Invoke FalconDeploy
Deploy and run an executable using Real-time Response
'Put' files will be checked for identical file names, and if any are found, the Sha256 hash values will be compared between your local and cloud files. If they are different, a prompt will appear asking which file to use.
After ensuring that the 'Put' file is available, a Real-time Response session will be started for the designated host(s) (or members of the Host Group), 'mkdir' will create a folder ('FalconDeploy_') within the appropriate temporary folder (\Windows\Temp or /tmp), 'cd' will navigate to the new folder, and the target file or archive will be 'put' into that folder. If the target is an archive, it will be extracted, and the designated 'Run' file will be executed. If the target is a file, it will be 'run'.
Details of each step will be output to a CSV file in your current directory.
Requires 'Hosts: Read', 'Real time response (admin): Write'.
| Name | Type | Description | Min | Max | Allowed | Pipeline | PipelineByName |
|---|---|---|---|---|---|---|---|
| File | String | Name of a 'CloudFile' or path to a local executable to upload | |||||
| Archive | String | Name of a 'CloudFile' or path to a local archive (zip, tar, tar.gz, tgz) to upload | |||||
| Run | String | Name of the file to run once extracted from the target archive | |||||
| Argument | String | Arguments to include when running the target executable | |||||
| Timeout | Int32 | Length of time to wait for a result, in seconds [default: 60] | 30 |
600 |
|||
| QueueOffline | Boolean | Add non-responsive Hosts to the offline queue | |||||
| Include | String[] | Include additional properties |
agent_versioncidexternal_ipfirst_seenhostnamelast_seenlocal_ipmac_addressos_buildos_versionplatform_nameproduct_typeproduct_type_descserial_numbersystem_manufacturersystem_product_nametags
|
||||
| BypassExecPolicy | Switch | Bypass the PowerShell Execution Policy on target Windows hosts | |||||
| GroupId | String | Host group identifier | |||||
| HostId | String[] | Host identifier | X | X |
Invoke-FalconDeploy [-File] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-QueueOffline] <Boolean>] [[-Include] <String[]>] [[-BypassExecPolicy]] -HostId <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]Invoke-FalconDeploy [-File] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-QueueOffline] <Boolean>] [[-Include] <String[]>] [[-BypassExecPolicy]] -GroupId <String> [-WhatIf] [-Confirm] [<CommonParameters>]Invoke-FalconDeploy -Archive <String> [-Run] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-QueueOffline] <Boolean>] [[-Include] <String[]>] [[-BypassExecPolicy]] -GroupId <String> [-WhatIf] [-Confirm] [<CommonParameters>]Invoke-FalconDeploy -Archive <String> [-Run] <String> [[-Argument] <String>] [[-Timeout] <Int32>] [[-QueueOffline] <Boolean>] [[-Include] <String[]>] [[-BypassExecPolicy]] -HostId <String[]> [-WhatIf] [-Confirm] [<CommonParameters>]Invoke-FalconDeploy was developed to support mass-deployment of Falcon Forensics, but has since been expanded to support additional file types. It is designed to upload a file to your 'Put Files' library, create a session with target hosts, push the file to those hosts, then execute it (after expanding archives, when appropriate) and output the results to CSV.
The File and Run parameters accept exectuables or scripts (.ps1, .sh, .zsh) while Archive accepts .zip, .tar, tar.gz or .tgz.
Files to be delivered to the host will be stored in the appropriate temporary directory (C:\Windows\Temp or /tmp) under a unique folder each time the command is run (FalconDeploy_<FileDateTime>).
NOTE: Because Real-time Response does not interact with logged in users, the executable must be able to be run silently and without user interaction.
Invoke-FalconDeploy -File .\File.exe -HostId <id>, <id> [-QueueOffline]Invoke-FalconDeploy -File ./npp.8.2.1.Installer.x64.exe -Argument '/S' -GroupId <group_id>Archive: ./npp_installer.zip
Length Date Time Name
--------- ---------- ----- ----
4399816 04-20-2022 09:51 npp.8.2.1.Installer.x64.exe
173 03-28-2022 12:35 some_other_file.csv
--------- -------
4399989 2 files
Invoke-FalconDeploy -Archive npp_installer.zip -Run 'npp.8.2.1.Installer.x64.exe' -Argument '/S' -HostId <id>Results will be output to FalconDeploy_<FileDateTime>.csv within your local directory.
2024-12-19: PSFalcon v2.2.8
