Describe the bug
To Reproduce
produces a 400 error either for flag, or unrecognized command.
Expected behavior
Environment (please complete the following information):
Additional context
Replies: 11 comments 1 reply
I noticed that the endpoint that is being called on the console is different than the one used in Falconpy. The console uses "falcon.crowdstrike.com/api2/remote-response/entities/command/v1"
Hello!

```python
import json
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id_here,
    'client_secret': falcon_client_secret_here
    }
)

BODY = {
    'device_id': 'DEVICE_ID_GOES_HERE'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))
```

First result

```json
{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "262",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 17:24:15 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.136629922,
            "powered_by": "empower-api",
            "trace_id": "45efe752-912d-40af-b790-ee8daca60067"
        },
        "resources": [
            {
                "session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
                "cloud_request_id": "f34b2cbc-eeb7-40f6-8d96-fbf47ff6d30b",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}
```

Second result

```json
{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "263",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 17:24:15 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5996"
    },
    "body": {
        "meta": {
            "query_time": 0.059785859,
            "powered_by": "empower-api",
            "trace_id": "c058de02-cd8f-4c8c-b82b-50a9dd388e6d"
        },
        "resources": [
            {
                "session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
                "cloud_request_id": "be3faa14-d219-47f0-b05c-342cd6c7c889",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}
```

Can you provide us a sample of the code you are trying to execute? (Don't forget to sanitize keys / IDs from your post.) 😄
with a response of
second one
That's really strange, when I run the code above, this is the response I'm receiving:

```json
{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "264",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:36:57 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.067345881,
            "powered_by": "empower-api",
            "trace_id": "e72bb697-f9ae-4f1d-85b7-04c2b33bfb91"
        },
        "resources": [
            {
                "session_id": "f14d86b1-f082-4150-a3c6-7d9af020c8e6",
                "cloud_request_id": "fc7b7c3a-0b19-492e-91bb-af13ad9435f8",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}
```

I only have RTR Read/Write and RTR-Admin Read enabled on the API key at the moment. A few more questions:
Just re-confirmed; command_string has to make use of the triple-backticks and should include the equals.

```python
BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
```
Correct code is exactly the same.
Attempted the same code on an Ubuntu box in a Python shell; same results.
Was able to recreate the error and in the process of researching the issue, I believe I've discovered the problem. A couple of notes:

Since runscript allows responders to execute any script, including dynamically generated ones, you cannot execute this command using the RTR-ExecuteActiveResponderCommand operation. You will need to use the RTR-Admin API and make use of the RTR-ExecuteAdminCommand operation. This also means your API key will need WRITE to RTR-Admin.

Example

```python
import json
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
    'client_id': falcon_client_id_here,
    'client_secret': falcon_client_secret_here
    }
)

BODY = {
    'device_id': 'HOST_AID_GOES_HERE'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteAdminCommand', body=BODY)
print(json.dumps(response, indent=4))
```

Result

```json
{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "264",
        "Content-Type": "application/json",
        "Date": "Fri, 19 Feb 2021 02:30:31 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5995"
    },
    "body": {
        "meta": {
            "query_time": 0.068811425,
            "powered_by": "empower-api",
            "trace_id": "de27b54b-34b5-4ca7-9599-71a405eae5e2"
        },
        "resources": [
            {
                "session_id": "9fc07322-a524-4910-8885-ce97230f7065",
                "cloud_request_id": "84789879-a5c2-4113-b87b-817f82aef3f7",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}
```

Could you test from your side and let us know the results?
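As an added example (not code from the falconpy project or from anyone in this thread), the helper below encodes the two findings the thread arrived at: runscript has to go through RTR-ExecuteAdminCommand rather than RTR-ExecuteActiveResponderCommand, and the command string has to be `-Raw=` followed by the script wrapped in triple backticks. It also reads cloud_request_id back out of the result dict, or raises with the API's errors list, which is the check that turns a silent 400 into an actionable message. The RtrClient protocol, the sample responses and their placeholder IDs are assumptions; falconpy itself is not imported, so the block runs offline.

```python
# Added example, not code from the falconpy project or this thread's authors.
# Nothing here touches the network: the responses below are constructed to
# match the shape of the APIHarness result dicts pasted in the thread.
from typing import Protocol

# Built programmatically so the backticks never collide with a markdown fence.
FENCE = "`" * 3

# runscript is the command this thread confirms is admin-only. Assumption: the
# RTR command reference lists further admin-only commands to add here.
ADMIN_ONLY_COMMANDS = frozenset({"runscript"})


class RtrClient(Protocol):
    """Duck-typed view of falconpy's APIHarness: command(action, body) -> result dict."""
    def command(self, action: str, body: dict) -> dict: ...


def operation_for(base_command: str) -> str:
    """Return the falconpy operation ID that is allowed to execute base_command."""
    if base_command in ADMIN_ONLY_COMMANDS:
        return "RTR-ExecuteAdminCommand"
    return "RTR-ExecuteActiveResponderCommand"


def runscript_raw_body(session_id: str, script: str) -> dict:
    """Body for an inline runscript: '-Raw=' plus the script in triple backticks."""
    return {
        "base_command": "runscript",
        "command_string": f"runscript -Raw={FENCE}{script}{FENCE}",
        "session_id": session_id,
    }


def cloud_request_id(response: dict) -> str:
    """Pull cloud_request_id out of a result dict, or raise with the API's error list."""
    status = response.get("status_code")
    body = response.get("body") or {}
    errors = body.get("errors") or []  # the API returns null on success
    if status != 201 or errors:
        detail = "; ".join(f"{e.get('code')}: {e.get('message')}" for e in errors)
        raise RuntimeError(f"RTR command rejected (HTTP {status}): {detail or 'no detail'}")
    return body["resources"][0]["cloud_request_id"]


def run_raw_script(falcon: RtrClient, session_id: str, script: str) -> str:
    """Submit an inline script via the operation runscript requires; return its cloud_request_id."""
    body = runscript_raw_body(session_id, script)
    result = falcon.command(action=operation_for(body["base_command"]), body=body)
    return cloud_request_id(result)


# Constructed success response; IDs are placeholders, not values from any tenant.
SAMPLE_OK = {
    "status_code": 201,
    "headers": {"Content-Type": "application/json"},
    "body": {
        "meta": {"query_time": 0.05, "powered_by": "empower-api",
                 "trace_id": "00000000-0000-4000-8000-000000000001"},
        "resources": [{
            "session_id": "00000000-0000-4000-8000-0000000000aa",
            "cloud_request_id": "00000000-0000-4000-8000-0000000000bb",
            "queued_command_offline": False,
        }],
        "errors": None,
    },
}

# Constructed to mirror the 400 the original poster saw when runscript went to
# the Active Responder operation; the exact error wording is an assumption.
SAMPLE_REJECTED = {
    "status_code": 400,
    "headers": {"Content-Type": "application/json"},
    "body": {
        "meta": {"query_time": 0.01, "powered_by": "empower-api",
                 "trace_id": "00000000-0000-4000-8000-000000000002"},
        "resources": [],
        "errors": [{"code": 400, "message": "unrecognized command"}],
    },
}


if __name__ == "__main__":
    print(operation_for("runscript"), runscript_raw_body("SESSION_ID", "gci /"))
    print(cloud_request_id(SAMPLE_OK))
    try:
        cloud_request_id(SAMPLE_REJECTED)
    except RuntimeError as exc:
        print(exc)
```

With a real APIHarness instance in place of the fake, `run_raw_script(falcon, sessionid, "gci /")` is the whole call; the operation choice and the command string formatting live in one place, so a key that only has RTR Read/Write fails loudly at the `cloud_request_id` check instead of being debugged from a bare 400.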