can not execute commands on endpoint

[mwilco03]

Describe the bug
unable to execute command
syntax error using command_string param
RTR-ExecuteActiveResponderCommand

To Reproduce

from falconpy import api_complete as FalconSDK falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id_here,
      'client_secret': falcon_client_secret_here
   }
)
BODY = {
    'device_id': <device_id>
}
try:
    falcon.authenticate()
except:
    print("failed to authenticate")
session = falcon.command(action='RTR-InitSession',body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]
Body = {
    "base_command": "runscript",
    "command_string": "runscript 'gci /'",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=Body) 
print(json.dumps(response, indent=4)) 

produces a 400 error either for flag, or unrecognized command.

Expected behavior
Expectation would be command gets executed and 200 status code comes back

Environment (please complete the following information):

• OS: windows
• Python: 3.9

Additional context
open case with CS

[mwilco03]

I noticed that the endpoint that is being called on the console is different than the one used in Falconpy.

The console uses "falcon.crowdstrike.com/api2/remote-response/entities/command/v1"
Falconpy uses "api.crowdstrike.com/real-time-response/entities/active-responder-command/v1"
I have tried the following values in addition.
"command_string": "runscript -Raw=gci /" 400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw, value: gci /'}]" "command_string": "runscript -Raw=ls /" 400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw, value: ls /'}]" "command_string": "runscript -Raw gci /" 400 [{'code': 40014, 'message': 'Unrecognized flag found: Raw'},

[jshcodes]

Hello!

• The console UX API is not the same API, so the endpoints won't line up. FalconPy does not currently support the UX API.
• I mocked together a quick test case, and am getting 201s when I make these calls. I'm not sure if this matches your environment / use case though.
  • NOTE: My test key had RTR and RTR-Admin READ/WRITE.

import json
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id_here,
      'client_secret': falcon_client_secret_here
   }
)

BODY = {
    'device_id': 'DEVICE_ID_GOES_HERE'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4)) 

BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

First result

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "262",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 17:24:15 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.136629922,
            "powered_by": "empower-api",
            "trace_id": "45efe752-912d-40af-b790-ee8daca60067"
        },
        "resources": [
            {
                "session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
                "cloud_request_id": "f34b2cbc-eeb7-40f6-8d96-fbf47ff6d30b",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

Second result

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "263",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 17:24:15 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5996"
    },
    "body": {
        "meta": {
            "query_time": 0.059785859,
            "powered_by": "empower-api",
            "trace_id": "c058de02-cd8f-4c8c-b82b-50a9dd388e6d"
        },
        "resources": [
            {
                "session_id": "c83248ae-b2f0-4299-bbce-c63854ffbb64",
                "cloud_request_id": "be3faa14-d219-47f0-b05c-342cd6c7c889",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

Can you provide us a sample of the code you are trying to execute? (Don't forget to sanitize keys / IDs from your post.) 😄

[mwilco03]

import json
from falconpy import api_complete as FalconSDK

falcon_client_id="<fortesting>"
falcon_client_secret="<fortesting>"

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id,
      'client_secret': falcon_client_secret
   }
)

try:
    falcon.authenticate()
except:
    print("failed to authenticate")


BODY = {
    'device_id': '<Device_id>'
}
session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

BODY = {
    "base_command": "runscript",
    "command_string": "ls",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteActiveResponderCommand', body=BODY)
print(json.dumps(response, indent=4))

[mwilco03]

with a response of

{
    "status_code": 400,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "213",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:26:10 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5998"
    },
    "body": {
        "meta": {
            "query_time": 0.007503424,
            "powered_by": "empower-api",
            "trace_id": "e0dddb05-f3a9-4e8b-bd54-6dc2a43de6d0"
        },
        "resources": [],
        "errors": [
            {
                "code": 40014,
                "message": "Unrecognized flag found: Raw, value: gci /"
            }
        ]
    }
}

[mwilco03]

second one

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "263",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:42:26 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.077975362,
            "powered_by": "empower-api",
            "trace_id": "87a3bac9-94bc-42e5-bcdf-e43fc934f48b"
        },
        "resources": [
            {
                "session_id": "581e002d-6129-48d8-b924-cb0635f595e5",
                "cloud_request_id": "6aa2407a-262d-4dd5-890c-c97004ceb92c",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

