WARNING: The PSFalcon modules are an independent project and not supported by CrowdStrike.
Requires PowerShell 5.1+
PS> Install-Module -Name PSFalconTo update to the latest version:
PS> Update-Module -Name PSFalconIf you have any issues installing using the commands above, you can download this repository
and place the files inside your PowerShell module folder under \PSFalcon, or use Import-Module
to directly import the PSFalcon manifest.
Interacting with the CrowdStrike Falcon OAuth2 APIs requires an API Client ID and Secret and a valid OAuth2 token.
If you attempt to run a PSFalcon command without a valid token, you will be forced to make a token
request. You can make a manual request using the Get-CsToken command:
PS> Get-CsToken
Client Id: <string>
Client Secret: <string>
PS> $Falcon
Name Value
---- -----
expires 1/1/2020 8:00:00 AM
token <string>
id <string>
secret System.Security.SecureString
host <string>WARNING: Using the optional -Id and -Secret parameters with Get-CsToken will result in your API
credentials being displayed in plain text. This could expose them to a third party.
Once a valid OAuth2 token is received, it is cached under $Falcon with your credentials. Your cached
token will be checked and refreshed when needed while running PSFalcon commands.
If you need to choose a different cloud or use a proxy when making requests, you will need to issue a manual
Get-CsToken command with the appropriate parameters at the beginning of your PowerShell session.
By default, token requests are sent to the US cloud. The -Cloud parameter can be used to choose a different
destination. Your choice is saved in $Falcon and all requests will be sent to the chosen cloud unless a new
Get-CsToken request is made.
If you're in an MSSP configuration, you can target specific child environments using the -CID parameter
during token requests. Your choice is saved in $Falcon and all requests will be sent to that particular
CID unless a new Get-CsToken request is made.
The -Proxy parameter can be added to a token request to define a proxy. Your choice is saved in $Falcon
and all requests will be directed to your proxy until a new Get-CsToken request is made.
To contain a host you need the Host Id for the target device(s), which you can find using Get-CsHostId and
a filtered search. With this command, you can save the results to $HostId and also output the results in
Json string format to make it easily readable:
PS> Get-CsHostId -Filter "hostname:'Example-PC'" -OutVariable HostId | ConvertTo-Json
{
"meta": {
"query_time": <int>,
"pagination": {
"offset": <int>,
"limit": <int>,
"total": <int>
},
"powered_by": <string>,
"trace_id": <string>
},
"resources": [
<string>
],
"errors": []
}Next, the Host Id can be used with the Start-CsContain command to isolate the device from its network. Because
the Host Id results are contained in the member $HostId.resources, you'll need to reference it directly. The
Responses section further explains what you can expect inside the results of a command.
You can reference the resources member for the Start-CsContain command, too. However, it only makes sense to
do so if you expect a successful result and have no need to analyze the rest of the output:
PS> (Start-CsContain -Id $HostId.resources).resources
id path
-- ----
<string> <string>Congratulations! Your network containment request has been submitted for this device. You can release the device
from containment by using Stop-CsContain:
PS> (Stop-CsContain -Id $HostId.resources).resources
id path
-- ----
<string> <string>To obtain all of the Host Ids in your environment, you can use the command Get-CsHostId. Because each
individual PSFalcon command is subject to the limits of the API it uses, you might not get all the results
with a single command. For those situations, you can add the -All flag to repeat requests automatically:
PS> $AllHostIds = (Get-CsHostId -All).resourcesOnce you have your Host Ids, you can gather the detail about each Host Id. PSFalcon will automatically break these requests up into appropriately sized groups until all results are retrieved:
