search

CrowdStrike / psfalcon

PowerShell for CrowdStrike's OAuth2 APIs
The Unlicense
364 stars 69 forks source link

[ BUG ] `Invoke-FalconDeploy` incorrect execution order when queued #375

Closed infosecgrab closed 1 month ago

infosecgrab commented 9 months ago

Describe the bug When using Invoke-FalconDeploy on an offline host, the cmd are queued but sometimes do not execute in correct order when host finally comes online.

To Reproduce With a offline "hostid": Invoke-FalconDeploy -Archive "Archive.zip" -Run "runfile.exe" -QueueOffline $true -HostId <hostid> If the different step command "mkdir","cd","put","runscript" are created with the same timestamp, the order of execution will be incorrect when the host comes online.

Expected behavior Each queued command for the same host should have a different timestamp in order to predict execution order

Environment (please complete the following information):

Additional context Below a curated/redacted result of Get-FalconQueue command after the host came online and cmd executed FalconQueue_20240104T1021017583.csv

Notice that the "cd" command, instead of last in order of execution should have in run in 2nd just after "mkdir" cmd image

bk-cs commented 9 months ago

Interesting report! Thank you for submitting it.

I'll talk with the RTR engineering team and see if I can uncover an effective solution.

It also looks like the Expand-Archive command is happening after the execution of runfile.exe too...

bk-cs commented 9 months ago

In testing, it appears that PSFalcon is simply too fast for the CrowdStrike APIs. ;)

I submitted a queued job using Invoke-FalconDeploy for a single device and the commands were issued within about 2 seconds. The RTR queue API doesn't have millisecond accuracy when commands are issued, so issuing commands as fast as PSFalcon does means that the queue has the potential to pass them to the target device out of order.

The only solution is to add a delay to Invoke-FalconDeploy to ensure that no two commands are given in the same second. I'll add that in for the next release.

bk-cs commented 9 months ago

I've implemented the fix for the next release.

Could you try updating public\psf-real-time-response.ps1 in your local module, test Invoke-FalconDeploy and let me know if it resolves your issue? You can update your module using the commands below.

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/d824c1cb1a96a540bfad6d06af4b7652e1d1b8e5/public/psf-real-time-response.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-real-time-response.ps1)
infosecgrab commented 9 months ago

Hey Awesome thanks a lot for the feedback, i didn't expect one so quick, you rock ! I tried the fix but ended up with some (but fewer than previously) unordered execution of queued commands. I edited your fix with a 2 seconds delay and it works perfectly. if ($QueueOffline -eq $true) { Start-Sleep -Seconds 2 }

It seems a 2 seconds delay is necessary.

bk-cs commented 1 month ago

This fix is included in the 2.2.7 release.