
crwd-pushhosts's Introduction

PushHosts v1.3

This is a script for CrowdStrike Falcon customers. It fetches the hosts of a CID or Host Group and uses the batch command and offline queuing features of the Real-Time Response (RTR) API to centrally and conveniently push HOSTS files to Windows endpoints.

The script uses the fantastic FalconPY SDK.

  • It uses native RTR commands, which will not trigger a detection or prevention related to sensor anti-tampering.
  • Because it uses the RTR API, it runs centrally through our cloud; it does NOT need to be distributed to each targeted host.
  • The script uses the queuing feature of RTR, so hosts don't need to be online when the script is executed; they will receive the commands if they connect to our cloud within the next 7 days.
  • The hosts file to push to endpoints is selectable (by hash) from the files uploaded in the "put files" section of the console.
  • When using CID as scope, the script checks that the CID specified corresponds to the CID where the API client is created.
  • The script checks that the file being pushed to the endpoints exists in the console.

‼️WARNING‼️ This script has the potential to disrupt network connections from the endpoint. It is recommended users test with a limited Host Group first to troubleshoot any issues.

‼️WARNING‼️ This script is still undergoing testing. Please see warning above. Your mileage may vary. You're on your own, etc.

Running the program

Step 0 - Install FalconPY

This script relies on the FalconPY SDK to work.

On the machine where you have Python installed, use the following command to install FalconPY.

python3 -m pip install crowdstrike-falconpy

Step 1 - API client

In order to run this script, you will need access to CrowdStrike API keys with the following scopes:


Service Collection            Scope
Hosts                         READ
Host Group                    READ
Real-Time Response            READ, WRITE
Real-Time Response (admin)    WRITE
Sensor Download               READ

Step 2 - RTR Policy

In addition to this, the endpoints must be assigned to a "Response Policy" that allows "Real Time Response" and has the "custom scripts", "put" and "run" commands enabled.


Step 3 - Upload file

Lastly, the desired "hosts" file to push to Windows endpoints needs to be uploaded to the "Falcon Real Time Response" > "put files" section in the console.

‼️WARNING‼️ When uploading the file, please use filenames WITHOUT SPACES.

‼️WARNING‼️ For this step, remember that the user uploading the file needs to have the "Real Time Responder - Administrator" role. The "Falcon Administrator" role does not include this role by default.


Step 4 - Execution

This script accepts the following input parameters.

Parameter                Purpose                                                                  Category
--falcon_client_id       Falcon API client ID                                                     required
--falcon_client_secret   Falcon API client secret                                                 required
--scope                  cid or hostgroup                                                         required
--scope_id               Either the CID or the Host Group ID                                      required
--base_url               CrowdStrike base URL (only required for GovCloud, pass usgov1)           optional
--hosts_file             Hash (SHA256) of the "put file" to push to endpoints as the "hosts" file required

If you want to push a hosts file:

python3 pushhosts.py --falcon_client_id FALCON_CLIENT_ID --falcon_client_secret FALCON_CLIENT_SECRET
                     --scope hostgroup --scope_id HOST_GROUP_ID --hosts_file FILEHASH

What the script does on every Windows endpoint that is part of the CID or Host Group scope:

  • Change working directory to c:\windows\system32\drivers\etc\
  • Rename 'hosts' file to 'hosts.TIMESTAMP.backup'
  • Copy new 'hosts' file from Falcon platform, with the 'put' command.
  • Rename new file to 'hosts' if not already named that.
  • Grant Read and Execute permissions on the new 'hosts' file to the built-in group 'Users'.
  • Flush DNS resolution cache.
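The per-endpoint procedure above, as an added Python example that is not the project's own pushhosts.py: it builds the RTR command sequence, resolves the put file by SHA256 (the check in the feature list), and drives FalconPY RealTimeResponse / RealTimeResponseAdmin clients, or any objects with batch_init_sessions, batch_admin_command, list_put_files and get_put_files methods. The exact icacls and ipconfig commands, the SID-based group name, and routing every step through the admin endpoint are assumptions; the caller creates the clients with the Step 1 API credentials.

```python
import re
import time

SHA256_RE = re.compile(r"^[0-9a-fA-F]{64}$")
ETC_DIR = r"C:\Windows\System32\drivers\etc"
USERS_SID = "*S-1-5-32-545"  # built-in Users by SID: survives localized group names
TICKS = "`" * 3  # runscript -Raw wraps the script body in triple backticks


def plan_commands(put_filename, stamp=None):
    """(base_command, command_string) pairs queued for each endpoint, following
    the README steps. icacls/ipconfig via runscript is an assumption."""
    if " " in put_filename:  # RTR 'put' takes the file name as a single token
        raise ValueError("put file names must not contain spaces")
    stamp = stamp or int(time.time())
    cmds = [
        ("cd", f"cd {ETC_DIR}"),
        ("mv", f"mv hosts hosts.{stamp}.backup"),  # restorable backup first
        ("put", f"put {put_filename}"),
    ]
    if put_filename != "hosts":
        cmds.append(("mv", f"mv {put_filename} hosts"))
    cmds.append(("runscript", f"runscript -Raw={TICKS}icacls hosts /grant {USERS_SID}:RX{TICKS}"))
    cmds.append(("runscript", f"runscript -Raw={TICKS}ipconfig /flushdns{TICKS}"))
    return cmds


def find_put_file(rtr_admin, sha256):
    """Resolve a put-file SHA256 to its console name; fail if it is not there."""
    if not SHA256_RE.match(sha256):
        raise ValueError("hosts_file must be a 64-hex-character SHA256")
    ids = rtr_admin.list_put_files()["body"].get("resources", [])
    files = rtr_admin.get_put_files(ids=ids)["body"].get("resources", []) if ids else []
    for f in files:
        if f.get("sha256", "").lower() == sha256.lower():
            return f["name"]
    raise LookupError("no put file with that SHA256 exists in this CID")


def push_hosts(rtr, rtr_admin, host_ids, sha256, queue_offline=True):
    """Open one batch session (queued up to 7 days for offline hosts) and run
    every step through the admin endpoint, which 'put' and 'runscript' need."""
    name = find_put_file(rtr_admin, sha256)
    init = rtr.batch_init_sessions(host_ids=host_ids, queue_offline=queue_offline)
    if init["status_code"] not in (200, 201):
        raise RuntimeError(f"batch_init_sessions failed: {init['status_code']}")
    batch_id = init["body"]["batch_id"]
    results = []
    for base, cmd in plan_commands(name):
        resp = rtr_admin.batch_admin_command(base_command=base, batch_id=batch_id, command_string=cmd)
        results.append((cmd, resp["status_code"]))
    return batch_id, results
```

Test first with a small Host Group, as the warning above says: a wrong hosts file queued to offline machines will still be applied when they reconnect.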


Contributors

areino