Pass parameters to PowerShell script using real time response

[hermanmaleiane]

Hi team,
Hope you are doing well.

How can i pass a value as parameter to batch_admin_command and then receive this value on PowerShell invoked script?

I want to scan a specific path.

1. I want to create and upload the script (Start-MpScan -ScanType CustomScan -ScanPath "C:\TEST") on my crowdstrike console.
   Start-MpScan -ScanType CustomScan -ScanPath $valueToReceiveFromPython

2. Call it from python code, falcon.py and receive on PowerShel
   target_hosts = ["ID1", "ID2", "ID3"]
   response = falcon.batch_admin_command(base_command="string",
   batch_id="string",
   command_string="string",
   optional_hosts=target_hosts,
   persist_all=boolean,
   timeout=integer,
   timeout_duration="string"
   )

[jshcodes]

Hi @hermanmaleiane -

This question is similar to this one, so we can borrow his example.

In this code segment, we're calling a previously uploaded CloudFile and then passing in a CommandLine for it to handle. (You can use Body Payload abstraction instead if you prefer.)

BODY = {
    "base_command": "runscript",
    "command_string": "runscript -CloudFile=\"MyScriptName\" -CommandLine=\"\"",
    "session_id": resource['session_id']
}
command_response = falcon_RTR_Session.RTR_ExecuteActiveResponderCommand(body=BODY)
print(json.dumps(command_response, indent=4)) 

As long as you know the name of the uploaded CloudFile, you should be able to do the same with RTR on single or multiple hosts.

A couple of notes:

• You will have to somehow parse the response from the PowerShell script. Writing to a local file is common for this. Then your script can parse this newly created file, delete it and return the result back to you.
• You can also upload the CloudFile via code if you prefer.
• Running Start-MpScan is linear, so you will probably need to wait a few minutes before the process will be seen as "complete" by RTR_CheckCommandStatus operation. (You can loop for a few minutes like we show in this example.)
• Depending on the permissions, you may need to execute as an admin (not responder) using RTR_ExecuteAdminCommand.

Let us know if you run into any questions!

[jshcodes]

PEP-8 / Body payload abstraction variation of the code above

You might find this syntax a little easier to use.

response = falcon_RTR_Session.execute_active_responder_command(base_command="runscript",
                                                               command_string="runscript -CloudFile='SCRIPT_NAME' -CommandLine='COMMAND_LINE'",
                                                               session_id=resource["session_id"]
                                                               )
print(json.dumps(response, indent=4)) 

[hermanmaleiane]

Thank you so much.
It's working.
Now the challenge is to handle the response from PowerShell as you suggest.
Is there an sample where you did this. Returning response to python script?

I can only see these logs.

{ Connecting to target...connected (5666bc2a-4394-4494-9b00-947379377239)
"status_code": 201,
"headers": {
"Content-Encoding": "gzip",
"Content-Length": "263",
"Content-Type": "application/json",
"Date": "Mon, 06 Dec 2021 15:17:49 GMT",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Cs-Region": "us-1",
"X-Cs-Traceid": "bfccd956-ef41-4561-8453-0a1a74c5a16c",
"X-Ratelimit-Limit": "6000",
"X-Ratelimit-Remaining": "5991"
},
"body": {
"meta": {
"query_time": 0.892244122,
"powered_by": "empower-api",
"trace_id": "bfccd956-ef41-4561-8453-0a1a74c5a16c"
},
"resources": [
{
"session_id": "5666bc2a-4394-4494-9b00-947379377239",
"cloud_request_id": "16f57381-9186-4e3b-b558-a598cb6020df",
"queued_command_offline": false
}
],
"errors": null
}
}

[jshcodes]

Excellent!

The cloud_request_id value was returned, so we can use this in our next step; waiting for the execution result.

