CrowdStrike · carlosmmatos · Dec 19, 2024 · Dec 18, 2024
diff --git a/powershell/install/falcon_windows_install.ps1 b/powershell/install/falcon_windows_install.ps1
@@ -193,13 +193,13 @@
     function Invoke-FalconAuth([hashtable] $WebRequestParams, [string] $BaseUrl, [hashtable] $Body, [string] $FalconCloud) {
         $Headers = @{'Accept' = 'application/json'; 'Content-Type' = 'application/x-www-form-urlencoded'; 'charset' = 'utf-8' }
         $Headers.Add('User-Agent', 'crowdstrike-falcon-scripts/1.7.1')
-        if ($FalconAccessToken){
+        if ($FalconAccessToken) {
             $Headers.Add('Authorization', "bearer $($FalconAccessToken)")
         }
-        else{
+        else {
             try {
                 $response = Invoke-WebRequest @WebRequestParams -Uri "$($BaseUrl)/oauth2/token" -UseBasicParsing -Method 'POST' -Headers $Headers -Body $Body
                 $content = ConvertFrom-Json -InputObject $response.Content
                Write-VerboseLog -VerboseInput $content -PreMessage 'Invoke-FalconAuth - $content:'

                if ([string]::IsNullOrEmpty($content.access_token)) {
@@ -207,9 +207,9 @@
                     throw $message
                 }
 
-                if ($GetAccessToken -eq $true){
+                if ($GetAccessToken -eq $true) {
                     Write-Output $content.access_token | out-host
-                    exit
+                    exit 0
                 }
 
                 $Headers.Add('Authorization', "bearer $($content.access_token)")
@@ -384,31 +384,35 @@
     }
 }
 process {
-    if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
-            [Security.Principal.WindowsBuiltInRole]::Administrator) -eq $false) {
-        $message = 'Unable to proceed without administrative privileges'
-        Write-FalconLog 'CheckAdmin' $message
-        throw $message
-    }
-    elseif (Get-Service | Where-Object { $_.Name -eq 'CSFalconService' }) {
-        $message = "'CSFalconService' running. Falcon sensor is already installed."
-        Write-FalconLog 'CheckService' $message
-        exit 0
+    # TLS check should be first since it's needed for all HTTPS communication
+    if ([Net.ServicePointManager]::SecurityProtocol -notmatch 'Tls12') {
+        try {
+            [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+        }
+        catch {
+            $message = $_
+            Write-FalconLog 'TlsCheck' $message
+            throw $message
+        }
     }
-    else {
-        $credsProvided = Test-FalconCredential $FalconClientId $FalconClientSecret
-        if ([Net.ServicePointManager]::SecurityProtocol -notmatch 'Tls12') {
-            try {
-                [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
-            }
-            catch {
-                $message = $_
-                Write-FalconLog 'TlsCheck' $message
-                throw $message
-            }
+
+    if (!$GetAccessToken) {
+        if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
+                [Security.Principal.WindowsBuiltInRole]::Administrator) -eq $false) {
+            $message = 'Unable to proceed without administrative privileges'
+            Write-FalconLog 'CheckAdmin' $message
+            throw $message
+        }
+        if (Get-Service | Where-Object { $_.Name -eq 'CSFalconService' }) {
+            $message = "'CSFalconService' running. Falcon sensor is already installed."
+            Write-FalconLog 'CheckService' $message
+            exit 0
         }
     }
 
+    # Check if credentials were provided
+    $AuthProvided = (Test-FalconCredential $FalconClientId $FalconClientSecret) -or $FalconAccessToken
+
     # Hashtable for common Invoke-WebRequest parameters
     $WebRequestParams = @{}
 
@@ -439,7 +443,7 @@
     }
 
     # Configure OAuth2 authentication
-    if ($credsProvided -or $FalconAccessToken) {
+    if ($AuthProvided) {
         $BaseUrl = Get-FalconCloud $FalconCloud
 