PS> $AllHostInfo = (Get-CsHostInfo $AllHostIds).resourcesHowever, if you're dealing with large amounts of devices, this could take a bit of time. It might make sense to take a shortcut and import a CSV from your Host Management page:
PS> $HostsCsv = Import-Csv .\164322_hosts_2020-01-01T08_00_00Z.csvNow you've got similar data to $AllHostInfo stored in $HostsCsv, and you can reference each column from the
CSV directly:
PS> $HostsCsv.'Host ID'
<array>
PS> $HostsCsv | Select-Object 'Host ID', Hostname, 'Last Seen', 'Status'
Host ID Hostname Last Seen Status
------- -------- --------- ------
<array> <array> <array> <array>Similar to using Network Containment, with Real-time Response, you'll start with one or more Host Ids:
PS> $HostId = (Get-CsHostId -Filter "hostname:'Example-PC'").resourcesWhether you're dealing with one device, or a group of devices, you need to initiate a Real-time Response
batch session to begin sending commands. Again, you can use ConvertTo-Json to make to results easy to read:
PS> Start-RtrBatch -Id $HostId -OutVariable Batch | ConvertTo-Json
{
"meta": {
"query_time": <int>,
"powered_by": <string>,
"trace_id": <string>
},
"batch_id": <string>,
"resources": {
<string>: {
"session_id": <string>,
"task_id": <string>,
"complete": <boolean>,
"stdout": <string>,
"stderr": "",
"base_command": <string>,
"aid": <string>,
"errors": "",
"query_time": <int>
}
},
"errors": []
}Using your newly generated Batch Id, you now have the ability to send commands to the devices contained in the batch. Using Real-time Response, you can...
Put a file from the cloud:
PS> Send-RtrCommand -Id $Batch.batch_id -Command put -String Example.exeRun a script from the cloud:
PS> Send-RtrCommand -Id $Batch.batch_id -Command runscript -String "-CloudFile='Example'"Or run a custom PowerShell script or command on the fly:
PS> $Script = "Get-LocalGroupMember -Group 'Administrators'"
PS> $String = '-Raw=```' + $Script + '```'
PS> Send-RtrCommand -ID $Batch.batch_id -Command runscript -String $StringTo display a list of the commands available with PSFalcon:
PS> Get-Command -Module PSFalconYou can also use Get-Help for information about each individual command:
PS> Get-Help -Name <string> -DetailedAdditionally, each API includes a README file with references and generic examples:
CrowdStrike Falcon Detections API
CrowdStrike CrowdScore Incident API
CrowdStrike Falcon Discover for AWS API
CrowdStrike Falcon Host Group API
CrowdStrike Falcon Sensor Download API
CrowdStrike Falcon Device Control Policy API
CrowdStrike Falcon Firewall Management Policy API
CrowdStrike Falcon Prevention Policy API
CrowdStrike Falcon Sensor Update Policy API
CrowdStrike Falcon Real-time Response API
CrowdStrike Falcon X Sandbox API
CrowdStrike Threat Intelligence API
CrowdStrike Falcon User Management API
PowerShell objects are generated in response to PSFalcon commands:
PS> Get-CsHostId
meta resources
---- ---------
@{query_time=<int>; pagination=; powered_by=<string>; trace_id=<string>} @{...}The members of the response object can be referenced to retrieve specific data. $PSObject.meta
contains information about the request itself:
PS> $HostIds = Get-CsHostId
PS> $HostIds.meta
query_time pagination powered_by trace_id
---------- ---------- ---------- --------
<int> @{offset=<int>; limit=<int>; total=<int>} <string> <string>Results of a successful request are typically contained within $PSObject.resources but some request
types fall under fields like $PSObject.combined, $PSObject.batch_id, or even $PSObject.meta.quota.
You can return the results themselves by calling $PSObject.resources or related member:
PS> $HostIds.resources
<array>$PSObject.errors is populated when a request was received by the server and an error was returned:
PS> $HostIds.errors
code message
---- -------
<int> <string>By default, PSFalcon checks the response header for the X-RateLimit-RetryAfter field and sleeps for the
appropriate amount of time.
Adding the -Debug flag to any command will output to json for troubleshooting purposes.