Created
August 14, 2025 15:53
CrowdStrike PoSH Setup
First, create an OAuth2 token (the PSFalcon client creds are saved in Secret Server):
https://www.crowdstrike.com/blog/tech-center/get-access-falcon-apis/

Not sure what scopes are required but I added:
Hosts - read/write
Host Groups - read/write
Real time response (admin) - write
Real time response - read/write

Next, upload your script to 'Custom Scripts' section of response scripts and files - https://falcon.crowdstrike.com/real-time-response/scripts/custom-scripts

Then I utilized this cmdlet - https://github.com/CrowdStrike/psfalcon/wiki/Authentication#request-authorization-token-and-run-a-command

I tried to pass multiple hostIDs in one Invoke-FalconRTR cmdlet, and while it would appear to work (no errors) I would not see the results on the hosts themselves. I ended up doing a ForEach loop.

    $HostList = Get-FalconHost -Filter "product_type_desc:'Workstation'+platform_name:'Windows'" -All -Detailed
    foreach ($1Host in $HostList) {
        Invoke-FalconRTR runscript "-cloudfile='Hybrid AAD Join'" -HostId $1Host.device_id -QueueOffline $True
    }

These pages helped
https://github.com/CrowdStrike/psfalcon/wiki
https://www.reddit.com/r/crowdstrike/comments/z9os85/how_to_run_custom_powershell_scripts_on_endpoints/
https://www.reddit.com/r/crowdstrike/comments/11k3g45/running_rtr_script_on_multiple_hosts_with_psfalcon/
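
The steps above as one session, written as an added example (not the gist author's code): it prompts for the API client instead of embedding it in the script, records one audit row per host so a silent non-result is visible afterwards, and revokes the token when finished. It assumes the PSFalcon module is installed and the API client already has the scopes listed above; the audit file name is a placeholder.

```powershell
# Added example. 'Hybrid AAD Join' is the custom script name used on this page;
# the CSV path is a placeholder.
Import-Module PSFalcon

# Prompt for the API client rather than hard-coding it:
# user name = client ID, password = client secret (copied from the secret vault).
$ApiClient = Get-Credential -Message 'Falcon API client ID / secret'
Request-FalconToken -ClientId $ApiClient.UserName `
    -ClientSecret $ApiClient.GetNetworkCredential().Password
if (-not (Test-FalconToken).Token) { throw 'Falcon authentication failed' }

try {
    $HostList = Get-FalconHost -Filter "product_type_desc:'Workstation'+platform_name:'Windows'" -All -Detailed

    # One Invoke-FalconRTR call per host, as on this page, with the outcome recorded.
    $Audit = foreach ($1Host in $HostList) {
        $Entry = [ordered]@{
            time      = (Get-Date).ToString('o')
            hostname  = $1Host.hostname
            device_id = $1Host.device_id
            status    = 'submitted'
            detail    = $null
        }
        try {
            $Result = Invoke-FalconRTR runscript "-cloudfile='Hybrid AAD Join'" -HostId $1Host.device_id -QueueOffline $True -ErrorAction Stop
            # Keep the raw response so queued and completed runs can be told apart later.
            $Entry.detail = $Result | ConvertTo-Json -Depth 5 -Compress
        } catch {
            $Entry.status = 'failed'
            $Entry.detail = $_.Exception.Message
        }
        [pscustomobject]$Entry
    }

    $Audit | Export-Csv -Path .\rtr-runscript-audit.csv -NoTypeInformation
    $Audit | Group-Object status | Select-Object Name, Count
} finally {
    # Do not leave a cached token with RTR admin rights in the session.
    Revoke-FalconToken
}
```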