search

CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense
353 stars 66 forks source link

Get-FalconHostGroup returns Invalid JSON primitive error #281

Closed infosec-stevecotton closed 1 year ago

infosec-stevecotton commented 1 year ago

Describe the bug When attempting to retrieve Host group ID via Get-FalconHostGroup an Invoke-Falcon : Invalid JSON primitive error is returned.

To Reproduce Get a token using Request-FalconToken Confirm Test-FalconToken returns True Get-FalconHostGroup -Filter "name:hostgroupname" returns error

Expected behavior GroupID for hostgroup would be returned. Was working 2 weeks ago (last time script run).

Environment:

Additional context Other cmdlets appear to work. Get-FalconHost for example works without issue.

Transcript content

Windows PowerShell transcript start Start time: 20230209115102 Username: DOMAIN\USERNAME RunAs User: DOMAIN\USERNAME Configuration Name: Machine: HOSTNAME (Microsoft Windows NT 10.0.19045.0) Host Application: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -ExecutionPolicy Bypass -Command Import-Module 'c:\Users\USERNAME.vscode\extensions\ms-vscode.powershell-2022.12.1\modules\PowerShellEditorServices\PowerShellEditorServices.psd1'; Start-EditorServices -HostName 'Visual Studio Code Host' -HostProfileId 'Microsoft.VSCode' -HostVersion '2022.12.1' -AdditionalModules @('PowerShellEditorServices.VSCode') -BundledModulesPath 'c:\Users\USERNAME.vscode\extensions\ms-vscode.powershell-2022.12.1\modules' -EnableConsoleRepl -StartupBanner "PowerShell Extension v2022.12.1 Copyright (c) Microsoft Corporation.

https://aka.ms/vscode-powershell Type 'help' to get help. " -LogLevel 'Normal' -LogPath 'c:\Users\USERNAME\AppData\Roaming\Code\User\globalStorage\ms-vscode.powershell\logs\1675941284-771a8371-75a1-4a0e-8257-49ad133e83811675941283177\EditorServices.log' -SessionDetailsPath 'c:\Users\USERNAME\AppData\Roaming\Code\User\globalStorage\ms-vscode.powershell\sessions\PSES-VSCode-20564-172036.json' -FeatureFlags @() Process ID: 3020 PSVersion: 5.1.19041.2364 PSEdition: Desktop PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1.19041.2364 BuildVersion: 10.0.19041.2364 CLRVersion: 4.0.30319.42000 WSManStackVersion: 3.0 PSRemotingProtocolVersion: 2.3 SerializationVersion: 1.1.0.1

Transcript started, output file is C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\PowerShell_transcript.HOSTNAME.7PHcY9OS.20230209115102.txt ]633;E;Start-Transcript]633;D;0]633;A]633;P;Cwd=C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAINPS C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAIN> ]633;B PS>CommandInvocation(Get-Command): "Get-Command"

ParameterBinding(Get-Command): name="ListImported"; value="True" ParameterBinding(Get-Command): name="CommandType"; value="Alias"

