search

pony

CrowdStrike FalconPy CrowdStrike FalconPy CrowdStrike Subredditarrow-up-right

hashtag
My Little RTR

hashtag
Using Real Time Response to retrieve basic system information

This example leverages an open-source project that retrieves system information to pull details for a specific host attached to your CID. In order to retrieve system information detail (and draw ponies), this example installs git (when not present) and then clones the ASCII-Ponyarrow-up-right repo. Once successfully cloned, the executable systempony is executed with its output being saved to a local file. Finally, the contents of this output file are retrieved and all artifacts are removed from the target system. The pony that is displayed is selected at random (the example can be configured to display a specific pony if desired).

This example requires FalconPy v0.6.0+

hashtag
Example output

                                                .....-----...
                                         __  .-`             `.
                                        /  \`             .:'--:.
                                       ( /  \               `-.__..-;
                                       | |   `-..__  .,            -
                                       ( '.  \ ____`\ )`-._     _-`
                                       '\   __/   __\' / `:``''`
                                       .|\_  (   / .-| |'.|           User     : root
                                       |' / ,'\ ( (WW| \W)j           Hostname : sample-host.us-west-1.compute.internal
                                      .|  |    \_\_`/   ``-.          IP       :
            .--''''````-.             |'  l            \__/           Distro   :
           /             `.           |    `.  -,______.-'            Kernel   : 4.14.232-177.418.amzn2.x86_64 x86_64
          /                `.________.|      `.   /                   Uptime   : 48 days, 2:50
         (         ,.--''>-',:       |'        | (                    Load     : 0.00, 0.00, 0.00
         |        |     /   (_)     .|        ,'),-``''-.             Shell    : /bin/bash
         |       .'    | ,;         |'       / ,'        `.           Packages :
        .|       |.    | (_)  ;,    '.      (.(            :          RAM      : 237M / 1.9G
        |'       '|    |     (_)      `'---'`  `.       `:`;          CPU      : Intel(R) Xeon(R) CPU E5-2676 v3 @ 2.40GHz
        |         '.  / \        /           `:. ;        ':          Swap     : 0B / 0B
        |.          `.   |      /-,_______\   ' `     .-;  |          Disk     : 1.8G / 13G
        '|            \_/      /     |    |\   `----'`.' .'
         |             )      /     |     | `--,    \`''`
         '.           /      |      |     |   /      )
           `--_____--'|      |      |      | (       |
      `:._.`       '. |      |      |      |  \      |
       '        .-.  )|       \     |       \  `.___/
        `---;    ) )'  \_______)     \_______)
          .:___-'

hashtag
Procedure

  1. The AID for the provided hostname is retrieved.

    • If not found, the routine will stop at this point.

  2. A Real Time Response session is initialized between your host and the target host.

    • If a session cannot be instantiated, the routine will stop processing.

  3. Three scripts are uploaded to CrowdStrike cloud for execution:

    • install-pony - Installs git and clones the ASCII-Pony repo.

    • create-pony - Executes the systempony command and saves the output to a file in /root.

    • cleanup-pony - Removes the results of the systempony command and removes the cloned ASCII-Pony repo.

  4. The install-pony command is executed and the repo is cloned.

  5. The create-pony command is executed and the system information output file is generated.

  6. A stand-alone command, retrieve-pony is executed.

    Command contents

    • The results of this command are temporarily stored in memory.

  7. The cleanup-pony command is executed, all artifacts are removed from the target system.

If any of these commands fail on execution, the procedure will be halted.

  1. All three uploaded 'pony' scripts are removed from CrowdStrike cloud.

  2. The Real Time Response session is closed and deleted.

  3. The results of our systempony command are displayed.

hashtag
Running the program

In order to run this demonstration, you will need a partial hostname for the target system and access to CrowdStrike API keys with the following scopes:

Service Collection
Scope

Hosts

READ

Real Time Response

READ, WRITE

Real Time Response Admin

READ, WRITE

hashtag
Execution syntax

The following command should execute the demonstration in your environment.

A small command-line syntax help utility is available using the -h flag.

hashtag
Example source code

The source code for this example can be found herearrow-up-right.

hashtag
The open-source system information project - ASCII-Pony

The ASCII-Ponyarrow-up-right repo was developed by Mattia "Glax" Basagliaarrow-up-right, and has been around for many years. It is a fun (and useful) project @jshcodesarrow-up-right has used in several places over time. Glax is best Dragon!

Previouspid-dumpNextsample_uploads

Last updated

Was this helpful?