used to initialize a batch session and issue the get command. The results will include the batch_get_cmd_req_id that can be used with Confirm-FalconGetFile to verify the extraction has completed, and then Receive-FalconGetFile can be used to download the file(s).
To download a file from a single host, start with a Real-time Response session:
```powershell
$Init = Start-FalconSession -HostId <id>
```
Follow it with a get command:
```powershell
$Get = Invoke-FalconAdminCommand -SessionId $Init.session_id -Command get -Arguments C:\path\to\file.exe
```
Verify that the extraction of the file has completed:
```powershell
$Confirm = Confirm-FalconGetFile -SessionId $Init.session_id
```
Once the results of Confirm-FalconGetFile contain a SHA256 value (indicating the extraction has completed), you can download the file:
```powershell
Receive-FalconGetFile -Sha256 $Confirm.sha256 -SessionId $Init.session_id -Path C:\path\to\local\download.7z
```
The process is similar for multiple hosts, but uses slightly different commands after starting the session:
```powershell
$Init = Start-FalconSession -HostIds <id>, <id>
```
Send the get command to the session:
```powershell
$Get = Invoke-FalconBatchGet -BatchId $Init.batch_id -FilePath C:\path\to\file.exe
```
Verify that extraction of the files has completed:
```powershell
$Confirm = Confirm-FalconGetFile -BatchGetCmdReqId $Get.batch_get_cmd_req_id
```
The upload from the host has completed once the file has populated sha256 and created_at values. You can use the sha256 and session_id values to download the files. In the following example, each file is downloaded and saved in your local directory, using the aid and sha256 values to name the archive.
```powershell
$Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
    $Param = @{
        Sha256 = $_.sha256
        SessionId = $_.session_id
        Path = ".\$($_.aid)_$($_.sha256).7z"
    }
    Receive-FalconGetFile @Param
}
```
You can re-run the previous command examples (Confirm-FalconGetFile and Receive-FalconGetFile) repeatedly to download additional files as their uploads complete from each individual host.
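Re-running the confirm and download steps by hand is tedious for a large batch, so here is the same multi-host get carried through as a polling loop. This is an added example, not code from the PSFalcon wiki: it assumes PSFalcon is imported and Request-FalconToken has succeeded, uses placeholder host ids and file path, downloads each host's archive only once, keeps the batch session refreshed so it does not expire during a long wait, and stops at a timeout instead of looping forever.

```powershell
# Added example, not from the PSFalcon wiki. Placeholder values:
$HostIds  = '<id>', '<id>'            # target host ids
$FilePath = 'C:\path\to\file.exe'     # path of the file on the hosts
$Timeout  = (Get-Date).AddMinutes(10) # stop polling after this
$Done     = @{}                       # session_id -> local archive path

$Init = Start-FalconSession -HostIds $HostIds
$Get  = Invoke-FalconBatchGet -BatchId $Init.batch_id -FilePath $FilePath

do {
    Start-Sleep -Seconds 15
    # Keep the batch session alive; it expires after 5 minutes by default
    Update-FalconSession -BatchId $Init.batch_id

    $Confirm = Confirm-FalconGetFile -BatchGetCmdReqId $Get.batch_get_cmd_req_id
    $Confirm | Where-Object { $_.sha256 -and $_.created_at -and $_.session_id } | ForEach-Object {
        # A populated sha256 means this host's upload is complete; download it once
        if (-not $Done.ContainsKey($_.session_id)) {
            $Local = ".\$($_.aid)_$($_.sha256).7z"
            Receive-FalconGetFile -Sha256 $_.sha256 -SessionId $_.session_id -Path $Local
            $Done[$_.session_id] = $Local
        }
    }
    # Hosts not yet downloaded are still uploading (or were never reached, e.g. offline)
    $Pending = $HostIds.Count - $Done.Count
} until ($Pending -le 0 -or (Get-Date) -gt $Timeout)

if ($Pending -gt 0) {
    Write-Warning "$Pending host(s) had not finished uploading before the timeout; re-run Confirm-FalconGetFile later"
}
# Report what was retrieved
$Done.GetEnumerator() | ForEach-Object { "$($_.Key): $($_.Value)" }
```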
NOTE: Only sessions created by your OAuth2 API Client will be visible using the following commands.
```powershell
# Sessions
Get-FalconSession [-Detailed] [-All]
Get-FalconSession -Ids <id>, <id> [-Queue]

# Scripts
Send-FalconScript -Path $pwd\hello_world.ps1 -Platform windows -PermissionType group
Get-FalconScript [-Detailed] [-All]
Edit-FalconScript -Id <id>
Remove-FalconScript -Ids <id>, <id>

# Put Files
Send-FalconPutFile -Path .\File.exe
Get-FalconPutFile [-Detailed] [-All]
Remove-FalconPutFile -Ids <id>
```