This is a script for CrowdStrike Falcon customers that fetches the hosts of a CID or Host Group and uses the batch command and offline queuing features of the Real-Time Response (RTR) API to centrally and conveniently push a HOSTS file to Windows endpoints.
The script uses the fantastic FalconPY SDK.
- It uses native RTR commands, which will not trigger a detection/prevention related to sensor anti-tampering.
- Because it uses the RTR API, it runs centrally through our cloud; it does NOT need to be distributed to each targeted host.
- The script uses the queuing feature of RTR, so hosts don't need to be online when the script is executed; they will receive the commands if they connect to our cloud within the next 7 days.
- The hosts file to push to endpoints is selectable (by hash) from the files uploaded in the "put files" section of the console.
- When using CID as scope, the script checks that the CID specified corresponds to the CID where the API client was created.
- The script checks that the file being pushed to the endpoints exists in the console.
This script relies on the FalconPY SDK.
On the machine where you have Python installed, use the following command to install FalconPY:

```
python3 -m pip install crowdstrike-falconpy
```
In order to run this script, you will need access to CrowdStrike API keys with the following scopes:
| Service Collection | Scope |
|---|---|
| Hosts | READ |
| Host Group | READ |
| Real-Time Response | WRITE, READ |
| Real-Time Response (admin) | WRITE |
| Sensor Download | READ |
In addition to this, you will need the endpoints to be assigned to a "Response Policy" that allows "Real Time Response" and has the "custom scripts", "put" and "run" commands enabled.
Lastly, the desired "hosts" file to push to Windows endpoints needs to be uploaded to the "Falcon Real Time Response" > "put files" section in the console.
This script accepts the following input parameters.

| Parameter | Purpose | Category |
|---|---|---|
| --falcon_client_id | Falcon API client ID | required |
| --falcon_client_secret | Falcon API client secret | required |
| --scope | cid or hostgroup | required |
| --scope_id | Either the CID or the Host Group ID | required |
| --base_url | CrowdStrike base URL (only required for GovCloud, pass usgov1) | optional |
| --hosts_file | Hash (SHA256) of the "put file" to push to endpoints as "hosts" file | required |
If you want to push a hosts file:

```
python3 pushhosts.py --falcon_client_id FALCON_CLIENT_ID --falcon_client_secret FALCON_CLIENT_SECRET --scope hostgroup --scope_id HOST_GROUP_ID --hosts_file FILEHASH
```
What the script does on every Windows endpoint in the CID or Host Group scope:
- Change the working directory to c:\windows\system32\drivers\etc\
- Rename the existing 'hosts' file to 'hosts.TIMESTAMP.backup'
- Copy the new 'hosts' file from the Falcon platform with the 'put' command.
- Rename the new file to 'hosts' if it is not already named that.
- Grant Read and Execute permissions on the new 'hosts' file to the built-in group 'Users'.
- Flush the DNS resolver cache.
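The per-endpoint flow above, as an added Python sketch that is not the project's own pushhosts.py: the input checks, the lookup of the "put file" by SHA256, and the ordered RTR command sequence, followed by queuing it with FalconPY. The FalconPY calls used (batch_init_sessions, batch_command, batch_admin_command), the icacls/ipconfig runscript chosen for the permission and DNS-flush steps, the ETC_DIR constant and the caller-supplied host-ID list are assumptions; the page does not show how the real script implements them.

```python
import re
from datetime import datetime, timezone

ETC_DIR = r"C:\Windows\System32\drivers\etc"  # directory the first step changes into (assumed spelling)
BT = "`" * 3  # RTR wraps a raw runscript body in triple backticks

def arg_errors(scope, hosts_file):
    """Return the README's input-validation problems as a list (empty list means the args are OK)."""
    errors = []
    if scope not in ("cid", "hostgroup"):
        errors.append("--scope must be 'cid' or 'hostgroup'")
    if not re.fullmatch(r"[0-9a-fA-F]{64}", hosts_file or ""):
        errors.append("--hosts_file must be the SHA256 hash of a file uploaded under 'put files'")
    return errors

def find_put_file(put_files, sha256):
    """Pick the console 'put file' record whose sha256 matches; None means it was never uploaded."""
    for record in put_files:
        if record.get("sha256", "").lower() == sha256.lower():
            return record
    return None

def build_command_plan(put_file_name, timestamp):
    """Ordered RTR commands for one endpoint as (api_class, base_command, command_string) tuples."""
    plan = [
        ("RealTimeResponse", "cd", f"cd {ETC_DIR}"),
        ("RealTimeResponse", "mv", f"mv hosts hosts.{timestamp}.backup"),
        ("RealTimeResponseAdmin", "put", f"put {put_file_name}"),
    ]
    if put_file_name != "hosts":
        plan.append(("RealTimeResponse", "mv", f"mv {put_file_name} hosts"))
    # Assumed implementation of the last two steps; S-1-5-32-545 is BUILTIN\Users on any locale.
    ps = 'icacls hosts /grant "*S-1-5-32-545:(RX)"; ipconfig /flushdns'
    plan.append(("RealTimeResponseAdmin", "runscript", f"runscript -Raw={BT}{ps}{BT}"))
    return plan

def push_hosts(client_id, client_secret, host_ids, put_file_name, base_url="auto"):
    """Queue the plan to every host in one RTR batch; queue_offline covers hosts that are offline."""
    from falconpy import RealTimeResponse, RealTimeResponseAdmin  # needs crowdstrike-falconpy
    rtr = RealTimeResponse(client_id=client_id, client_secret=client_secret, base_url=base_url)
    admin = RealTimeResponseAdmin(auth_object=rtr)
    batch_id = rtr.batch_init_sessions(host_ids=host_ids, queue_offline=True)["body"]["batch_id"]
    stamp = datetime.now(timezone.utc).strftime("%Y%m%d%H%M%S")
    results = []
    for api, base, cmd in build_command_plan(put_file_name, stamp):
        call = admin.batch_admin_command if api == "RealTimeResponseAdmin" else rtr.batch_command
        results.append(call(base_command=base, command_string=cmd, batch_id=batch_id)["status_code"])
    return results
```

Gathering host_ids (all Windows hosts of the CID, or the members of a Host Group) is left to the Hosts and Host Group API calls the README lists under required scopes.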