Comments (12)
I noticed that the endpoint that is being called on the console is different than the one used in Falconpy.
The console uses "falcon.crowdstrike.com/api2/remote-response/entities/command/v1"
Falconpy uses "api.crowdstrike.com/real-time-response/entities/active-responder-command/v1"
I have tried the following values in addition.
"command_string": "runscript -Raw=gci /
" 400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw, value: gci /'}]" "command_string": "runscript -Raw=ls /
" 400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw, value: ls /'}]" "command_string": "runscript -Raw gci /
" 400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw'},
from falconpy.
Hello!
- The console UX API is not the same API, so the endpoints won't line up. FalconPy does not currently support the UX API.
- I mocked together a quick test case, and am getting 201s when I make these calls. I'm not sure if this matches your environment / use case though.
- NOTE: My test key had RTR and RTR-Admin READ/WRITE.
import json
from falconpy import api_complete as FalconSDK

# Placeholders: substitute the client ID / secret of the API key
# (this test key had RTR and RTR-Admin READ/WRITE).
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id_here,
    'client_secret': falcon_client_secret_here
    }
)

# Open an RTR session against the host (device_id is the host AID)
BODY = {
    'device_id': 'DEVICE_ID_GOES_HERE'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

# runscript with an inline (-Raw) script wrapped in triple backticks
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

# Plain ls through the same operation, for comparison
BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))
First result
{
"status_code": 201,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "262",
"Content-Type": "application/json",
"Date": "Mon, 15 Feb 2021 17:24:15 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5997"
},
"body": {
"meta": {
"query_time": 0.136629922,
"powered_by": "empower-api",
"trace_id": "45efe752-912d-40af-b790-ee8daca60067"
},
"resources": [
{
"session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
"cloud_request_id": "f34b2cbc-eeb7-40f6-8d96-fbf47ff6d30b",
"queued_command_offline": false
}
],
"errors": null
}
}
Second result
{
"status_code": 201,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "263",
"Content-Type": "application/json",
"Date": "Mon, 15 Feb 2021 17:24:15 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5996"
},
"body": {
"meta": {
"query_time": 0.059785859,
"powered_by": "empower-api",
"trace_id": "c058de02-cd8f-4c8c-b82b-50a9dd388e6d"
},
"resources": [
{
"session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
"cloud_request_id": "be3faa14-d219-47f0-b05c-342cd6c7c889",
"queued_command_offline": false
}
],
"errors": null
}
}
Can you provide us a sample of the code you are trying to execute? (Don't forget to sanitize keys / IDs from your post.) 😄
import json
from falconpy import api_complete as FalconSDK

# Credentials redacted for the post
falcon_client_id = "<fortesting>"
falcon_client_secret = "<fortesting>"
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
    }
)

# Authenticate up front so a bad key is reported before any RTR call
try:
    falcon.authenticate()
except Exception as exc:
    print(f"failed to authenticate: {exc}")

# Open an RTR session against the host
BODY = {
    'device_id': '<Device_id>'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

# runscript with an inline (-Raw) script
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

# Plain ls for comparison
BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))
with a response of
{
"status_code": 400,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "213",
"Content-Type": "application/json",
"Date": "Mon, 15 Feb 2021 20:26:10 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5998"
},
"body": {
"meta": {
"query_time": 0.007503424,
"powered_by": "empower-api",
"trace_id": "e0dddb05-f3a9-4e8b-bd54-6dc2a43de6d0"
},
"resources": [],
"errors": [
{
"code": 40014,
"message": "Unrecognized flag found: Raw, value: gci /"
}
]
}
}
second one
{
"status_code": 201,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "263",
"Content-Type": "application/json",
"Date": "Mon, 15 Feb 2021 20:42:26 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5997"
},
"body": {
"meta": {
"query_time": 0.077975362,
"powered_by": "empower-api",
"trace_id": "87a3bac9-94bc-42e5-bcdf-e43fc934f48b"
},
"resources": [
{
"session_id": "581e002d-6129-48d8-b924-cb0635f595e5",
"cloud_request_id": "6aa2407a-262d-4dd5-890c-c97004ceb92c",
"queued_command_offline": false
}
],
"errors": null
}
}
That's really strange, when I run the code above, this is the response I'm receiving:
{
"status_code": 201,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "264",
"Content-Type": "application/json",
"Date": "Mon, 15 Feb 2021 20:36:57 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5997"
},
"body": {
"meta": {
"query_time": 0.067345881,
"powered_by": "empower-api",
"trace_id": "e72bb697-f9ae-4f1d-85b7-04c2b33bfb91"
},
"resources": [
{
"session_id": "f14d86b1-f082-4150-a3c6-7d9af020c8e6",
"cloud_request_id": "fc7b7c3a-0b19-492e-91bb-af13ad9435f8",
"queued_command_offline": false
}
],
"errors": null
}
}
I only have RTR Read/Write and RTR-Admin Read enabled on the API key at the moment.
A few more questions:
- Does this happen with all devices you try to start a session with?
- Does this happen if you just call ls instead of the raw call to GCI?
- Looks like ls does work.
- Anything else you can think of that might be impacting?
- Are you executing from a console prompt or via an IDE like VSCode?
- Any proxies involved ?
- What version of FalconPy? (Updated package, v.0.3.0 released today.)
- Tried a secondary API key with only those perms
- Tried a different device
- Installed latest
- Executing from an interactive Python shell
- Am using a proxy
- "command_string": "runscript -Raw=```gci /```"
- Changing gci to ls gets "Unrecognized flag" (still)
- ls will work because it's a built in command for the shell
- ls is baked into the shell used more for a test of functionality
Just re-confirmed; command_string has to make use of the triple-backticks and should include the equals.
BODY = {
"base_command": "runscript",
"command_string": "runscript -Raw=```gci /```",
"session_id": sessionid
}
Correct code is exactly the same.
Curious if you are attempting from a Windows, Mac, or nix env?
Attempted the same code on an Ubuntu box in a Python shell, same results.
Was able to recreate the error and in the process of researching the issue, I believe I've discovered the problem.
A couple of notes:
- I have been testing from Windows, MacOS and Linux
- I have been testing commands TO Windows and Linux instances
- I'm using Python 3.9 and FalconPy 0.3.0
- API key has RTR and RTR-Admin READ/WRITE
Since runscript allows responders to execute any script, including dynamically generated ones, you cannot execute this command using the RTR-ExecuteActiveResponderCommand operation. You will need to use the RTR-Admin API and make use of the RTR-ExecuteAdminCommand operation. This also means your API key will need WRITE to RTR-Admin.
Example
import json
from falconpy import api_complete as FalconSDK

# Placeholders: the API key needs RTR-Admin WRITE for this to succeed
falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id_here,
    'client_secret': falcon_client_secret_here
    }
)

# Open an RTR session against the host (device_id is the host AID)
BODY = {
    'device_id': 'HOST_AID_GOES_HERE'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

# runscript must go through the RTR-Admin operation, not the active responder one
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteAdminCommand', body=BODY)
print(json.dumps(response, indent=4))
Result
{
"status_code": 201,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "264",
"Content-Type": "application/json",
"Date": "Fri, 19 Feb 2021 02:30:31 GMT",
"X-Cs-Region": "us-1",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5995"
},
"body": {
"meta": {
"query_time": 0.068811425,
"powered_by": "empower-api",
"trace_id": "de27b54b-34b5-4ca7-9599-71a405eae5e2"
},
"resources": [
{
"session_id": "9fc07322-a524-4910-8885-ce97230f7065",
"cloud_request_id": "84789879-a5c2-4113-b87b-817f82aef3f7",
"queued_command_offline": false
}
],
"errors": null
}
}
Could you test from your side and let us know the results?
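The two findings in this thread (the command string must be `runscript -Raw=` followed by the triple-backtick-wrapped script, and runscript is only accepted by RTR-ExecuteAdminCommand) are worth encoding once rather than rediscovering per script. The following is an added example of my own, not FalconPy project code and not code posted in the thread. It routes a command to the operation that can accept it, builds the -Raw command string (refusing scripts that contain the delimiter, an assumption about how the API parses it), and interprets the 201/400 responses. StubHarness is a constructed stand-in for falconpy's APIHarness that replays only the behaviour observed above, so the block runs offline; pass a real APIHarness in its place to run it for real. The operation IDs and body fields are the ones used in the thread; the ADMIN_ONLY set contains only what the thread establishes and is an assumption to extend from the RTR documentation. Keep in mind what RTR-Admin WRITE grants: `runscript -Raw` is arbitrary code execution on every host the key can reach, so the key should exist only where that is needed and the returned cloud_request_id should be logged for audit.

```python
"""
Added example (not FalconPy project code, not from the thread): choose the
RTR operation for a command, build a valid `runscript -Raw=` string and
interpret the response, against a constructed stub of APIHarness.
"""

# The delimiter is built by repetition so the literal never appears in this
# block; the resulting command string is runscript -Raw=<three backticks>script<three backticks>.
RAW_DELIM = "`" * 3

ADMIN_OP = "RTR-ExecuteAdminCommand"
ACTIVE_RESPONDER_OP = "RTR-ExecuteActiveResponderCommand"

# Base commands that need the admin operation. The thread establishes
# runscript; anything not listed is sent to the active responder operation
# (assumption: extend this set from the RTR documentation for your tenant).
ADMIN_ONLY = frozenset({"runscript"})


def is_valid_raw_script(script: str) -> bool:
    """A -Raw script must be non-empty and must not contain the delimiter
    (assumption: the API would treat the first closing delimiter as the end)."""
    return bool(script.strip()) and RAW_DELIM not in script


def raw_runscript(script: str) -> str:
    """Build the form the thread confirms works: `runscript -Raw=` directly
    followed by the delimiter-wrapped script (equals sign included)."""
    if not is_valid_raw_script(script):
        raise ValueError("script is empty or contains the -Raw delimiter")
    return f"runscript -Raw={RAW_DELIM}{script}{RAW_DELIM}"


def base_command_of(command_string: str) -> str:
    """First token of the command string, e.g. 'runscript' or 'ls'."""
    return command_string.split(maxsplit=1)[0]


def operation_for(command_string: str) -> str:
    """Pick the FalconPy operation ID that can accept this command."""
    return ADMIN_OP if base_command_of(command_string) in ADMIN_ONLY else ACTIVE_RESPONDER_OP


def build_body(session_id: str, command_string: str) -> dict:
    """Request body in the shape of the thread's working examples."""
    return {
        "base_command": base_command_of(command_string),
        "command_string": command_string,
        "session_id": session_id,
    }


def init_session(falcon, device_id: str) -> str:
    """Open an RTR session to the host (device_id is the host AID)."""
    resp = falcon.command(action="RTR-InitSession", body={"device_id": device_id})
    return resp["body"]["resources"][0]["session_id"]


def execute(falcon, session_id: str, command_string: str) -> dict:
    """Submit through the appropriate operation and summarize the outcome.
    A 201 only means the command was queued; keep cloud_request_id, it is
    the key for fetching the output later and for the audit trail."""
    op = operation_for(command_string)
    resp = falcon.command(op, body=build_body(session_id, command_string))
    body = resp.get("body") or {}
    resources = body.get("resources") or []
    if resp.get("status_code") == 201 and resources:
        return {"ok": True, "operation": op,
                "cloud_request_id": resources[0]["cloud_request_id"]}
    return {"ok": False, "operation": op,
            "status_code": resp.get("status_code"),
            "errors": body.get("errors") or []}


class StubHarness:
    """Constructed stand-in for APIHarness; only command() is modelled and it
    replays the thread: runscript via the active responder operation -> 400
    with error 40014, everything else -> 201 with a queued request."""

    def __init__(self):
        self.calls = []  # (operation, body) pairs: what would have been sent

    def command(self, action=None, body=None, **_):
        self.calls.append((action, body))
        if action == "RTR-InitSession":
            return self._queued("constructed-session-id")
        if body["base_command"] == "runscript" and action != ADMIN_OP:
            value = body["command_string"].split("=", 1)[1].strip(RAW_DELIM)
            return {"status_code": 400, "body": {"resources": [], "errors": [
                {"code": 40014, "message": f"Unrecognized flag found: Raw, value: {value}"}]}}
        return self._queued(body["session_id"])

    @staticmethod
    def _queued(session_id):
        return {"status_code": 201, "body": {"resources": [
            {"session_id": session_id, "cloud_request_id": "constructed-request-id",
             "queued_command_offline": False}], "errors": None}}


if __name__ == "__main__":
    falcon = StubHarness()  # swap in FalconSDK.APIHarness(creds={...}) for real use
    sid = init_session(falcon, "HOST_AID_GOES_HERE")
    print(execute(falcon, sid, raw_runscript("gci /")))  # routed to the admin operation
    print(execute(falcon, sid, "ls"))                    # stays on active responder
    # Forcing runscript through the active responder operation reproduces the 40014
    print(falcon.command(ACTIVE_RESPONDER_OP, body=build_body(sid, raw_runscript("gci /"))))
```

The 201 acknowledges queuing only; the script's output is retrieved with the matching status operation (RTR-CheckAdminCommandStatus in the FalconPy operation list, which the thread does not exercise) using the cloud_request_id that execute() returns.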
Not a bug, moving this over to discussions.