[ BUG ] Invoke-FalconDeploy produces null-valued expression error during put step #424

Open
0xBK-tull opened this issue Sep 25, 2024 · 1 comment
Labels
bug Something isn't working fix available Self-applied fix available in issue

0xBK-tull commented Sep 25, 2024

Describe the bug
When I go to run Invoke-FalconDeploy, about half the time I get an error message at the put stage. The error is as follows:

Set-Property : You cannot call a method on a null-valued expression.
At C:\Users\ausergoeshere\Documents\WindowsPowerShell\Modules\PSFalcon\2.2.7\public\real-time-response.ps1:627 char:15
+ Set-Property $_ batch_id $BatchId
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Set-Property], RuntimeException
+ FullyQualifiedErrorId : InvokeMethodOnNull,Set-Property

Environment (please complete the following information):

  • OS: Windows 11 and Windows 10, various versions.
  • PowerShell: 5.1 and 7.4.5
  • PSFalcon: 2.2.7

Additional context
I had posted on Reddit about this and bk-CS advised me to open this bug report. Apologies for the delay bk-CS, I got sidetracked by a convention known as Fal.Con.

Transcript content


PowerShell transcript start
Start time: 20240913094405
Username: 
RunAs User: 
Configuration Name: 
Machine: (Microsoft Windows NT 10.0.22631.0)
Host Application: C:\Program Files\PowerShell\7\pwsh.dll
Process ID: 18104
PSVersion: 7.4.5
PSEdition: Core
GitCommitId: 7.4.5
OS: Microsoft Windows 10.0.22631
Platform: Win32NT
PSCompatibleVersions: 1.0, 2.0, 3.0, 4.0, 5.0, 5.1, 6.0, 7.0
PSRemotingProtocolVersion: 2.3
SerializationVersion: 1.1.0.1
WSManStackVersion: 3.0
**********************
Transcript started, output file is C:\Users\USER_NAME\Documents\PowerShell_transcript.computer.xaAchM5_.20240913094405.txt
PS C:\Users\USER_NAME\Documents\software> Invoke-FalconDeploy -File .\software_agentcompany.msi -Argument '/quiet' -GroupId GROUP_ID -QueueOffline $True
VERBOSE: 09:44:13 [Get-FalconHost] /devices/queries/devices-scroll/v1:get
VERBOSE: 09:44:13 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/devices/queries/devices-scroll/v1?limit=5000&filter=groups%3A%5B%27GROUP_ID%27%5D
VERBOSE: 09:44:13 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:44:14 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:14 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=c8f55c84-2bb3-464f-9d40-452b95c860a0, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5999
VERBOSE: 09:44:14 [Write-Result] query_time=0.129350545, pagination.total=20, pagination.offset=FGluY2x1ZGVfY29udGV4dF91dWlkDnF1ZXJ5VGhlbkZldGNoAhYwUTBUaDE3MFJ5V0pFSy1RcWd3ZGlRAAAAAAhzOaYWb253UHZLLVZTbEtVd0k1ajBqb0Q2URZ3N0hORURKZFQ2eWJ0QUVOVDg5enJ3AAAAAAkchFQWTXdxMWlMRTRRTXVTY3hzR0FpUzlGZw==, pagination.expires_at=1726235175085528528, powered_by=device-api, trace_id=c8f55c84-2bb3-464f-9d40-452b95c860a0
VERBOSE: 09:44:14 [Get-FalconHost] /devices/entities/devices/v2:post
VERBOSE: 09:44:14 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/devices/entities/devices/v2
VERBOSE: 09:44:14 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:44:14 [ApiClient.Invoke] {"ids":["ids go here"]}
VERBOSE: 09:44:14 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:14 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=61f1483f-3c10-4fcf-9409-f0dd20f14b39, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5998
VERBOSE: 09:44:14 [Write-Result] query_time=0.163027715, powered_by=device-api, trace_id=61f1483f-3c10-4fcf-9409-f0dd20f14b39
[Invoke-FalconDeploy] Checking cloud for existing file...
VERBOSE: 09:44:14 [Get-FalconPutFile] /real-time-response/queries/put-files/v1:get
VERBOSE: 09:44:14 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/real-time-response/queries/put-files/v1?filter=name%3A%5B%27software_agentcompany.msi%27%5D
VERBOSE: 09:44:14 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:44:14 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:14 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=9bacb171-ee70-42d4-ba23-ba320a0a6c1b, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5997
VERBOSE: 09:44:14 [Write-Result] query_time=0.028381058, pagination.offset=0, pagination.limit=100, pagination.total=1, powered_by=empower-api, trace_id=9bacb171-ee70-42d4-ba23-ba320a0a6c1b
VERBOSE: 09:44:14 [Get-FalconPutFile] /real-time-response/entities/put-files/v2:get
VERBOSE: 09:44:14 [ApiClient.Invoke] GET https://api.us-2.crowdstrike.com/real-time-response/entities/put-files/v2?ids=ids_go_here
VERBOSE: 09:44:14 [ApiClient.Invoke] Accept=application/json
VERBOSE: 09:44:15 [ApiClient.Invoke] 200: OK
VERBOSE: 09:44:15 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:44:15 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=f2b1b118-a82f-4fc7-91ec-4111de37774c, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5996
VERBOSE: 09:44:15 [Write-Result] query_time=0.030316615, powered_by=empower-api, trace_id=f2b1b118-a82f-4fc7-91ec-4111de37774c
[Invoke-FalconDeploy] Matched hash values between local and cloud files.
VERBOSE: 09:44:15 [Start-FalconSession] /real-time-response/combined/batch-init-session/v1:post
VERBOSE: 09:44:15 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-init-session/v1?timeout=60&host_timeout_duration=54s
VERBOSE: 09:44:15 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:44:15 [ApiClient.Invoke] 
{"host_ids":["host IDs go here"],"queue_offline":true}
VERBOSE: 09:45:09 [ApiClient.Invoke] 201: Created
VERBOSE: 09:45:09 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:45:10 GMT, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=6d5bfc7d-93ea-42b1-bcae-531f659d54f4, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5995
VERBOSE: 09:45:09 [Write-Result] query_time=54.001134109, powered_by=empower-api, trace_id=6d5bfc7d-93ea-42b1-bcae-531f659d54f4
WARNING: [Start-FalconSession] 50401: Exceeded maximum connect timeout: 54.00s [aid: c38df52d89fb42329e2ade8874a0cacd]
VERBOSE: 09:45:09 [Stop-RtrUpdate] Removed job: psfalcon-rtr_20240913T0937083386
VERBOSE: 09:45:09 [Start-RtrUpdate] Started job: psfalcon-rtr_20240913T0945094632
[Invoke-FalconDeploy] Initiated session with 19 host(s)...
[Invoke-FalconDeploy] Issuing 'mkdir' to 19 Windows host(s)...
VERBOSE: 09:45:10 [Invoke-FalconAdminCommand] /real-time-response/combined/batch-admin-command/v1:post
VERBOSE: 09:45:10 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-admin-command/v1?timeout=60
VERBOSE: 09:45:10 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:45:10 [ApiClient.Invoke] {"optional_hosts":["hosts here"],"base_command":"mkdir","command_string":"mkdir \\Windows\\Temp\\FalconDeploy_20240913T0944138568","batch_id":"2417d1c6-deba-4725-b3ca-98e8b4a92b30"}
VERBOSE: 09:45:12 [ApiClient.Invoke] 201: Created
VERBOSE: 09:45:12 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:45:12 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=8ea278b1-c0bf-43d4-943b-8c9e2b48c368, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5994
VERBOSE: 09:45:12 [Write-Result] query_time=1.364566246, powered_by=empower-api, trace_id=8ea278b1-c0bf-43d4-943b-8c9e2b48c368
[Invoke-FalconDeploy] Issuing 'cd' to 19 Windows host(s)...
VERBOSE: 09:45:13 [Invoke-FalconAdminCommand] /real-time-response/combined/batch-admin-command/v1:post
VERBOSE: 09:45:13 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-admin-command/v1?timeout=60
VERBOSE: 09:45:13 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:45:13 [ApiClient.Invoke] {"optional_hosts":["hosts here"],"base_command":"cd","command_string":"cd \\Windows\\Temp\\FalconDeploy_20240913T0944138568","batch_id":"2417d1c6-deba-4725-b3ca-98e8b4a92b30"}
VERBOSE: 09:45:13 [ApiClient.Invoke] 201: Created
VERBOSE: 09:45:13 [ApiClient.Invoke] Server=nginx, Date=Fri, 13 Sep 2024 13:45:14 GMT, Transfer-Encoding=chunked, Connection=keep-alive, Strict-Transport-Security=max-age=31536000; includeSubDomains, max-age=31536000; includeSubDomains, X-Cs-Region=us-2, X-Cs-Traceid=23bcf81c-6fb9-4b90-a0a6-fce4cb2e3e42, X-Ratelimit-Limit=6000, X-Ratelimit-Remaining=5994
VERBOSE: 09:45:13 [Write-Result] query_time=0.503824135, powered_by=empower-api, trace_id=23bcf81c-6fb9-4b90-a0a6-fce4cb2e3e42
[Invoke-FalconDeploy] Issuing 'put' to 19 Windows host(s)...
VERBOSE: 09:45:14 [Invoke-FalconAdminCommand] /real-time-response/combined/batch-admin-command/v1:post
VERBOSE: 09:45:14 [ApiClient.Invoke] POST https://api.us-2.crowdstrike.com/real-time-response/combined/batch-admin-command/v1?timeout=600
VERBOSE: 09:45:15 [ApiClient.Invoke] Accept=application/json, ContentType=application/json
VERBOSE: 09:45:15 [ApiClient.Invoke] {"optional_hosts":["hosts here"],"base_command":"put","command_string":"put software_agentcompany.msi","batch_id":"2417d1c6-deba-4725-b3ca-98e8b4a92b30"}
PS C:\Users\USER_NAME\Documents\software> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."
>> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."

PS C:\Users\USER_NAME\Documents\software> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."
>> TerminatingError(Set-Property): "You cannot call a method on a null-valued expression."
You cannot call a method on a null-valued expression.
Exception: C:\Users\USER_NAME\Documents\PowerShell\Modules\PSFalcon\2.2.7\public\real-time-response.ps1:627
Line |
 627 |                Set-Property $_ batch_id $BatchId
     |                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     | You cannot call a method on a null-valued expression.

**********************
PowerShell transcript end
End time: 20240913094925
**********************
0xBK-tull added the bug label Sep 25, 2024
bk-cs changed the title from "[ BUG ] Error when using Invoke-FalconDeploy - Null Value" to "[ BUG ] Invoke-FalconDeploy produces null-valued expression error during put step" Sep 25, 2024
bk-cs added a commit that referenced this issue Oct 11, 2024
Increased `[System.Net.Http.HttpClient]` default timeout to 5 minutes from 1 minute to allow for the `put` command step to complete during `Invoke-FalconDeploy`.

Updated `Invoke-FalconAdminCommand`, `Invoke-FalconCommand`, and `Invoke-FalconResponderCommand` to only attempt to append `batch_id` to results that have a `session_id`. This should suppress `You cannot call a method on a null-valued expression` errors when trying to append `batch_id` (`Set-Property $_ batch_id $BatchId`).

Decreased default `Timeout` when using `runscript` for single host sessions by 5 seconds to help provide enough time for results to return.

Added some minor formatting changes for performance (using `Where()` instead of `Where-Object`).
bk-cs (Collaborator) commented Oct 11, 2024

I think I've narrowed this issue down to a couple of things:

  • Default timeout for requests was 1 minute using the underlying HttpClient in PSFalcon. I think the put commands were not waiting long enough for completion.
  • Invoke-FalconAdminCommand, Invoke-FalconCommand and Invoke-FalconResponderCommand were attempting to append batch_id to a timed out request (thus leading to the null-valued expression error).

I've updated class\Class.ps1, public\real-time-response.ps1 and public\psf-real-time-response.ps1 after some testing with Invoke-FalconDeploy using large files (~650MB). Can you try updating your local module with these changes and let me know if it eliminates your error?

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/202892ae12b200c18662f20c8655af69a05c7da8/class/Class.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath class) Class.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/202892ae12b200c18662f20c8655af69a05c7da8/public/psf-real-time-response.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-real-time-response.ps1)
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/202892ae12b200c18662f20c8655af69a05c7da8/public/real-time-response.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) real-time-response.ps1)

Please ensure that you close and re-open PowerShell and re-import PSFalcon before testing. The Class.ps1 changes will definitely not work without fully restarting PowerShell.

bk-cs added the fix available label Oct 15, 2024
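
The guard described in the commit message and comment above (append `batch_id` only to results that have a `session_id`), sketched as an added example that is not PSFalcon's code and not part of the original thread. `Set-ExampleProperty`, `New-SampleResult` and the two `Add-BatchId*` functions are hypothetical names, and the result objects and their shapes are constructed assumptions.

```powershell
# Added illustration, not PSFalcon source. Set-ExampleProperty is a hypothetical
# stand-in for the module's private Set-Property helper.
function Set-ExampleProperty ($Object, [string]$Name, $Value) {
  # With $Object = $null, .PSObject.Properties is also $null, so .Add() throws
  # "You cannot call a method on a null-valued expression."
  $Object.PSObject.Properties.Add(
    [System.Management.Automation.PSNoteProperty]::new($Name, $Value))
}

function New-SampleResult {
  # Constructed data: one good result, one without a session_id, one $null entry
  # (assumed shapes for hosts whose request timed out).
  $Items = @(
    [PSCustomObject]@{ aid = 'aid-0001'; session_id = 'session-0001' },
    [PSCustomObject]@{ aid = 'aid-0002'; session_id = $null },
    $null
  )
  return ,$Items   # unary comma keeps the array (and its $null entry) intact
}

$BatchId = '00000000-0000-0000-0000-000000000000'   # placeholder value

# Before: every result is touched, so the $null entry aborts the whole run.
function Add-BatchIdUnguarded ($Results, [string]$BatchId) {
  foreach ($Item in $Results) { Set-ExampleProperty $Item batch_id $BatchId }
  $Results
}

# After: only results with a session_id get batch_id; the rest are reported.
function Add-BatchIdGuarded ($Results, [string]$BatchId) {
  $WithSession = @($Results).Where({ $_ -and $_.session_id })
  $Skipped = @($Results).Count - $WithSession.Count
  if ($Skipped -gt 0) {
    Write-Warning "$Skipped result(s) without session_id were skipped."
  }
  foreach ($Item in $WithSession) { Set-ExampleProperty $Item batch_id $BatchId }
  $WithSession
}

try { $null = Add-BatchIdUnguarded (New-SampleResult) $BatchId }
catch { Write-Host "Unguarded: $($_.Exception.Message)" }

Add-BatchIdGuarded (New-SampleResult) $BatchId |
  Format-Table aid, session_id, batch_id
```

The warning in the guarded path matters operationally: hosts that were skipped did not receive the file, so a deployment run should surface that count rather than silently dropping them.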