Check out the following code (taken from here):

def execute_command(passed_payload: str, hdr: str, cmd: str):
    """
    Executes a RTR Admin command, waits for it to complete,
    and then returns the result
    """
    passed_payload["command_string"] = cmd
    req = falcon_rtra.execute_admin_command(                        # Call the command
        passed_payload                                              # Execute the command
        )
    if req["status_code"] != 201:                                   # Confirm execution success
        raise SystemExit(                                           # There is no retry, crash out
            "%80s" % f"{' ' * 80}\nUnable to execute command: "
            f"[{req['body']['errors'][0]['code']}] "
            f"{req['body']['errors'][0]['message']}"
            )
    request_id = req["body"]["resources"][0]["cloud_request_id"]    # Retrieve the cloud_request_id
    completed = False                                               # Boolean to track our command status
    inform(f"  Waiting on {hdr} to finish executing")
    while not completed:                                            # Keep requesting status until the command is completed
        inform(
            f"  Waiting on {hdr} to finish executing...{get_indicator()}"
            )
        requested = falcon_rtra.check_admin_command_status(         # Retrieve the results command
            cloud_request_id=request_id,                            # Passing in the cloud_request_id
            sequence_id=0                                           # Results are chunked, but we just need the first result
            )
        completed = requested["body"]["resources"][0]["complete"]   # Check to see if our command has finished executing

    inform(
        f"  Waiting on {hdr} to finish executing...done!"           # Inform the user of success
        )
    time.sleep(.1)
    return requested                                                # Return our result

The loop runs until the value of "complete" is returned back as a True, at which point we can parse the value of the requested dictionary for the result.

[jshcodes]

Just realized the command example above is using check_admin_command_status. Depending on the API calls you're using in your script, you may want to use the check_command_status method instead.

[hermanmaleiane]

Awesome,
Much appreciated.
When i print the response form execute command i got the results.

Thank you sir.

[hermanmaleiane]

Hi @jshcodes !!
Hope you are doing well.
I have one more question regarding the scan.

I'm using this code to invoke the script and handle the time and if it's completed.

`
req = falcon_rtr.RTR_ExecuteActiveResponderCommand(base_command="runscript",
command_string="runscript -CloudFile='rtr-remote-malware-remediation' ",
session_id=session_id)

request_id = req["body"]["resources"][0]["cloud_request_id"]    # Retrieve the cloud_request_id 
completed = False                                               # Boolean to track our command status
inform(f"  Waiting on {hdr} to finish executing")
while not completed:        
    
    inform(
        f"  Waiting on {hdr} to finish executing...{get_indicator()}"         # Keep requesting status until the command is completed
        )                                    
    
    requested = falcon_rtra.check_admin_command_status (               # Retrieve the results command
        cloud_request_id=request_id,                            # Passing in the cloud_request_id
        sequence_id=0                                           # Results are chunked, but we just need the first result
        )
    completed = requested["body"]["resources"][0]["complete"]   # Check to see if our command has finished executing

inform(
    f"  Waiting on {hdr} to finish executing...done!"           # Inform the user of success
    )
time.sleep(2500)
return requested`

The thing is, i am not able to see in the response when it completed and the result of the scan because it takes too much time.
Is there any function that i can use to check output based on cloud_request_id ?. So that i can go to the logs and be sure that scan is finished.

The other problem is that when i perform the scan using PowerShell directly on my machine it doesn't display nothing, maybe this behavior is because i don't have threats.

[jshcodes]

Is there any function that i can use to check output based on cloud_request_id ?. So that i can go to the logs and be sure that scan is finished.

You should be able to do that, it would be the same request. (eg. You wouldn't need to find a log file, you could just request the result from the API later if you prefer.)

You can also use a loop (like shown above) to wait for the result. To your point, this may take up to 10 - 15 minutes depending on the scan. (Although usually it is much faster.)

The other problem is that when i perform the scan using PowerShell directly on my machine it doesn't display nothing, maybe this behavior is because i don't have threats.

