Invoke-Deploy - Change Destination

[lcfut]

I am using the Invoke-Deploy command to send my executable to select endpoints.
How can I change the destination location where the executable lands and runs from?

[bk-cs]

Invoke-FalconDeploy combines the put and run Real-time Response commands. put does not provide the ability to specify a destination--it uploads the file to the current directory. If you want it to be in a different directory, you have to cd to that location first.

Invoke-FalconDeploy was created as a mechanism to deploy the Falcon Forensics executable, so I don't really have any intention of modifying it, especially because it works for most "upload and run this exe" use cases.

If you'd like to use a more complicated workflow (like using put to place the file in a specific directory), I recommend either using a combination of commands with Invoke-FalconRTR or creating a script with the necessary commands to step through each of the parts of what you're trying to do. It might look something like...

Start-FalconSession ...
Send-FalconCommand -Command cd ...
Send-FalconAdminCommand -Command put ...
Send-FalconAdminCommand -Command run ...

Then you'll have to keep track of the responses and update accordingly. You can see an example of how to do this by looking at the code within Invoke-FalconRTR (the Invoke-RTR function in Public\Scripts.ps1) or Invoke-FalconDeploy (Invoke-Deploy in the same Scripts.ps1 file) if you'd like to output the results to CSV.

[lcfut]

Thanks for the quick response.
I was using RTR commands like the "cd ......" "put foo.bar" "run foo.bar" and noticed the code was becoming multiple lines of code that could be replaced with the single line of Invoke-Deploy.

Could I start the session - send the command to CD into my folder then Invoke-Deploy and have it run from there?

[bk-cs]

Yes. Invoke-FalconRTR is meant as a way to run a single Real-time Response command. It creates the session (or batch), sends the command and outputs the results. Although it can be used repeatedly (and the API itself will "append" commands to existing sessions), the "proper" way to do it is to run through each individual step.

You can see examples of that entire workflow on the wiki: https://github.com/CrowdStrike/psfalcon/wiki/Real-time-Response#send-real-time-response-commands-to-a-batch-of-hosts

You'll basically follow those steps, but issue multiple commands to a single (or batch) session. If it's something that will take longer than the maximum timeout of 600 seconds (which defaults to 30 seconds if you don't specify it when issuing the command), you'll also need to keep a timer going and Update-FalconSession periodically to ensure the session running on each host does not expire.

You'll also want to add logic to only continue if the previous command was successful, so you don't end up doing things like using put in the wrong directory. You can see some examples of this with Invoke-FalconDeploy where it only selects successful hosts and then specifies the OptionalHostIds field on the next command.

[oracle701]

Hello,
I have a similar need to have Invoke-falcondeploy PUT the file into a specific location, unless there is another option.
What I need is a command to run an exe with a couple arguments. RUN doesn't seem to have that option and 'runscript' seems to stop the exe after a couple of seconds.

Is there another way?

[oracle701]

With that I get an error. Have not found a solution yet.
"40012: Max args is 0. 1 were provided"

[bk-cs]

Does this work?

$DRIVE = 'C:\my\folder'
$Raw = 'powershell.exe -c "&{ Start-Process -FilePath `"D:\TEST\ftkimager\ftkimager.exe`" -ArgumentList `"{0}`",`"D:\Test01`",`"--e01`",`"--compress 5`"}"' -f $DRIVE
$Raw = '```' + $Raw + '```'
Invoke-FalconRTR -Command runscript -Argument $Raw -HostId $AID

You could also create a script and provide $DRIVE when launching it:

example.ps1

param([Parameter(Mandatory=$true,Position=1)][string]$Variable)
powershell.exe -c "&{ Start-Process -FilePath 'D:\TEST\ftkimager\ftkimager.exe' -ArgumentList '$Variable','D:\Test01','--e01','--compress 5' }"

$DRIVE = 'C:\my\folder'
Invoke-FalconRtr runscript '-CloudFile="example.ps1"' "-CommandLine='$DRIVE'" -HostId $AID

[oracle701]

First one does not. I am still working on the script test for the 2nd one though, busy week.

[oracle701]

Success!
I kept playing around with your example of:

$Raw = "powershell.exe -c `"&{ Start-Process -FilePath 'D:\TEST\ftkimager\ftkimager.exe' -ArgumentList '$DRIVE','D:\Test01','--e01','--compress 5'}`""
$Raw = '```' + $Raw + '```'
Invoke-FalconRTR -Command runscript -Argument $Raw -HostId $AID

I finally go it to work with a variable by adding -Raw= to the beginning of it. So now I have:

$Raw = "powershell.exe -c `"&{ Start-Process -FilePath 'D:\TEST\ftkimager\ftkimager.exe' -ArgumentList '$DRIVE','D:\Test01','--e01','--compress 5'}`""
$Raw = '-Raw=' + '```' + $Raw + '```'
Invoke-FalconRTR -Command runscript -Argument $Raw -HostId $AID -Timeout 600

Thanx!

[bk-cs]

Sorry, that was a total typo on my part! Nice job.