CommandType Name Version Source

Alias % -> ForEach-Object Alias ? -> Where-Object Alias ac -> Add-Content Alias asnp -> Add-PSSnapin Alias cat -> Get-Content Alias cd -> Set-Location Alias CFS -> ConvertFrom-String 3.1.0.0 Microsoft.PowerShell.Utility Alias chdir -> Set-Location Alias clc -> Clear-Content Alias clear -> Clear-Host Alias clhy -> Clear-History Alias cli -> Clear-Item Alias clp -> Clear-ItemProperty Alias cls -> Clear-Host Alias clv -> Clear-Variable Alias cnsn -> Connect-PSSession Alias compare -> Compare-Object Alias copy -> Copy-Item Alias cp -> Copy-Item Alias cpi -> Copy-Item Alias cpp -> Copy-ItemProperty Alias curl -> Invoke-WebRequest Alias cvpa -> Convert-Path Alias dbp -> Disable-PSBreakpoint Alias del -> Remove-Item Alias diff -> Compare-Object Alias dir -> Get-ChildItem Alias dnsn -> Disconnect-PSSession Alias ebp -> Enable-PSBreakpoint Alias echo -> Write-Output Alias epal -> Export-Alias Alias epcsv -> Export-Csv Alias epsn -> Export-PSSession Alias erase -> Remove-Item Alias etsn -> Enter-PSSession Alias exsn -> Exit-PSSession Alias fc -> Format-Custom Alias fhx -> Format-Hex 3.1.0.0 Microsoft.PowerShell.Utility Alias fl -> Format-List Alias foreach -> ForEach-Object Alias ft -> Format-Table Alias fw -> Format-Wide Alias gal -> Get-Alias Alias gbp -> Get-PSBreakpoint Alias gc -> Get-Content Alias gcb -> Get-Clipboard 3.1.0.0 Microsoft.PowerShell.Management Alias gci -> Get-ChildItem Alias gcm -> Get-Command Alias gcs -> Get-PSCallStack Alias gdr -> Get-PSDrive Alias ghy -> Get-History Alias gi -> Get-Item Alias gin -> Get-ComputerInfo 3.1.0.0 Microsoft.PowerShell.Management Alias gjb -> Get-Job Alias gl -> Get-Location Alias gm -> Get-Member Alias gmo -> Get-Module Alias gp -> Get-ItemProperty Alias gps -> Get-Process Alias gpv -> Get-ItemPropertyValue Alias group -> Group-Object Alias gsn -> Get-PSSession Alias gsnp -> Get-PSSnapin Alias gsv -> Get-Service Alias gtz -> Get-TimeZone 3.1.0.0 Microsoft.PowerShell.Management Alias gu -> Get-Unique Alias gv -> Get-Variable Alias gwmi -> Get-WmiObject Alias h -> Get-History Alias history -> Get-History Alias icm -> Invoke-Command Alias iex -> Invoke-Expression Alias ihy -> Invoke-History Alias ii -> Invoke-Item Alias ipal -> Import-Alias Alias ipcsv -> Import-Csv Alias ipmo -> Import-Module Alias ipsn -> Import-PSSession Alias irm -> Invoke-RestMethod Alias ise -> powershell_ise.exe Alias iwmi -> Invoke-WmiMethod Alias iwr -> Invoke-WebRequest Alias kill -> Stop-Process Alias lp -> Out-Printer Alias ls -> Get-ChildItem Alias man -> help Alias md -> mkdir Alias measure -> Measure-Object Alias mi -> Move-Item Alias mount -> New-PSDrive Alias move -> Move-Item Alias mp -> Move-ItemProperty Alias mv -> Move-Item Alias nal -> New-Alias Alias ndr -> New-PSDrive Alias ni -> New-Item Alias nmo -> New-Module Alias npssc -> New-PSSessionConfigurationFile Alias nsn -> New-PSSession Alias nv -> New-Variable Alias ogv -> Out-GridView Alias oh -> Out-Host Alias popd -> Pop-Location Alias ps -> Get-Process Alias psedit -> Open-EditorFile 0.2.0 PowerShellEditorServices.Commands Alias pushd -> Push-Location Alias pwd -> Get-Location Alias r -> Invoke-History Alias rbp -> Remove-PSBreakpoint Alias rcjb -> Receive-Job Alias rcsn -> Receive-PSSession Alias rd -> Remove-Item Alias rdr -> Remove-PSDrive Alias ren -> Rename-Item Alias ri -> Remove-Item Alias rjb -> Remove-Job Alias rm -> Remove-Item Alias rmdir -> Remove-Item Alias rmo -> Remove-Module Alias rni -> Rename-Item Alias rnp -> Rename-ItemProperty Alias rp -> Remove-ItemProperty Alias rsn -> Remove-PSSession Alias rsnp -> Remove-PSSnapin Alias rujb -> Resume-Job Alias rv -> Remove-Variable Alias rvpa -> Resolve-Path Alias rwmi -> Remove-WmiObject Alias sajb -> Start-Job Alias sal -> Set-Alias Alias saps -> Start-Process Alias sasv -> Start-Service Alias sbp -> Set-PSBreakpoint Alias sc -> Set-Content Alias scb -> Set-Clipboard 3.1.0.0 Microsoft.PowerShell.Management Alias select -> Select-Object Alias set -> Set-Variable Alias shcm -> Show-Command Alias si -> Set-Item Alias sl -> Set-Location Alias sleep -> Start-Sleep Alias sls -> Select-String Alias sort -> Sort-Object Alias sp -> Set-ItemProperty Alias spjb -> Stop-Job Alias spps -> Stop-Process Alias spsv -> Stop-Service Alias start -> Start-Process Alias stz -> Set-TimeZone 3.1.0.0 Microsoft.PowerShell.Management Alias sujb -> Suspend-Job Alias sv -> Set-Variable Alias swmi -> Set-WmiInstance Alias tee -> Tee-Object Alias trcm -> Trace-Command Alias type -> Get-Content Alias wget -> Invoke-WebRequest Alias where -> Where-Object Alias wjb -> Wait-Job Alias write -> Write-Output