Are you referring to MpScan? My understanding is that doesn't return an output, you have to retrieve the results using Get-MpComputerStatus.

[hermanmaleiane]

Hi @jshcodes!!
Thanks so much for your time.
I will use Get-MpComputerStatus command.

I was forgetting to test the command line option as you explained on your first reply.
The code

command="Get-MpThreat -ThreatID 2147750106"
req = falcon_rtr.RTR_ExecuteActiveResponderCommand(base_command="runscript",
command_string= f" -CommandLine='{command}'",
session_id=session_id
)

status_cod:400
error message: Unable to execute command: [40006] Command is not valid

With runscript -CloudFile, using the script deployed on crowdstrike console works fine.

[jshcodes]

If you're just wanting the values within Resources, I believe you can do something like the following. (This is more of a PowerShell question, so we might need to poke @bk-cs. I tested using the Get-MpThreatCatalog command and expanded CimInstanceProperties since I didn't have an active threat on my current test box.)

rtradmin.execute_admin_command(base_command="runscript",
                               command_string=f"runscript -Raw=```Get-MpThreat -ThreatId {THREAT_ID} | select -ExpandProperty Resources```",
                               session_id=session_id
                               )

[hermanmaleiane]

Thanks again.

Need one python advice if I'm not disturbing you.
You already helped a lot.
I'm not parsing correctly one of the responses using the above command with **Get-MpThreatDetection | select ***

I have problems if i have more than one response.

The response
@{ActionSuccess=True; AdditionalActionsBitMask=0; AMProductVersion=4.18.2110.6; CleaningActionID=2; CurrentThreatExecutionStatusID=0; DetectionID={69FCB542-3575-43EE-AEEC-2525E592B4FD}; DetectionSourceTypeID=2; DomainUser=NT AUTHORITY\LOCAL SERVICE; InitialDetectionTime=08/12/2021 12:04:32; LastThreatStatusChangeTime=08/12/2021 12:05:21; ProcessName=Unknown; RemediationTime=08/12/2021 12:05:21; Resources=System.Collections.ArrayList; ThreatID=2147768041; ThreatStatusErrorCode=0; ThreatStatusID=3; CimClass=ROOT/Microsoft/Windows/Defender:MSFT_MpThreatDetection; CimInstanceProperties=System.Collections.ArrayList; CimSystemProperties=Microsoft.Management.Infrastructure.CimSystemProperties; PSComputerName=localhost; RunspaceId=4b4489d6-1d3f-4155-b7ee-4f607520dc19; PSShowComputerName=False}
@{ActionSuccess=True; AdditionalActionsBitMask=0; AMProductVersion=4.18.2110.6; CleaningActionID=2; CurrentThreatExecutionStatusID=0; DetectionID={734823B0-7372-4075-839C-938A0013257D}; DetectionSourceTypeID=2; DomainUser=NT AUTHORITY\LOCAL SERVICE; InitialDetectionTime=08/12/2021 10:45:35; LastThreatStatusChangeTime=08/12/2021 10:46:27; ProcessName=Unknown; RemediationTime=08/12/2021 10:46:27; Resources=System.Collections.ArrayList; ThreatID=2147750106; ThreatStatusErrorCode=0; ThreatStatusID=3; CimClass=ROOT/Microsoft/Windows/Defender:MSFT_MpThreatDetection; CimInstanceProperties=System.Collections.ArrayList; CimSystemProperties=Microsoft.Management.Infrastructure.CimSystemProperties; PSComputerName=localhost; RunspaceId=4b4489d6-1d3f-4155-b7ee-4f607520dc19; PSShowComputerName=False}

Then i try to convert to a valid json using this scripts

stdout = response["body"]["resources"][0]["stdout"]
output= stdout[1:]
formated= output.replace('@', ',')
valuejson = '[' + re.sub(r'\b','"',formated).replace(';',',').replace('=',':') + ']'
#data = json.loads(valuejson) # this function raises a bug