         $Body = @{}
@@ -589,18 +593,21 @@
                 $message = "Exit code 1244: Falcon was unable to communicate with the CrowdStrike cloud. Please check your installation token and try again."
                 Write-FalconLog 'InstallerProcess' $message
                 throw $message
-            } else {
+            }
+            else {
                 if ($process.StandardError) {
                     $errOut = $process.StandardError.ReadToEnd()
-                } else {
+                }
+                else {
                     $errOut = "No error output was provided by the process."
                 }
                 $message = "Falcon installer exited with code $($process.ExitCode). Error: $errOut"
                 Write-FalconLog 'InstallerProcess' $message
                 throw $message
             }
         }
-    } catch {
+    }
+    catch {
         Write-FalconLog 'InstallerProcess' "Caught exception: $_"
         throw $_
     }

diff --git a/powershell/install/falcon_windows_uninstall.ps1 b/powershell/install/falcon_windows_uninstall.ps1
@@ -111,8 +111,8 @@ param(
 )
 begin {
 
-    if ($FalconAccessToken){
-        if ($FalconCloud -eq "autodiscover"){
+    if ($FalconAccessToken) {
+        if ($FalconCloud -eq "autodiscover") {
             $Message = 'Unable to auto discover Falcon region using access token, please provide FalconCloud'
             throw $Message
         }
@@ -178,10 +178,10 @@ begin {
     function Invoke-FalconAuth([hashtable] $WebRequestParams, [string] $BaseUrl, [hashtable] $Body, [string] $FalconCloud) {
         $Headers = @{'Accept' = 'application/json'; 'Content-Type' = 'application/x-www-form-urlencoded'; 'charset' = 'utf-8' }
         $Headers.Add('User-Agent', 'crowdstrike-falcon-scripts/1.7.1')
-        if ($FalconAccessToken){
+        if ($FalconAccessToken) {
             $Headers.Add('Authorization', "bearer $($FalconAccessToken)")
         }
-        else{
+        else {
             try {
                 $response = Invoke-WebRequest @WebRequestParams -Uri "$($BaseUrl)/oauth2/token" -UseBasicParsing -Method 'POST' -Headers $Headers -Body $Body
                 $content = ConvertFrom-Json -InputObject $response.Content
@@ -192,7 +192,7 @@ begin {
                     throw $Message
                 }
 
-                if ($GetAccessToken -eq $true){
+                if ($GetAccessToken -eq $true) {
                     Write-Output $content.access_token | out-host
                     exit
                 }
@@ -366,17 +366,86 @@ begin {
     }
 }
 process {
-    if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
-            [Security.Principal.WindowsBuiltInRole]::Administrator) -eq $false) {
-        $Message = 'Unable to proceed without administrative privileges'
-        throw $Message
+    if (!$GetAccessToken) {
+        if (([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole(
+                [Security.Principal.WindowsBuiltInRole]::Administrator) -eq $false) {
+            $Message = 'Unable to proceed without administrative privileges'
+            throw $Message
+        }
+
+        $AgentService = Get-Service -Name CSAgent -ErrorAction SilentlyContinue
+        if (!$AgentService) {
+            $Message = "'CSFalconService' service not found, already uninstalled"
+            Write-FalconLog 'CheckService' $Message
+            break
+        }
     }
+    # Check if credentials were provided
+    $AuthProvided = (Test-FalconCredential $FalconClientId $FalconClientSecret) -or $FalconAccessToken
 