]633;E]633;D]633;A]633;P;Cwd=C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAINPS C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAIN> ]633;B PS>Get-FalconHostGroup -Filter "name:GRPNAME" VERBOSE: [ApiClient.Invoke] GET https://api.crowdstrike.com/devices/queries/host-groups/v1?filter=name:GRPNAME VERBOSE: [ApiClient.Invoke] Accept=application/json VERBOSE: [ApiClient.Invoke] 400: BadRequest VERBOSE: [ApiClient.Invoke] Connection=keep-alive, Strict-Transport-Security=max-age=15724800; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-1, X-Cs-Traceid=cba51856-f580-4678-b331-3c07d8ba56a2, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5999, Date=Thu, 09 Feb 2023 11:51:11 GMT, Server=nginx PS>TerminatingError(ConvertFrom-Json): "Invalid JSON primitive: ." Invoke-Falcon : Invalid JSON primitive: . At C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.4\Public\devices.ps1:361 char:13

]633;E;Get-FalconHostGroup -Filter "name:GRPNAME"]633;D;0]633;A]633;P;Cwd=C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAINPS C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAIN> ]633;B PS>CommandInvocation(Get-Command): "Get-Command"

ParameterBinding(Get-Command): name="ListImported"; value="True" ParameterBinding(Get-Command): name="CommandType"; value="Alias"

