[ BUG ] Add-FalconSensorTag fails when no GroupingTags currently exist
Describe the bug Add-FalconSensorTag fails if the following registry value doesn't exist:
HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default\GroupingTags
To Reproduce Confirm the above registry key doesn't exist and then attempt to add sensor tags via the above function.
Expected behavior The above value is created and populated with the tags you specified.
Environment (please complete the following information):
- OS: Windows 10 (but likely the same would occur under Windows Server OS's)
- PowerShell: 5.1.19041.1320
- PSFalcon: 2.1.5
Additional context See email sent on 2/4/2022.
I tried to reproduce without any luck, unfortunately!
Ran the following command (and variations hereof) Add-FalconSensorTag -Tags ts/kra -Id <removed>
Deleted the property through the UI (wrote the PowerShell below, but tamper protection was enabled and didn't like it 🤷🏻‍♂️)
# Remove-ItemProperty targets the value itself; piping Get-ItemProperty output to Remove-Item would target the Default key instead
Remove-ItemProperty -Path "HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default" -Name "GroupingTags"
Verified the property was deleted with the following (throws an error; otherwise the value is returned):
(Get-ItemProperty "HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default" -Name "GroupingTags").GroupingTags
I'm running a newer version, but by comparing releases it doesn't really seem like that part has changed.
@boltonchris do you have the error message? This should be returned to you, if I read the source correctly. Also, having the exact command arguments you are using would be helpful. Please remember to remove sensitive information first.
Environment:
- OS: Microsoft Windows Server 2019
- PowerShell: 5.1.17763.2268
- PSFalcon: 2.1.8
@kra-ts
The script used by Add-FalconSensorTag uses reg query and reg add instead of the PowerShell equivalent:
$Key = "HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default"
$Tags = (reg query $Key) -match "GroupingTags"
$Value = if ($Tags) {
    (($Tags -split "REG_SZ")[-1].Trim().Split(",") + $args.Split(",") | Select-Object -Unique) -join ","
} else {
    $args
}
[void] (reg add $Key /v GroupingTags /d $Value /f)
Write-Output "$((((reg query $Key) -match "GroupingTags") -split "REG_SZ")[-1].Trim())"
In my testing, running it without the key present gives the following errors, which line up with what @boltonchris reported:
ERROR: The system was unable to find the specified registry key or value.
ERROR: Invalid syntax.
Type "REG ADD /?" for usage.
ERROR: The system was unable to find the specified registry key or value.
You cannot call a method on a null-valued expression.
At line:9 char:17
+ ... e-Output "$((((reg query $Key) -match "GroupingTags") -split "REG_SZ" ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull
I'll need to make the same updates to the related RTR script as it likely has the same problem.
@bk-cs
Thanks! I know that. I started to re-code a better solution but forgot to test whether I could reproduce it, which I can't on my system. Then it's hard to know if my code actually fixes this.
Got something like the below, but haven't made the split part yet.
I haven't found anything written down on what versions of PowerShell your RTR scripts are aiming for as a minimum. Maybe I'm using newer cmdlets than you expect to be available.
$Key = "HKLM:\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default"
$Name = "GroupingTags"
if (-not (Test-Path -Path $Key)) {
    throw "Couldn't find registry key $Key"
}
if (-not ($Tags = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue)) {
    $Tags = Set-ItemProperty -Path $Key -Name $Name -Type "String" -Value $Null -PassThru
}
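The reg.exe-based script quoted above and the Get-ItemProperty draft that follows it both turn on the same edge case: when the GroupingTags value is absent, `(reg query $Key) -match "GroupingTags"` yields nothing, `$Value` ends up empty, `reg add` rejects the empty `/d`, and the final `-split "REG_SZ"` is invoked on `$null`. The following is an added example written for this thread, not PSFalcon's own RTR script or code from either commenter: it merges tags through the PowerShell registry provider, creates the value when it is missing, and drops empty elements so no leading comma is produced. `Merge-GroupingTags` and the `HKCU:\Software\PSFalconTagTest` demo key are hypothetical names chosen here so the example runs on a machine without the sensor; an RTR version would pass `$args` as `-Tags` and point `-Key` at the sensor's Default key, and on a real sensor tamper protection may still refuse the write, as noted earlier in the thread.

```powershell
# Added example (not PSFalcon's RTR script). Merge sensor grouping tags into a REG_SZ
# value via the registry provider, creating the value if it does not exist yet.
function Merge-GroupingTags {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Key,    # e.g. HKLM:\SYSTEM\CrowdStrike\{...}\{...}\Default
        [Parameter(Mandatory)][string[]]$Tags, # tags; comma-separated strings are accepted
        [string]$Name = 'GroupingTags'
    )
    if (-not (Test-Path -Path $Key)) {
        throw "Registry key not found: $Key"
    }

    # -ErrorAction SilentlyContinue makes the missing-value case return $null
    # instead of terminating, so it can be handled explicitly below.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    $existing = if ($null -ne $item) { [string]$item.$Name } else { '' }

    # Split both sides on commas, trim, drop empty elements (this is what prevents the
    # leading comma when the value was absent), and de-duplicate preserving order.
    $merged = @($existing -split ',') + @($Tags -split ',') |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -ne '' } |
        Select-Object -Unique
    $value = $merged -join ','

    if ($null -eq $item) {
        # Value does not exist: create it as REG_SZ rather than relying on Set-ItemProperty.
        New-ItemProperty -Path $Key -Name $Name -PropertyType String -Value $value | Out-Null
    } else {
        Set-ItemProperty -Path $Key -Name $Name -Value $value
    }

    # Return what is actually stored, not the local variable.
    (Get-ItemProperty -Path $Key -Name $Name).$Name
}

# Demo against a throwaway HKCU key (hypothetical test location, not the sensor's key),
# so it runs without the Falcon sensor installed and without tamper protection involved.
$testKey = 'HKCU:\Software\PSFalconTagTest'
if (Test-Path $testKey) { Remove-Item $testKey -Recurse -Force }
New-Item -Path $testKey -Force | Out-Null

# First call: GroupingTags does not exist yet, so the value is created.
Merge-GroupingTags -Key $testKey -Tags 'SensorGroupingTags/BoltonTest,SensorGroupingTags/Test1_Bolton'

# Second call: one duplicate and one new tag; only the new tag is appended.
Merge-GroupingTags -Key $testKey -Tags 'SensorGroupingTags/Test1_Bolton', 'ts/kra'

Remove-Item $testKey -Recurse -Force
```

Every cmdlet used here exists in Windows PowerShell 5.1, which is the version both reporters list, so no newer-than-5.1 features are assumed.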
Kevin,
It appears that the above function fails if the target machine doesn’t have the following reg value present:
HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default\GroupingTags
To clarify, the above registry value is not present. Manually creating the registry value (even if it is empty) resolves the issue.
When the Add-FalconSensorTag function is called, it returns the following:
cid device_id tags
6f06ef01454b423597d1af628c5d4528 7d3108c1734941829c6ade7e534614db ERROR: Invalid syntax.Type "REG ADD /?" for usage.You cannot call a method on a null-valued expression.
The call line is of the form:
Add-FalconSensorTag -Ids $Hosts -Tags $Finaltag -QueueOffline $OfflineQueue
Chris
@boltonchris
I can't replicate this issue either.
- Can you upgrade from PSFalcon v2.1.5 to the most current version (v2.1.7)?
- Is it possible that your $Finaltag variable is empty?
- Does the HKEY_LOCAL_MACHINE\SYSTEM\CrowdStrike\{9b03c1d9-3138-44ed-9fae-d9f4c034b88d}\{16e0423f-7058-48c9-a204-725362b67639}\Default key exist?
- When you say "manually creating the value", what did you create?
The script for Add-FalconSensorTag adds the GroupingTags value with a /f, which causes the key to be created if it's not there. This is what you should see if you run it on a device with a non-existent GroupingTags value:
PS>Add-FalconSensorTag -Id <id> -Tags Example
cid device_id tags
--- --------- ----
b7cc87abbd344a5e8c092765dbaa605d 79e512a318104e0e8cff439555e4cb95 ,VMWare
I've already made a correction to eliminate the comma at the beginning, which was due to the non-existent GroupingTags.
I don’t believe that the $Finaltag variable is empty or the Default key doesn’t exist. I say this because of the following test/experiment:
- Run the function as I have noted previously.
  * Confirm that I received the error message sent previously.
- On the machine returning that error, I create the GroupingTags REG_SZ value, leaving it empty.
- Re-run the same function, in the same fashion.
  * The GroupingTags value is populated with the list of tags provided.
The value of $Finaltag is:
SensorGroupingTags/BoltonTest SensorGroupingTags/Test1_Bolton SensorGroupingTags/Test2Bolton
Which appears proper to me.
Chris
Can you retry using PSFalcon v2.1.7 and without GroupingTags existing on the target device?
Following your exact steps, I do not encounter any errors when GroupingTags does not exist, and I am not required to create it.
After upgrading to 2.1.7, the results are the same. Here is what is returned under the tags column for a machine that was failing and on which I added the value, and for one where I didn't add the value:
,SensorGroupingTags/BoltonTest,SensorGroupingTags/Test1_Bolton,SensorGroupingTags/Test2Bolton
ERROR: Invalid syntax.Type "REG ADD /?" for usage.You cannot call a method on a null-valued expression.
Chris
I still haven't been able to reproduce this issue. I don't consider it solved and haven't been able to spend much time on it lately.
I'm going to keep this issue open and see if I can figure out where the issue is coming from.
Closing issue because v6.42 of the Falcon sensor for Windows changes the mechanism for adding sensor tags. The SensorTag commands have been disabled for sensors running this version or newer until I can figure out how to pass uninstallation tokens through Real-time Response to CsSensorSettings.exe.