[jshcodes]

That's really strange, when I run the code above, this is the response I'm receiving:

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "264",
        "Content-Type": "application/json",
        "Date": "Mon, 15 Feb 2021 20:36:57 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5997"
    },
    "body": {
        "meta": {
            "query_time": 0.067345881,
            "powered_by": "empower-api",
            "trace_id": "e72bb697-f9ae-4f1d-85b7-04c2b33bfb91"
        },
        "resources": [
            {
                "session_id": "f14d86b1-f082-4150-a3c6-7d9af020c8e6",
                "cloud_request_id": "fc7b7c3a-0b19-492e-91bb-af13ad9435f8",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

I only have RTR Read/Write and RTR-Admin Read enabled on the API key at the moment.

A few more questions:

• Does this happen with all devices you try to start a session with?
• Does this happen if you just call ls instead of the the raw call to GCI?
  • Looks like ls does work.
• Anything else you can think of that might be impacting?
  • Are you executing from a console prompt or via an IDE like VSCode?
  • Any proxies involved ?
• What version of FalconPy? (Updated package, v.0.3.0 released today.)

[mwilco03]

• Tried a secondary API key with only those perms
• Tried a different device
• Installed latest
• Executing from a interactive python shell
• Am using a proxy
  -"command_string": "runscript -Raw=```gci /```"

• Changing gci to ls gets "Unrecognized flag" (still)
• ls will work because it's a built in command for the shell
• ls is baked into the shell used more for a test of functionality

[jshcodes]

Just re-confirmed; command_string has to make use of the triple-backticks and should include the equals.

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}

[mwilco03]

Correct code is exactly the same.
Curious if you are attempting from a windows, mac, or nix env?

[mwilco03]

Attempted same code on a Ubutu box in a python shell same results.

[jshcodes]

Was able to recreate the error and in the process of researching the issue, I believe I've discovered the problem.

A couple of notes:

• I have been testing from Windows, MacOS and Linux
• I have been testing commands TO Windows and Linux instances
• I'm using Python 3.9 and FalconPy 0.3.0
• API key has RTR and RTR-Admin READ/WRITE

Since runscript allows responders to execute any script, including dynamically generated ones, you cannot execute this command using the RTR-ExecuteActiveResponderCommand operation. You will need to use the RTR-Admin API and make use of the RTR-ExecuteAdminCommand operation. This also means your API key will need WRITE to RTR-Admin.

Example

import json
from falconpy import api_complete as FalconSDK

falcon = FalconSDK.APIHarness(creds={
      'client_id': falcon_client_id_here,
      'client_secret': falcon_client_secret_here
   }
)


BODY = {
    'device_id': 'HOST_AID_GOES_HERE'
}

session = falcon.command(action='RTR-InitSession', body=BODY)
sessionid = session["body"]["resources"][0]["session_id"]

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -Raw=```gci /```",
    "session_id": sessionid
}
response = falcon.command('RTR-ExecuteAdminCommand', body=BODY)
print(json.dumps(response, indent=4)) 

Result

{
    "status_code": 201,
    "headers": {
        "Content-Encoding": "gzip",
        "Content-Length": "264",
        "Content-Type": "application/json",
        "Date": "Fri, 19 Feb 2021 02:30:31 GMT",
        "X-Cs-Region": "us-1",
        "X-Ratelimit-Limit": "6000",
        "X-Ratelimit-Remaining": "5995"
    },
    "body": {
        "meta": {
            "query_time": 0.068811425,
            "powered_by": "empower-api",
            "trace_id": "de27b54b-34b5-4ca7-9599-71a405eae5e2"
        },
        "resources": [
            {
                "session_id": "9fc07322-a524-4910-8885-ce97230f7065",
                "cloud_request_id": "84789879-a5c2-4113-b87b-817f82aef3f7",
                "queued_command_offline": false
            }
        ],
        "errors": null
    }
}

Could you test from your side and let us know the results?

[EdgeSync]

Almost 2 years later, and I was facing the exact same problem as @mwilco03 (but with a different command).

thanks @jshcodes - was able to get it working with your example :)