
Worklet: Install CrowdStrike on Windows (API)


Hi all, I know CrowdStrike integrates with Automox to easily install it, but here’s another way to install it via Automox.


Basically this script utilises the CrowdStrike Sensor Download API to get the 2nd latest Windows Sensor, which then pulls it to a temp directory and then runs the installer.


There are a few things we need to do first before we get this working. You will need to log in to the CrowdStrike Portal and ‘Add new API Client’ - https://falcon.crowdstrike.com/support/api-clients-and-keys - once added, you’ll get your Client ID and Secret. Keep these to hand, as you will need to paste them in the Worklet section as shown below, replacing the CLIENTID and SECRETKEY with the relevant details.


Body = 'client_id=CLIENTID&client_secret=SECRETKEY'


Also, you will need to click on ‘Edit’ on your newly made API client and tick the tickbox under the ‘read’ section for Sensor Download API.



You will also need to get your Customer ID (CID), which you can find here once logged in - https://falcon.crowdstrike.com/hosts/sensor-downloads. Replace the XXX in CID= with your Customer ID number.


Start-Process -FilePath $path_to_file -argumentlist "/install /quiet /norestart CID=XXX" -Verbose


You may also want to get the latest version of the CrowdStrike agent instead of the 2nd latest, by changing the following [1] to [0] below in the script


$SensorsID = ($Sensors.resources | Where-Object {$_.os -like "Windows"})[1] | Select-Object -ExpandProperty sha256


Evaluation


if (Test-Path -Path "C:\Program Files\CrowdStrike")
{
    exit 0
}
else
{
    exit 1
}


Remediation


# Make sure the working directory exists
$path = "C:\temp\"

if (!(Test-Path -Path $path))
{
    New-Item -ItemType directory -Path $path -Verbose
    Write-Output "The folder path has been created successfully at $path"
}
else
{
    Write-Output "The folder $path already exists"
}

Start-Transcript -Verbose -Path "c:\temp\crowdstrike.log"

# Request an OAuth2 token (replace CLIENTID and SECRETKEY with your API client details)
$Param = @{
    Uri = 'https://api.crowdstrike.com/oauth2/token'
    Method = 'post'
    Headers = @{
        accept = 'application/json'
        'content-type' = 'application/x-www-form-urlencoded'
    }
    Body = 'client_id=CLIENTID&client_secret=SECRETKEY'
}

$Token = Invoke-RestMethod @Param

# Do not echo $Token.access_token here: the running transcript would write
# the bearer token to c:\temp\crowdstrike.log

# List the available sensor installers
$Param2 = @{
    Uri = ("https://api.crowdstrike.com/sensors/combined/installers/v1")
    Method = 'get'
    Headers = @{
        accept = 'application/json'
        authorization = "$($Token.token_type) $($Token.access_token)"
    }
}

$Sensors = Invoke-RestMethod @Param2

# [1] = 2nd latest Windows sensor; change [1] to [0] on both lines for the latest
$SensorsID = ($Sensors.resources | Where-Object {$_.os -like "Windows"})[1] | Select-Object -ExpandProperty sha256
# Apply the same Windows filter so the version in the file name matches the installer that is downloaded
$SensorsVersion = ($Sensors.resources | Where-Object {$_.os -like "Windows"})[1] | Select-Object -ExpandProperty version

# Download the installer identified by its sha256
$Param3 = @{
    Uri = ("https://api.crowdstrike.com/sensors/entities/download-installer/v1?id=${SensorsID}")
    Method = 'get'
    Headers = @{
        accept = 'application/json'
        authorization = "$($Token.token_type) $($Token.access_token)"
    }
}

$path_to_file = ("C:\temp\WindowsSensor$SensorsVersion.exe")

Invoke-WebRequest @Param3 -OutFile $path_to_file -Verbose

# Silent install (replace XXX with your Customer ID)
Start-Process -FilePath $path_to_file -argumentlist "/install /quiet /norestart CID=XXX" -Verbose

Stop-Transcript


Enjoy!
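The Remediation script runs whatever the download returns. Since the installer's id is its SHA-256, the file can be checked against that value, and against its Authenticode signature, before it is executed. The following is an added example, not part of the original post; it assumes `$Token` and `$Sensors` are populated as in the script above, and the 'CrowdStrike' signer-subject match is an assumption to confirm against a known-good installer.

```powershell
# Added example, not the original author's code. Assumes $Token and $Sensors
# were populated exactly as in the Remediation script above.
$ErrorActionPreference = 'Stop'   # abort on any failed step

# Pick ONE Windows installer object so hash and version describe the same file.
# [1] = second latest at the time the post was written; [0] = latest.
$Installer = @($Sensors.resources | Where-Object { $_.os -like 'Windows' })[1]
if (-not $Installer) { throw 'No Windows sensor installer returned by the API.' }

$path_to_file = "C:\temp\WindowsSensor$($Installer.version).exe"
$Download = @{
    Uri     = "https://api.crowdstrike.com/sensors/entities/download-installer/v1?id=$($Installer.sha256)"
    Method  = 'get'
    Headers = @{
        accept        = 'application/json'
        authorization = "$($Token.token_type) $($Token.access_token)"
    }
    OutFile = $path_to_file
}
Invoke-WebRequest @Download

# 1. The file on disk must hash to the sha256 the API listed for this installer.
$Actual = (Get-FileHash -Path $path_to_file -Algorithm SHA256).Hash
if ($Actual -ne $Installer.sha256) {   # -ne ignores case for strings
    Remove-Item -Path $path_to_file -Force
    throw "Hash mismatch: expected $($Installer.sha256), got $Actual"
}

# 2. The executable must carry a valid Authenticode signature.
$Signature = Get-AuthenticodeSignature -FilePath $path_to_file
if ($Signature.Status -ne 'Valid') {
    Remove-Item -Path $path_to_file -Force
    throw "Installer signature status is '$($Signature.Status)'"
}
# Assumption: the signer subject contains 'CrowdStrike'.
if ($Signature.SignerCertificate.Subject -notlike '*CrowdStrike*') {
    Remove-Item -Path $path_to_file -Force
    throw "Unexpected signer: $($Signature.SignerCertificate.Subject)"
}

# Only now run it; -Wait -PassThru exposes the installer's real exit code.
$Proc = Start-Process -FilePath $path_to_file -ArgumentList '/install /quiet /norestart CID=XXX' -Wait -PassThru
Write-Output "Installer exited with code $($Proc.ExitCode)"
```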

7 replies


Has anyone got this working?


  • Author
  • Novice
  • 35 replies
  • October 19, 2021

What error are you getting?



Failed to generate access token for


That is what shows in the logs


  • Author
  • Novice
  • 35 replies
  • October 19, 2021

Did you generate your client ID and API key, and select Sensor Download like in the edit API client screenshot above?



Thank you Vienna. I have it working now. We noticed that it grabbed version 6.22 instead of 6.28. Do you know why that is? It updated to 6.28 a few minutes after the installation completed.


  • Author
  • Novice
  • 35 replies
  • October 19, 2021

Not sure off my head but $SensorsVersion = $Sensors.resources[1] | Select-Object -ExpandProperty version determines the version it will install. You might want to play w/ the script and see what $sensorversion returns alone


[1] at the time of writing this pulled the second latest version after [0]



What was the fix you did to get past the “Failed to generate access token” error? I'm getting the same thing and it has Sensor Download enabled.

