
Comments (12)

mwilco03 commented on May 30, 2024

I noticed that the endpoint being called from the console is different from the one used in FalconPy.

The console uses "falcon.crowdstrike.com/api2/remote-response/entities/command/v1"
FalconPy uses "api.crowdstrike.com/real-time-response/entities/active-responder-command/v1"

I have tried the following values in addition.

"command_string": "runscript -Raw=gci /"
400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw, value: gci /'}]

"command_string": "runscript -Raw=ls /"
400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw, value: ls /'}]

"command_string": "runscript -Raw gci /"
400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw'},

from falconpy.

jshcodes commented on May 30, 2024

Hello!

  • The console UX API is not the same API, so the endpoints won't line up. FalconPy does not currently support the UX API.
  • I mocked together a quick test case, and am getting 201s when I make these calls. I'm not sure if this matches your environment / use case though.
    • NOTE: My test key had RTR and RTR-Admin READ/WRITE.
import json
from falconpy import api_complete as FalconSDK

# Replace the placeholders with your API client credentials.
falcon = FalconSDK.APIHarness(creds={
    'client_id': 'FALCON_CLIENT_ID_HERE',
    'client_secret': 'FALCON_CLIENT_SECRET_HERE'
})

# Open an RTR session on the target host (AID).
BODY = {
    'device_id': 'DEVICE_ID_GOES_HERE'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

# Inline script passed via -Raw= and wrapped in triple backticks.
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

# Plain built-in command for comparison.
BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

First result

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "262",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 17:24:15 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.136629922,
            "powered_by": "empower-api",
            "trace_id": "45efe752-912d-40af-b790-ee8daca60067"
        },
        "resources": [
            {
                "session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
                "cloud_request_id": "f34b2cbc-eeb7-40f6-8d96-fbf47ff6d30b",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

Second result

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "263",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 17:24:15 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5996"
    },
    "body": {
        "meta": {
            "query_time": 0.059785859,
            "powered_by": "empower-api",
            "trace_id": "c058de02-cd8f-4c8c-b82b-50a9dd388e6d"
        },
        "resources": [
            {
                "session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
                "cloud_request_id": "be3faa14-d219-47f0-b05c-342cd6c7c889",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

Can you provide us a sample of the code you are trying to execute? (Don't forget to sanitize keys / IDs from your post.) 😄


mwilco03 commented on May 30, 2024

import json
from falconpy import api_complete as FalconSDK

falcon_client_id = "<fortesting>"
falcon_client_secret = "<fortesting>"

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id,
    'client_secret': falcon_client_secret
})

try:
    falcon.authenticate()
except Exception as exc:
    # Stop here rather than continue with an unauthenticated harness.
    print("failed to authenticate:", exc)
    raise SystemExit(1)


# Open an RTR session on the target host.
BODY = {
    'device_id': '<Device_id>'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

# Inline script via -Raw= wrapped in triple backticks.
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

# Built-in command for comparison.
BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))


mwilco03 commented on May 30, 2024

with a response of

{
    "status_code": 400,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "213",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:26:10 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5998"
    },
    "body": {
        "meta": {
            "query_time": 0.007503424,
            "powered_by": "empower-api",
            "trace_id": "e0dddb05-f3a9-4e8b-bd54-6dc2a43de6d0"
        },
        "resources": [],
        "errors": [
            {
                "code": 40014,
                "message": "Unrecognized flag found: Raw, value: gci /"
            }
        ]
    }
}


mwilco03 commented on May 30, 2024

second one

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "263",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:42:26 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.077975362,
            "powered_by": "empower-api",
            "trace_id": "87a3bac9-94bc-42e5-bcdf-e43fc934f48b"
        },
        "resources": [
            {
                "session_id": "581e002d-6129-48d8-b924-cb0635f595e5",
                "cloud_request_id": "6aa2407a-262d-4dd5-890c-c97004ceb92c",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}


jshcodes commented on May 30, 2024

That's really strange, when I run the code above, this is the response I'm receiving:

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "264",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:36:57 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.067345881,
            "powered_by": "empower-api",
            "trace_id": "e72bb697-f9ae-4f1d-85b7-04c2b33bfb91"
        },
        "resources": [
            {
                "session_id": "f14d86b1-f082-4150-a3c6-7d9af020c8e6",
                "cloud_request_id": "fc7b7c3a-0b19-492e-91bb-af13ad9435f8",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

I only have RTR Read/Write and RTR-Admin Read enabled on the API key at the moment.

A few more questions:

  • Does this happen with all devices you try to start a session with?
  • Does this happen if you just call ls instead of the raw call to GCI?
    • Looks like ls does work.
  • Anything else you can think of that might be impacting?
    • Are you executing from a console prompt or via an IDE like VSCode?
    • Any proxies involved?
  • What version of FalconPy? (Updated package, v.0.3.0 released today.)


mwilco03 commented on May 30, 2024

  • Tried a secondary API key with only those perms
  • Tried a different device
  • Installed latest
  • Executing from an interactive python shell
  • Am using a proxy
    • "command_string": "runscript -Raw=```gci /```"
  • Changing gci to ls gets "Unrecognized flag" (still)
  • ls will work because it's a built-in command for the shell
  • ls is baked into the shell, used more for a test of functionality


jshcodes commented on May 30, 2024

Just re-confirmed; command_string has to make use of the triple-backticks and should include the equals.

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}


mwilco03 commented on May 30, 2024

Correct, the code is exactly the same.
Curious if you are attempting from a Windows, Mac, or nix env?


mwilco03 commented on May 30, 2024

Attempted the same code on an Ubuntu box in a Python shell; same results.


jshcodes commented on May 30, 2024

Was able to recreate the error and in the process of researching the issue, I believe I've discovered the problem.

A couple of notes:

  • I have been testing from Windows, MacOS and Linux
  • I have been testing commands TO Windows and Linux instances
  • I'm using Python 3.9 and FalconPy 0.3.0
  • API key has RTR and RTR-Admin READ/WRITE

Since runscript allows responders to execute any script, including dynamically generated ones, you cannot execute this command using the RTR-ExecuteActiveResponderCommand operation. You will need to use the RTR-Admin API and make use of the RTR-ExecuteAdminCommand operation. This also means your API key will need WRITE to RTR-Admin.

Example

import json
from falconpy import api_complete as FalconSDK

# Replace the placeholders with credentials for a key that has RTR-Admin WRITE.
falcon = FalconSDK.APIHarness(creds={
    'client_id': 'FALCON_CLIENT_ID_HERE',
    'client_secret': 'FALCON_CLIENT_SECRET_HERE'
})


# Open an RTR session on the target host (AID).
BODY = {
    'device_id': 'HOST_AID_GOES_HERE'
}

session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

# runscript is an admin-tier command, so it goes through RTR-ExecuteAdminCommand.
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteAdminCommand', body=BODY)
print(json.dumps(response, indent=4))

Result

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "264",
        "Content-Type": "application/json",
        "Date": "Fri, 19 Feb 2021 02:30:31 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5995"
    },
    "body": {
        "meta": {
            "query_time": 0.068811425,
            "powered_by": "empower-api",
            "trace_id": "de27b54b-34b5-4ca7-9599-71a405eae5e2"
        },
        "resources": [
            {
                "session_id": "9fc07322-a524-4910-8885-ce97230f7065",
                "cloud_request_id": "84789879-a5c2-4113-b87b-817f82aef3f7",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

Could you test from your side and let us know the results?

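The thread's conclusion (runscript must go through RTR-ExecuteAdminCommand with a key holding RTR-Admin WRITE, and the inline script is passed as -Raw= wrapped in triple backticks) is put into one helper below. This is an added example, not code from the issue or from the FalconPy project. It assumes an object with the same `command(action=..., body=...)` shape as FalconPy's `APIHarness`; the `OfflineHarness` stub, the `ADMIN_COMMANDS` map, the error-code constant and all sample IDs are constructed for the example, and the map lists only the command the thread confirms.

```python
import json

# Privilege tier per RTR base command. The thread establishes that runscript is an
# RTR-Admin command; extend this set from the Falcon RTR documentation for your
# tenant (assumption for this example: the set is illustrative, not exhaustive).
ADMIN_COMMANDS = {"runscript"}

ACTIVE_RESPONDER_OP = "RTR-ExecuteActiveResponderCommand"
ADMIN_OP = "RTR-ExecuteAdminCommand"

# Error code the API returned in the thread when the command was rejected.
UNRECOGNIZED_FLAG = 40014

# Triple-backtick delimiter the thread confirms must wrap the inline script.
RAW_DELIM = "`" * 3


def operation_for(base_command):
    """Return the FalconPy operation id that matches the command's privilege tier."""
    return ADMIN_OP if base_command in ADMIN_COMMANDS else ACTIVE_RESPONDER_OP


def build_command_body(session_id, base_command, arguments=""):
    """Build a request body for an RTR command such as ls (arguments optional)."""
    command_string = base_command if not arguments else f"{base_command} {arguments}"
    return {"base_command": base_command,
            "command_string": command_string,
            "session_id": session_id}


def build_runscript_body(session_id, script):
    """Build the runscript body in the form the thread confirms works: the inline
    script follows -Raw= and is wrapped in the triple-backtick delimiter."""
    if RAW_DELIM in script:
        # Defensive choice for this example: a script that itself contains the
        # delimiter cannot be wrapped unambiguously, so refuse it up front.
        raise ValueError("inline script must not contain the triple-backtick delimiter")
    return build_command_body(session_id, "runscript", f"-Raw={RAW_DELIM}{script}{RAW_DELIM}")


def check_response(response):
    """Classify a FalconPy response dict as (ok, detail). On success detail is the
    cloud_request_id; on failure it is a readable reason including the API error."""
    status = response.get("status_code")
    body = response.get("body") or {}
    errors = body.get("errors") or []
    resources = body.get("resources") or []
    if status == 201 and not errors and resources:
        return True, resources[0].get("cloud_request_id")
    reasons = []
    for err in errors:
        reason = f"{err.get('code')}: {err.get('message')}"
        if err.get("code") == UNRECOGNIZED_FLAG:
            reason += (" (verify the script is passed as -Raw= wrapped in triple backticks "
                       "and that the command went through the operation for its tier, "
                       "e.g. RTR-ExecuteAdminCommand with RTR-Admin WRITE for runscript)")
        reasons.append(reason)
    return False, "; ".join(reasons) or f"HTTP {status} with no resources"


def run_rtr_command(falcon, device_id, base_command, arguments=""):
    """Open an RTR session on device_id and dispatch the command through the
    operation that matches its tier. `falcon` is a FalconPy APIHarness or any
    object exposing command(action=..., body=...)."""
    session = falcon.command(action="RTR-InitSession", body={"device_id": device_id})
    ok, detail = check_response(session)
    if not ok:
        return False, f"session init failed: {detail}"
    session_id = session["body"]["resources"][0]["session_id"]
    if base_command == "runscript":
        body = build_runscript_body(session_id, arguments)
    else:
        body = build_command_body(session_id, base_command, arguments)
    return check_response(falcon.command(action=operation_for(base_command), body=body))


# Constructed samples modelled on the thread's responses (trimmed to the fields used).
SAMPLE_REJECTED = {"status_code": 400, "body": {"resources": [], "errors": [
    {"code": 40014, "message": "Unrecognized flag found: Raw, value: gci /"}]}}
SAMPLE_ACCEPTED = {"status_code": 201, "body": {"resources": [
    {"session_id": "SESSION-ID-PLACEHOLDER", "cloud_request_id": "REQUEST-ID-PLACEHOLDER",
     "queued_command_offline": False}], "errors": None}}


class OfflineHarness:
    """Constructed stand-in for APIHarness that replays the thread's behaviour offline:
    runscript is rejected on the active-responder operation and accepted on the admin one."""

    def __init__(self):
        self.calls = []

    def command(self, action, body):
        self.calls.append((action, body))
        if action == "RTR-InitSession":
            return {"status_code": 201,
                    "body": {"resources": [{"session_id": "SESSION-ID-PLACEHOLDER"}], "errors": None}}
        if action == ACTIVE_RESPONDER_OP and body["base_command"] == "runscript":
            return SAMPLE_REJECTED
        return SAMPLE_ACCEPTED


if __name__ == "__main__":
    harness = OfflineHarness()
    print(run_rtr_command(harness, "AID-PLACEHOLDER", "runscript", "gci /"))
    print(run_rtr_command(harness, "AID-PLACEHOLDER", "ls"))
    print(json.dumps(check_response(SAMPLE_REJECTED), indent=2))
```

With a real `APIHarness` in place of `OfflineHarness`, the same `run_rtr_command` call applies; the key used must hold RTR-Admin WRITE for runscript to be accepted, and `check_response` surfaces the 40014 error with the tier hint instead of silently returning an empty resources list.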

jshcodes commented on May 30, 2024

Not a bug, moving this over to discussions.
