[ BUG ] `Invoke-FalconDeploy` produces `null-valued expression` error during `put` step

[0xBK-tull]

Describe the bug When I go to run Invoke-FalconDeploy, about half the time I get an error message at the put stage. The error is as follows:

Set-Property : You cannot call a method on a null-valued expression.

At C:\Users\ausergoeshere\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.7\public\real-time-response.ps1:627 char:15

+ Set-Property $_ batch_id $BatchId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-Property], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull,Set-Property

Environment (please complete the following information):

• OS: Windows 11 and Windows 10, various versions.
• PowerShell: 5.1 and 7.4.5
• PSFalcon: 2.2.7

Additional context I had posted on reddit about this and bk-CS advised me to open this bug report. Apologies for the delay bk-CS, I got side tracked by a convention known as Fal.Con.

Transcript content

---

PowerShell transcript start
Start time: 20240913094405
Username: 
RunAs User: 
Configuration Name: 
Machine: (Microsoft Windows NT 10.0.22631.0)
Host Application: C:\Program Files\PowerShell\7\pwsh.dll
Process ID: 18104
PSVersion: 7.4.5
PSEdition: Core
GitCommitId: 7.4.5
OS: Microsoft Windows 10.0.22631
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\USER_NAME\Documents\PowerShell_transcript.computer.xaAchM5_.20240913094405.txt
PS C:\Users\USER_NAME\Documents\software> Invoke-FalconDeploy -File .\software_agentcompany.msi -Argument '/quiet' -GroupId GROUP_ID -QueueOffline $True
VERBOSE: 09:44:13 [Get-FalconHost] /devices/queries/devices-scroll/v1:get
VERBOSE: 09:44:13 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/devices/queries/devices-scroll/v1?limit=5000&filter=groups%3A%5B%27GROUP_ID%27%5D
VERBOSE: 09:44:13 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:44:14 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:14 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=c8f55c84-2bb3-464f-9d40-452b95c860a0, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5999
VERBOSE: 09:44:14 [Write-Result] query_time=0.129350545, pagination.total=20, pagination.offset=FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoAhYwUTBUaDE3MFJ5V0pFSy1RcWd3ZGlRAAAAAAhzOaYWb253UHZLLVZTbEtVd0k1ajBqb0Q2URZ3N0hORURKZFQ2eWJ0QUVOVDg5enJ3AAAAAAkchFQWTXdxMWlMRTRRTXVTY3hzR0FpUzlGZw==, pagination.expires_at=1726235175085528528, powered_by=device-api, trace_id=c8f55c84-2bb3-464f-9d40-452b95c860a0
VERBOSE: 09:44:14 [Get-FalconHost] /devices/entities/devices/v2:post
VERBOSE: 09:44:14 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/devices/entities/devices/v2
VERBOSE: 09:44:14 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:44:14 [ApiClient.Invoke] {"ids":["ids go here"]}
VERBOSE: 09:44:14 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:14 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=61f1483f-3c10-4fcf-9409-f0dd20f14b39, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5998
VERBOSE: 09:44:14 [Write-Result] query_time=0.163027715, powered_by=device-api, trace_id=61f1483f-3c10-4fcf-9409-f0dd20f14b39
[Invoke-FalconDeploy] Checking cloud for existing file...
VERBOSE: 09:44:14 [Get-FalconPutFile] /real-time-response/queries/put-files/v1:get
VERBOSE: 09:44:14 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/real-time-response/queries/put-files/v1?filter=name%3A%5B%27software_agentcompany.msi%27%5D
VERBOSE: 09:44:14 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:44:14 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:14 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=9bacb171-ee70-42d4-ba23-ba320a0a6c1b, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5997
VERBOSE: 09:44:14 [Write-Result] query_time=0.028381058, pagination.offset=0, pagination.limit=100, pagination.total=1, powered_by=empower-api, trace_id=9bacb171-ee70-42d4-ba23-ba320a0a6c1b
VERBOSE: 09:44:14 [Get-FalconPutFile] /real-time-response/entities/put-files/v2:get
VERBOSE: 09:44:14 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/real-time-response/entities/put-files/v2?ids=ids_go_here
VERBOSE: 09:44:14 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:44:15 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:15 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=f2b1b118-a82f-4fc7-91ec-4111de37774c, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5996
VERBOSE: 09:44:15 [Write-Result] query_time=0.030316615, powered_by=empower-api, trace_id=f2b1b118-a82f-4fc7-91ec-4111de37774c
[Invoke-FalconDeploy] Matched hash values between local and cloud files.
VERBOSE: 09:44:15 [Start-FalconSession] /real-time-response/combined/batch-init-session/v1:post
VERBOSE: 09:44:15 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-init-session/v1?timeout=60&host_timeout_duration=54s
VERBOSE: 09:44:15 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:44:15 [ApiClient.Invoke] 
{"host_ids":["host IDs go here"],"queue_offline":true}
VERBOSE: 09:45:09 [ApiClient.Invoke] 201: Created
VERBOSE: 09:45:09 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:45:10 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=6d5bfc7d-93ea-42b1-bcae-531f659d54f4, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5995
VERBOSE: 09:45:09 [Write-Result] query_time=54.001134109, powered_by=empower-api, trace_id=6d5bfc7d-93ea-42b1-bcae-531f659d54f4
WARNING: [Start-FalconSession] 50401: Exceeded maximum connect timeout: 54.00s [aid: c38df52d89fb42329e2ade8874a0cacd]
VERBOSE: 09:45:09 [Stop-RtrUpdate] Removed job: psfalcon-rtr_20240913T0937083386
VERBOSE: 09:45:09 [Start-RtrUpdate] Started job: psfalcon-rtr_20240913T0945094632
[Invoke-FalconDeploy] Initiated session with 19 host(s)...
[Invoke-FalconDeploy] Issuing 'mkdir' to 19 Windows host(s)...
VERBOSE: 09:45:10 [Invoke-FalconAdminCommand] /real-time-response/combined/batch-admin-command/v1:post
VERBOSE: 09:45:10 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-admin-command/v1?timeout=60
VERBOSE: 09:45:10 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:45:10 [ApiClient.Invoke] {"optional_hosts":["hosts here"],"base_command":"mkdir","command_string":"mkdir \\Windows\\Temp\\FalconDeploy_20240913T0944138568","batch_id":"2417d1c6-deba-4725-b3ca-98e8b4a92b30"}
VERBOSE: 09:45:12 [ApiClient.Invoke] 201: Created
VERBOSE: 09:45:12 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:45:12 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=8ea278b1-c0bf-43d4-943b-8c9e2b48c368, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5994
VERBOSE: 09:45:12 [Write-Result] query_time=1.364566246, powered_by=empower-api, trace_id=8ea278b1-c0bf-43d4-943b-8c9e2b48c368
[Invoke-FalconDeploy] Issuing 'cd' to 19 Windows host(s)...
VERBOSE: 09:45:13 [Invoke-FalconAdminCommand] /real-time-response/combined/batch-admin-command/v1:post
VERBOSE: 09:45:13 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-admin-command/v1?timeout=60
VERBOSE: 09:45:13 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:45:13 [ApiClient.Invoke] {"optional_hosts":["hosts here"],"base_command":"cd","command_string":"cd \\Windows\\Temp\\FalconDeploy_20240913T0944138568","batch_id":"2417d1c6-deba-4725-b3ca-98e8b4a92b30"}
VERBOSE: 09:45:13 [ApiClient.Invoke] 201: Created
VERBOSE: 09:45:13 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:45:14 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=23bcf81c-6fb9-4b90-a0a6-fce4cb2e3e42, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5994
VERBOSE: 09:45:13 [Write-Result] query_time=0.503824135, powered_by=empower-api, trace_id=23bcf81c-6fb9-4b90-a0a6-fce4cb2e3e42
[Invoke-FalconDeploy] Issuing 'put' to 19 Windows host(s)...
VERBOSE: 09:45:14 [Invoke-FalconAdminCommand] /real-time-response/combined/batch-admin-command/v1:post
VERBOSE: 09:45:14 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-admin-command/v1?timeout=600
VERBOSE: 09:45:15 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:45:15 [ApiClient.Invoke] {"optional_hosts":["hosts here"],"base_command":"put","command_string":"put software_agentcompany.msi","batch_id":"2417d1c6-deba-4725-b3ca-98e8b4a92b30"}
PS C:\Users\USER_NAME\Documents\software> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."
>> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."

