Comments (3)

bk-cs commented on May 22, 2024

Invoke-FalconDeploy combines the put and run Real-time Response commands. put does not provide the ability to specify a destination--it uploads the file to the current directory. If you want it to be in a different directory, you have to cd to that location first.

Invoke-FalconDeploy was created as a mechanism to deploy the Falcon Forensics executable, so I don't really have any intention of modifying it, especially because it works for most "upload and run this exe" use cases.

If you'd like to use a more complicated workflow (like using put to place the file in a specific directory), I recommend either using a combination of commands with Invoke-FalconRTR or creating a script with the necessary commands to step through each of the parts of what you're trying to do. It might look something like...

Start-FalconSession ...
Send-FalconCommand -Command cd ...
Send-FalconAdminCommand -Command put ...
Send-FalconAdminCommand -Command run ...

Then you'll have to keep track of the responses and update accordingly. You can see an example of how to do this by looking at the code within Invoke-FalconRTR (the Invoke-RTR function in Public\Scripts.ps1) or Invoke-FalconDeploy (Invoke-Deploy in the same Scripts.ps1 file) if you'd like to output the results to CSV.

from psfalcon.

lcfut commented on May 22, 2024

Thanks for the quick response.
I was using RTR commands like the "cd ......" "put foo.bar" "run foo.bar" and noticed the code was becoming multiple lines of code that could be replaced with the single line of Invoke-Deploy.

Could I start the session - send the command to CD into my folder then Invoke-Deploy and have it run from there?

bk-cs commented on May 22, 2024

Yes. Invoke-FalconRTR is meant as a way to run a single Real-time Response command. It creates the session (or batch), sends the command and outputs the results. Although it can be used repeatedly (and the API itself will "append" commands to existing sessions), the "proper" way to do it is to run through each individual step.

You can see examples of that entire workflow on the wiki: https://github.com/CrowdStrike/psfalcon/wiki/Real-time-Response#send-real-time-response-commands-to-a-batch-of-hosts

You'll basically follow those steps, but issue multiple commands to a single (or batch) session. If it's something that will take longer than the maximum timeout of 600 seconds (which defaults to 30 seconds if you don't specify it when issuing the command), you'll also need to keep a timer going and Update-FalconSession periodically to ensure the session running on each host does not expire.

You'll also want to add logic to only continue if the previous command was successful, so you don't end up doing things like using put in the wrong directory. You can see some examples of this with Invoke-FalconDeploy where it only selects successful hosts and then specifies the OptionalHostIds field on the next command.
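The "only continue if the previous command was successful" logic from the comment above, as an added example that is not part of the thread or of PSFalcon's own code. The sender is injected as a scriptblock so the gating can be run offline; the result fields (aid, complete, stderr, errors), the host IDs and the C:\Temp path are constructed assumptions.

```powershell
# Added example. Assumed per-host result fields: aid, complete, stderr, errors.
function Select-SucceededHostId {
    param([object[]]$Result)
    # A host counts as successful only if the command completed with no error output.
    $Result |
        Where-Object { $_.complete -and -not $_.stderr -and -not $_.errors } |
        ForEach-Object { $_.aid }
}

function Invoke-GatedStep {
    param(
        [Parameter(Mandatory)] [scriptblock]$Send,  # issues one command, returns one result per host
        [Parameter(Mandatory)] [object[]]$Step,     # ordered steps: @{ Command; Argument }
        [Parameter(Mandatory)] [string[]]$HostId
    )
    $Target = $HostId
    $Log = [System.Collections.Generic.List[object]]::new()
    foreach ($S in $Step) {
        if (-not $Target) { break }                 # no host left to run on
        $Result = @(& $Send $S.Command $S.Argument $Target)
        $Ok = @(Select-SucceededHostId $Result)
        foreach ($R in $Result) {
            $Log.Add([pscustomobject]@{
                aid = $R.aid; command = $S.Command
                ok = ($Ok -contains $R.aid); stderr = $R.stderr
            })
        }
        $Target = $Ok                               # next step targets successful hosts only
    }
    $Log
}

# Constructed stand-in for the real sender: host 'aid-2' fails the cd step.
$FakeSend = {
    param($Command, $Argument, $Ids)
    foreach ($Id in $Ids) {
        $Failed = ($Command -eq 'cd' -and $Id -eq 'aid-2')
        [pscustomobject]@{
            aid = $Id; complete = $true; errors = @()
            stderr = if ($Failed) { 'Cannot find path' } else { '' }
        }
    }
}

$Steps = @{ Command = 'cd'; Argument = 'C:\Temp' },
         @{ Command = 'put'; Argument = 'foo.bar' },
         @{ Command = 'run'; Argument = 'foo.bar' }
Invoke-GatedStep -Send $FakeSend -Step $Steps -HostId 'aid-1', 'aid-2' | Format-Table
```

Against a real batch session, `$Send` would wrap the batch command call and pass `$Ids` in the OptionalHostIds field mentioned above; the exact cmdlet and parameter names depend on the PSFalcon version in use.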
