Additional Shell Commands

Chris Hammond edited this page Aug 16, 2023 · 1 revision

Falcon Toolkit supports all the commands available in the Falcon Cloud, whilst also providing extra functionality that makes it more flexible as a command line application. This page documents the additional commands and options that extend beyond the Falcon documentation.

Each additional command or switch is implemented either by CrowdStrike in Falcon Toolkit, or by the underlying Cmd2 library. Where the latter provides a command, this page provides a link to the relevant Cmd2 docs.

cloud_scripts

This command lists all PowerShell and shell scripts stored in the Cloud. If you would like to execute one, use runscript -CloudFile. Note that you can tab complete cloud files, so combining cloud_scripts with runscript -CloudFile <tab> can save a lot of typos.

download

When a file has been retrieved from one or more systems via get, it can be downloaded via the download command. This command takes three arguments:

  • [optional] -b: a batch GET ID. This is not needed if you previously ran get within the same session, as it will default to the most recent get.
  • [optional] -e: all files uploaded to RTR are compressed to a .7z file and encrypted with the password infected. This switch will automatically extract files downloaded from this container and delete the archived version.
  • [mandatory] A folder to extract to. You can use tab to auto-complete this.

get

The get command in Falcon Toolkit is akin to the one in the Falcon UI, but it operates on the whole batch of connected systems. This means that if some file named C:\test.txt exists on 15 of the 50 systems you are connected to, and you run get C:\test.txt at the prompt, those 15 systems will upload the file to the Cloud. Grab the 15 files using the download command.

get_status

This command takes one parameter, -b, which corresponds to a batch GET ID. If you ran a get command in the current session, -b is not needed as it will default to the most recently run get. The output will be all systems that have succeeded in uploading the requested file to the Cloud.

The get_status command notably updates some state internally within the RTRPrompt object, which can be accessed in the Python bridge. This can be useful for use cases such as requesting a file from a thousand systems, then going round in a loop until at least 90% of systems have responded before downloading the outputs to a folder.

put_files

This command will list all PUT files stored in the Cloud. You can then use put to download one of those files to all connected systems. Note that put supports tab completion, so put_files combined with put can save a lot of typos.

run_pyscript

Inherited from Cmd2

Relevant Cmd2 Documentation: https://cmd2.readthedocs.io/en/latest/features/scripting.html#python-scripts

Cmd2 provides a Python bridge, which allows you to execute arbitrary Python code within the context of the Falcon Toolkit application. This enables use cases that automate RTR with control flow, automated decision making, loops, and more. Python scripts can access the RTRPrompt object (defined in falcon_toolkit/shell/prompt.py) via self (e.g., self.device_ids will fetch the list of AIDs associated with the shell session). RTR commands can be executed using the rtr function. Remember to escape quotes properly, as in this example:

rtr("runscript -Raw \"Get-ChildItem\"")
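The "wait until 90% of hosts have uploaded, then download" loop described under get_status, written as the kind of script run_pyscript would execute. This is an added example, not code from the Falcon Toolkit project; because this page does not name the RTRPrompt attribute that get_status refreshes, the script takes a completed_hosts callable as an assumption and ships with a constructed stand-in so it runs offline.

```python
"""Poll a batch GET until enough hosts have uploaded, then download.

Added example (not Falcon Toolkit code). The attribute that get_status
updates on the RTRPrompt object is not documented on this page, so the
poll is injected: `completed_hosts` should run get_status via rtr() and
return the set of AIDs that have finished uploading.
"""
import time
from typing import Callable, Set


def wait_for_batch(completed_hosts: Callable[[], Set[str]], expected: int,
                   threshold: float = 0.9, max_polls: int = 20,
                   interval: float = 0.0) -> dict:
    """Poll until completed/expected >= threshold or max_polls is hit.

    Returns a summary so the caller can decide whether to run download.
    """
    if expected <= 0:
        raise ValueError("expected host count must be positive")
    if not 0 < threshold <= 1:
        raise ValueError("threshold must be in (0, 1]")
    done: Set[str] = set()
    polls = 0
    while polls < max_polls:
        polls += 1
        done = set(completed_hosts())
        if len(done) / expected >= threshold:
            return {"reached": True, "completed": len(done), "polls": polls}
        time.sleep(interval)  # back off between get_status calls
    return {"reached": False, "completed": len(done), "polls": polls}


def simulated_status(uploads_per_poll: int, total: int) -> Callable[[], Set[str]]:
    """Constructed stand-in for get_status: each call completes more hosts."""
    state = {"n": 0}

    def poll() -> Set[str]:
        state["n"] = min(total, state["n"] + uploads_per_poll)
        return {f"aid-{i:04d}" for i in range(state["n"])}

    return poll


# Inside run_pyscript the wiring would look like this (assumed; the exact
# RTRPrompt attribute refreshed by get_status is not named on this page):
#   rtr("get C:\\test.txt")
#   def completed():
#       rtr("get_status")
#       return set(self.<attribute refreshed by get_status>)
#   if wait_for_batch(completed, expected=len(self.device_ids))["reached"]:
#       rtr("download -e ./collected")
if __name__ == "__main__":
    print(wait_for_batch(simulated_status(100, 1000), expected=1000))
```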

run_script

Inherited from Cmd2

Relevant Cmd2 Documentation: https://cmd2.readthedocs.io/en/latest/features/scripting.html#running-command-scripts

Not to be confused with runscript, run_script allows you to execute a list of RTR shell commands sequentially. This effectively allows you to automate the toolkit by 'playing back' a list of commands.

runscript -WorkstationPath

The runscript command's -Raw, -CloudFile and -HostPath modes work identically in Falcon Toolkit to how they work in the Cloud, with the exception that triple backticks are not needed (the Toolkit adds these for you). However, Falcon Toolkit augments this command with a fourth switch: -WorkstationPath. This takes the path to a script on your own system (.ps1, .sh, etc.) and executes it on all connected systems via -Raw. This means you do not need to copy and paste a long script into the shell, or upload it to the Cloud before executing.