PS C:\Users\USER_NAME\Documents\software> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."
>> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."
You cannot call a method on a null-valued expression.
Exception: C:\Users\USER_NAME\Documents\PowerShell\Modules\PSFalcon\2.2.7\public\real-time-response.ps1:627
Line |
 627 |                Set-Property $_ batch_id $BatchId
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.

**********************
PowerShell transcript end
End time: 20240913094925
**********************

[bk-cs]

I think I've narrowed this issue down to a couple of things:

• Default timeout for requests was 1 minute using the underlying HttpClient in PSFalcon. I think the put commands were not waiting long enough for completion.
• Invoke-FalconAdminCommand, Invoke-FalconCommand and Invoke-FalconResponderCommand were attempting to append batch_id to a timed out request (thus leading to the null-valued expression error).

I've updated class\Class.ps1, public\real-time-response.ps1 and public\psf-real-time-response.ps1 after some testing with Invoke-FalconDeploy using large files (~650MB). Can you try updating your local module with these changes and let me know if it eliminates your error?

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/202892ae12b200c18662f20c8655af69a05c7da8/class/Class.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath class) Class.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/202892ae12b200c18662f20c8655af69a05c7da8/public/psf-real-time-response.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-real-time-response.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/202892ae12b200c18662f20c8655af69a05c7da8/public/real-time-response.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) real-time-response.ps1)

Please ensure that you close and re-open PowerShell and re-import PSFalcon before testing. The Class.ps1 changes will definitely not work without fully restarting PowerShell.