CommandType Name Version Source

Alias % -> ForEach-Object Alias ? -> Where-Object Alias ac -> Add-Content Alias asnp -> Add-PSSnapin Alias cat -> Get-Content Alias cd -> Set-Location Alias CFS -> ConvertFrom-String 3.1.0.0 Microsoft.PowerShell.Utility Alias chdir -> Set-Location Alias clc -> Clear-Content Alias clear -> Clear-Host Alias clhy -> Clear-History Alias cli -> Clear-Item Alias clp -> Clear-ItemProperty Alias cls -> Clear-Host Alias clv -> Clear-Variable Alias cnsn -> Connect-PSSession Alias compare -> Compare-Object Alias copy -> Copy-Item Alias cp -> Copy-Item Alias cpi -> Copy-Item Alias cpp -> Copy-ItemProperty Alias curl -> Invoke-WebRequest Alias cvpa -> Convert-Path Alias dbp -> Disable-PSBreakpoint Alias del -> Remove-Item Alias diff -> Compare-Object Alias dir -> Get-ChildItem Alias dnsn -> Disconnect-PSSession Alias ebp -> Enable-PSBreakpoint Alias echo -> Write-Output Alias epal -> Export-Alias Alias epcsv -> Export-Csv Alias epsn -> Export-PSSession Alias erase -> Remove-Item Alias etsn -> Enter-PSSession Alias exsn -> Exit-PSSession Alias fc -> Format-Custom Alias fhx -> Format-Hex 3.1.0.0 Microsoft.PowerShell.Utility Alias fl -> Format-List Alias foreach -> ForEach-Object Alias ft -> Format-Table Alias fw -> Format-Wide Alias gal -> Get-Alias Alias gbp -> Get-PSBreakpoint Alias gc -> Get-Content Alias gcb -> Get-Clipboard 3.1.0.0 Microsoft.PowerShell.Management Alias gci -> Get-ChildItem Alias gcm -> Get-Command Alias gcs -> Get-PSCallStack Alias gdr -> Get-PSDrive Alias ghy -> Get-History Alias gi -> Get-Item Alias gin -> Get-ComputerInfo 3.1.0.0 Microsoft.PowerShell.Management Alias gjb -> Get-Job Alias gl -> Get-Location Alias gm -> Get-Member Alias gmo -> Get-Module Alias gp -> Get-ItemProperty Alias gps -> Get-Process Alias gpv -> Get-ItemPropertyValue Alias group -> Group-Object Alias gsn -> Get-PSSession Alias gsnp -> Get-PSSnapin Alias gsv -> Get-Service Alias gtz -> Get-TimeZone 3.1.0.0 Microsoft.PowerShell.Management Alias gu -> Get-Unique Alias gv -> Get-Variable Alias gwmi -> Get-WmiObject Alias h -> Get-History Alias history -> Get-History Alias icm -> Invoke-Command Alias iex -> Invoke-Expression Alias ihy -> Invoke-History Alias ii -> Invoke-Item Alias ipal -> Import-Alias Alias ipcsv -> Import-Csv Alias ipmo -> Import-Module Alias ipsn -> Import-PSSession Alias irm -> Invoke-RestMethod Alias ise -> powershell_ise.exe Alias iwmi -> Invoke-WmiMethod Alias iwr -> Invoke-WebRequest Alias kill -> Stop-Process Alias lp -> Out-Printer Alias ls -> Get-ChildItem Alias man -> help Alias md -> mkdir Alias measure -> Measure-Object Alias mi -> Move-Item Alias mount -> New-PSDrive Alias move -> Move-Item Alias mp -> Move-ItemProperty Alias mv -> Move-Item Alias nal -> New-Alias Alias ndr -> New-PSDrive Alias ni -> New-Item Alias nmo -> New-Module Alias npssc -> New-PSSessionConfigurationFile Alias nsn -> New-PSSession Alias nv -> New-Variable Alias ogv -> Out-GridView Alias oh -> Out-Host Alias popd -> Pop-Location Alias ps -> Get-Process Alias psedit -> Open-EditorFile 0.2.0 PowerShellEditorServices.Commands Alias pushd -> Push-Location Alias pwd -> Get-Location Alias r -> Invoke-History Alias rbp -> Remove-PSBreakpoint Alias rcjb -> Receive-Job Alias rcsn -> Receive-PSSession Alias rd -> Remove-Item Alias rdr -> Remove-PSDrive Alias ren -> Rename-Item Alias ri -> Remove-Item Alias rjb -> Remove-Job Alias rm -> Remove-Item Alias rmdir -> Remove-Item Alias rmo -> Remove-Module Alias rni -> Rename-Item Alias rnp -> Rename-ItemProperty Alias rp -> Remove-ItemProperty Alias rsn -> Remove-PSSession Alias rsnp -> Remove-PSSnapin Alias rujb -> Resume-Job Alias rv -> Remove-Variable Alias rvpa -> Resolve-Path Alias rwmi -> Remove-WmiObject Alias sajb -> Start-Job Alias sal -> Set-Alias Alias saps -> Start-Process Alias sasv -> Start-Service Alias sbp -> Set-PSBreakpoint Alias sc -> Set-Content Alias scb -> Set-Clipboard 3.1.0.0 Microsoft.PowerShell.Management Alias select -> Select-Object Alias set -> Set-Variable Alias shcm -> Show-Command Alias si -> Set-Item Alias sl -> Set-Location Alias sleep -> Start-Sleep Alias sls -> Select-String Alias sort -> Sort-Object Alias sp -> Set-ItemProperty Alias spjb -> Stop-Job Alias spps -> Stop-Process Alias spsv -> Stop-Service Alias start -> Start-Process Alias stz -> Set-TimeZone 3.1.0.0 Microsoft.PowerShell.Management Alias sujb -> Suspend-Job Alias sv -> Set-Variable Alias swmi -> Set-WmiInstance Alias tee -> Tee-Object Alias trcm -> Trace-Command Alias type -> Get-Content Alias wget -> Invoke-WebRequest Alias where -> Where-Object Alias wjb -> Wait-Job Alias write -> Write-Output

]633;E]633;D]633;A]633;P;Cwd=C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAINPS C:\Users\USERNAME\OneDrive - DOMAIN.co.uk\Documents\GitHub\DOMAIN> ]633;B PS>Stop-Transcript

Windows PowerShell transcript end End time: 20230209115117

infosec-stevecotton commented 1 year ago

Its not DNS There's no way its DNS It was DNS

bk-cs commented 1 year ago

It was an API issue that affected all SDKs... might as well have been DNS.