The result

[{"ActionSuccess":"True", "AdditionalActionsBitMask":"0", "AMProductVersion":"4"."18"."2110"."6", "CleaningActionID":"2", "CurrentThreatExecutionStatusID":"0", "DetectionID":{"69FCB542"-"3575"-"43EE"-"AEEC"-"2525E592B4FD"}, "DetectionSourceTypeID":"2", "DomainUser":"NT" "AUTHORITY""LOCAL" "SERVICE", "InitialDetectionTime":"08"/"12"/"2021" "12":"04":"32", "LastThreatStatusChangeTime":"08"/"12"/"2021" "12":"05":"21", "ProcessName":"Unknown", "RemediationTime":"08"/"12"/"2021" "12":"05":"21", "Resources":"System"."Collections"."ArrayList", "ThreatID":"2147768041", "ThreatStatusErrorCode":"0", "ThreatStatusID":"3", "CimClass":"ROOT"/"Microsoft"/"Windows"/"Defender":"MSFT_MpThreatDetection", "CimInstanceProperties":"System"."Collections"."ArrayList", "CimSystemProperties":"Microsoft"."Management"."Infrastructure"."CimSystemProperties", "PSComputerName":"localhost", "RunspaceId":"4b4489d6"-"1d3f"-"4155"-"b7ee"-"4f607520dc19", "PSShowComputerName":"False"}
,{"ActionSuccess":"True", "AdditionalActionsBitMask":"0", "AMProductVersion":"4"."18"."2110"."6", "CleaningActionID":"2", "CurrentThreatExecutionStatusID":"0", "DetectionID":{"734823B0"-"7372"-"4075"-"839C"-"938A0013257D"}, "DetectionSourceTypeID":"2", "DomainUser":"NT" "AUTHORITY""LOCAL" "SERVICE", "InitialDetectionTime":"08"/"12"/"2021" "10":"45":"35", "LastThreatStatusChangeTime":"08"/"12"/"2021" "10":"46":"27", "ProcessName":"Unknown", "RemediationTime":"08"/"12"/"2021" "10":"46":"27", "Resources":"System"."Collections"."ArrayList", "ThreatID":"2147750106", "ThreatStatusErrorCode":"0", "ThreatStatusID":"3", "CimClass":"ROOT"/"Microsoft"/"Windows"/"Defender":"MSFT_MpThreatDetection", "CimInstanceProperties":"System"."Collections"."ArrayList", "CimSystemProperties":"Microsoft"."Management"."Infrastructure"."CimSystemProperties", "PSComputerName":"localhost", "RunspaceId":"4b4489d6"-"1d3f"-"4155"-"b7ee"-"4f607520dc19", "PSShowComputerName":"False"}
]

the problem is with values with special characters for example:
"RemediationTime":"08"/"12"/"2021", "RunspaceId":"4b4489d6"-"1d3f"-"4155"-"b7ee"-"4f607520dc19" and "AMProductVersion":"4"."18"."2110"."6".

The error

data = json.loads(valuejson)

File "C:\Users\Herman.Maleiane\lib\json\decoder.py", line 355, in raw_decode
obj, end = self.scan_once(s, idx)
json.decoder.JSONDecodeError: Expecting ',' delimiter: line 1 column 81 (char 80)

[jshcodes]

I think you might be making it harder than it needs to be formatting the string. If you convert your PowerShell command to the following, do you get output you can parse?

rtradmin.execute_admin_command(base_command="runscript",
                               command_string=f"runscript -Raw=```Get-MpThreat -ThreatId {THREAT_ID} | select -Property * | ConvertTo-Json```",
                               session_id=session_id
                               )

[hermanmaleiane]

Sure @jshcodes !!!
You are correct, i tested and it works.
You just saved my day.
Thanks again.

[jshcodes]

W00t! Happy to help. 😄