BulkStrike
BulkStrike enables the usage of CrowdStrike Real Time Response (RTR) to bulk execute commands on, and bulk collect artifacts from, multiple machines.
Dependencies
None if using the release executable. Otherwise, refer to requirements.txt
Usage
- From the CrowdStrike Falcon web console, click on Support | API Clients and Keys
- Add a new API client and ensure it has at least the following API scopes:
  - Hosts - Read
  - Real time response - Read and Write
- It is recommended to also grant the Write scope for Real time response (admin); otherwise some RTR commands (e.g. put) will not execute
- Input your Client ID and Secret via bulk_strike configure (the secret grants RTR access to every host the client can see, so store it as you would any other privileged credential)
- Request an authentication token via bulk_strike req_token
- Start using BulkStrike!
- More help is available via bulk_strike -h
usage: bulk_strike.py [-h] [-c CLOUDREQID] [-d DESCRIPTION] [-f FILE] [-i ID]
                      [-p PERMISSION] [-q QSESSIONID] [-s HOST] [--log]
                      [--queue]
                      action

BulkStrike enables the usage of CrowdStrike Real Time Response (RTR) to bulk execute commands on multiple machines.

positional arguments:
  action          Req Arguments                  Description
  configure       NIL                            provide CrowdStrike Client ID, Secret and API server.
  req_token       NIL                            request a CrowdStrike authentication token.
  get_info        -s or -f [--log]               get system info of the provided host id or hostname.
  get_logins      -s or -f [--log] [--clean]     get recent logins of the provided host ids.
  list_files      NIL                            list basic info of all RTR response files on CrowdStrike Cloud.
  get_file        -i                             get detailed info of an RTR response file on CrowdStrike Cloud.
  upload_file     -f and -d                      upload an RTR response file to CrowdStrike Cloud.
  delete_file     -i                             delete an RTR response file from CrowdStrike Cloud.
  list_scripts    NIL                            list basic info of all RTR response scripts on CrowdStrike Cloud.
  get_script      -i                             get detailed info of an RTR response script on CrowdStrike Cloud.
  upload_script   -f and -p [-d]                 upload an RTR response script to CrowdStrike Cloud.
  delete_script   -i                             delete an RTR response script from CrowdStrike Cloud.
  start_rtr       -s or -f [--log] [--queue]     initialise an RTR session on the specified hosts.
  get_qsessions   NIL                            get session ids of RTR sessions that had commands queued.
  get_qsess_data  NIL [--log]                    get metadata of RTR sessions that had commands queued.
  del_qsession    -q                             delete a currently queued RTR session.
  del_qsess_cmd   -q and -c                      delete a currently queued RTR session command.

optional arguments:
  -h, --help            show this help message and exit
  -c CLOUDREQID, --cloudreqid CLOUDREQID
                        cloud request id of a currently queued RTR session command
  -d DESCRIPTION, --description DESCRIPTION
                        description of RTR response file or script
  -f FILE, --file FILE  path of file containing host ids or hostnames
  -i ID, --id ID        id of RTR response file or script
  -p PERMISSION, --permission PERMISSION
                        permission of RTR response script (private, group, public)
  -q QSESSIONID, --qsessionid QSESSIONID
                        session id of a currently queued RTR session
  -s HOST, --host HOST  host id or hostname
  --log                 write raw server response to a tsv file in the current working directory
  --queue               queue commands to offline hosts
  --clean               exclude less important details from output
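The procedure above (API client with Hosts/RTR scopes, configure, req_token, then start_rtr with --queue and run commands) wraps a small sequence of Falcon API calls. The block below is an added example written for this page, not BulkStrike's own code, that walks through that exchange end to end: the OAuth2 token request, hostname-to-host-ID lookup, batch RTR session initialisation with queue_offline, and the batch command call, including the admin-endpoint split that makes put fail without the "Real time response (admin)" Write scope. The endpoint paths are the documented Falcon OAuth2, Hosts and RTR routes; BASE assumes the US-1 cloud, and FakeFalcon, its hostnames, IDs, token and scope strings are all constructed so the block runs offline. Pass a requests.Session() style object as the transport to run it against a real tenant.

```python
"""Added example (not BulkStrike's own code): the Falcon API exchange behind a bulk-RTR tool."""

BASE = "https://api.crowdstrike.com"  # assumption: US-1 cloud; use your region's base URL
ADMIN_ONLY = {"put", "run"}  # commands Falcon routes through the admin endpoint (e.g. put)


def read_hosts(text):
    """Parse a -f style host file: one host id or hostname per line; blanks and # comments ignored."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]


class FalconRTR:
    def __init__(self, transport, base=BASE):
        self.t, self.base, self.token = transport, base, None

    def _hdr(self):
        return {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}

    def req_token(self, client_id, client_secret):
        # OAuth2 client-credentials grant: what `bulk_strike req_token` does
        r = self.t.post(f"{self.base}/oauth2/token",
                        data={"client_id": client_id, "client_secret": client_secret})
        self.token = r["access_token"]
        return self.token

    def host_ids(self, names):
        # Hosts:Read scope. A 32-hex-char value is already an AID and is passed through.
        ids = []
        for n in names:
            if len(n) == 32 and all(c in "0123456789abcdef" for c in n.lower()):
                ids.append(n)
                continue
            r = self.t.get(f"{self.base}/devices/queries/devices/v1",
                           params={"filter": f"hostname:'{n}'"}, headers=self._hdr())
            ids.extend(r.get("resources", []))
        return ids

    def start_rtr(self, host_ids, queue=False):
        # Batch session init; queue=True is the README's --queue (commands wait for offline hosts)
        r = self.t.post(f"{self.base}/real-time-response/combined/batch-init-sessions/v1",
                        json={"host_ids": host_ids, "queue_offline": queue}, headers=self._hdr())
        return r["batch_id"], r["resources"]

    def run(self, batch_id, base_command, command_string):
        # put/run go to the admin endpoint and need the RTR (admin) Write scope the README recommends
        path = "batch-admin-command" if base_command in ADMIN_ONLY else "batch-command"
        return self.t.post(f"{self.base}/real-time-response/combined/{path}/v1",
                           json={"batch_id": batch_id, "base_command": base_command,
                                 "command_string": command_string}, headers=self._hdr())


class FakeFalcon:
    """Constructed stand-in for the Falcon API so the example runs offline; records every request."""
    HOSTS = {"WIN-LAB-01": ("a" * 32, True), "WIN-LAB-02": ("b" * 32, False)}  # name -> (aid, online)

    def __init__(self, scopes):
        self.scopes, self.calls = set(scopes), []

    def get(self, url, params=None, headers=None):
        self.calls.append(("GET", url, params))
        name = params["filter"].split("'")[1]  # hostname:'NAME'
        hit = self.HOSTS.get(name)
        return {"resources": [hit[0]] if hit else []}

    def post(self, url, data=None, json=None, headers=None):
        self.calls.append(("POST", url, data or json))
        if url.endswith("/oauth2/token"):
            return {"access_token": "constructed-token", "expires_in": 1799}
        if "batch-init-sessions" in url:
            online = {aid: up for aid, up in self.HOSTS.values()}
            return {"batch_id": "batch-0001", "resources": {
                h: {"session_id": f"sess-{h[:4]}",
                    "offline_queued": json["queue_offline"] and not online.get(h, True)}
                for h in json["host_ids"]}}
        if "batch-admin-command" in url and "real-time-response-admin:write" not in self.scopes:
            return {"errors": [{"code": 403, "message": "access denied, authorization failed"}]}
        return {"combined": {"resources": {}}, "errors": []}


def demo(scopes=("hosts:read", "real-time-response:read", "real-time-response:write")):
    """Run the README's flow against FakeFalcon: token -> host ids -> queued sessions -> ls, put."""
    rtr = FalconRTR(FakeFalcon(scopes))
    rtr.req_token("constructed-client-id", "constructed-client-secret")
    ids = rtr.host_ids(read_hosts("# lab hosts (constructed)\nWIN-LAB-01\n\nWIN-LAB-02\n"))
    batch_id, sessions = rtr.start_rtr(ids, queue=True)
    ls = rtr.run(batch_id, "ls", "ls C:\\")
    put = rtr.run(batch_id, "put", "put collector.exe")
    return {"hosts": ids,
            "queued": [h for h, s in sessions.items() if s["offline_queued"]],
            "ls_ok": not ls["errors"],
            "put_ok": not put.get("errors")}


if __name__ == "__main__":
    print(demo())                                            # put fails: admin scope missing
    print(demo(("hosts:read", "real-time-response:read",
                "real-time-response:write", "real-time-response-admin:write")))
```

With the minimum scopes from the README, the offline host is queued and ls succeeds, but put is rejected at the admin endpoint; adding the RTR (admin) Write scope makes the same call succeed, which is the failure mode the "recommended" scope note is about.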
Demo
Future Work
- Create a parallel thread to keep the RTR session alive
- Download retrieved files (via get file) to local disk
- ~~Retry the initiating/starting of an RTR session to an offline host until it comes online~~