-    $AgentService = Get-Service -Name CSAgent -ErrorAction SilentlyContinue
-    if (!$AgentService) {
-        $Message = "'CSFalconService' service not found, already uninstalled"
-        Write-FalconLog 'CheckService' $Message
-        break
+    if ($AuthProvided) {
+        # TLS check should be first since it's needed for all HTTPS communication
+        if ([Net.ServicePointManager]::SecurityProtocol -notmatch 'Tls12') {
+            try {
+                [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
+            }
+            catch {
+                $message = $_
+                Write-FalconLog 'TlsCheck' $message
+                throw $message
+            }
+        }
+
+        # Hashtable for common Invoke-WebRequest parameters
+        $WebRequestParams = @{}
+
+        # Configure proxy based on arguments
+        $proxy = ""
+        if ($ProxyHost) {
+            Write-Output "Proxy settings detected in arguments, using proxy settings to communicate with the CrowdStrike api"
+
+            if ($ProxyHost) {
+                $proxy_host = $ProxyHost.Replace("http://", "").Replace("https://", "")
+                Write-FalconLog -Source "Proxy" -Message "Proxy host ${proxy_host} found in arguments" -stdout $true
+            }
+
+            if ($ProxyPort) {
+                Write-FalconLog -Source "Proxy" -Message "Proxy port ${ProxyPort} found in arguments" -stdout $true
+                $proxy = "http://${proxy_host}:${ProxyPort}"
+            }
+            else {
+                $proxy = "http://${proxy_host}"
+            }
+
+            $proxy = $proxy.Replace("'", "").Replace("`"", "")
+            Write-FalconLog -Source "Proxy" -Message "Using proxy ${proxy} to communicate with the CrowdStrike Apis" -stdout $true
+        }
+
+        if ($proxy) {
+            $WebRequestParams.Add('Proxy', $proxy)
+        }
+
+        $BaseUrl = Get-FalconCloud $FalconCloud
+
+        $Body = @{}
+        $Body['client_id'] = $FalconClientId
+        $Body['client_secret'] = $FalconClientSecret
+
+        if ($MemberCid) {
+            $Body['member_cid'] = $MemberCid
+        }
+
+        $BaseUrl, $Headers = Invoke-FalconAuth -WebRequestParams $WebRequestParams -BaseUrl $BaseUrl -Body $Body -FalconCloud $FalconCloud
+        $Headers['Content-Type'] = 'application/json'
+        $WebRequestParams.Add('Headers', $Headers)
+    }
+    elseif ($RemoveHost) {
+        $Message = 'Unable to remove host without credentials, please provide FalconClientId and FalconClientSecret or FalconAccessToken'
+        throw $Message
+    }
+    elseif ($GetAccessToken) {
+        $Message = 'Unable to get access token without credentials, please provide FalconClientId and FalconClientSecret'
+        throw $Message
     }
 
     $UninstallerPath = $null
@@ -387,7 +456,8 @@ process {
 
             if (Test-Path -Path $UninstallerPathDir) {
                 $UninstallerPath = Get-ChildItem -Path $UninstallerPathDir -Recurse | Where-Object { $_.Name -match $UninstallerName } | ForEach-Object { $_.FullName } | Sort-Object -Descending | Select-Object -First 1
-            } else {
+            }
+            else {
                 $UninstallerPath = $null
             }
         }
@@ -403,16 +473,8 @@ process {
         throw $Message
     }
 
-    # Verify creds are provided if using the API
-    $credsProvided = Test-FalconCredential $FalconClientId $FalconClientSecret
-    if (!$credsProvided -and !$FalconAccessToken) {
-        if ($RemoveHost) {
-            $Message = 'Unable to remove host without credentials, please provide FalconClientId and FalconClientSecret or FalconAccessToken'
-            throw $Message
-        }
-    }
-    else {
-        # Grab AID before uninstalling
+    # Grab AID before uninstalling. Only relevant if $RemoveHost or if $AuthProvided and !$MaintenanceToken
+    if ($RemoveHost -or ($AuthProvided -and !$MaintenanceToken)) {
         Write-FalconLog 'GetAID' 'Getting AID before uninstalling'
         $aid = Get-AID
         if (!$aid) {
@@ -424,51 +486,6 @@ process {
         Write-FalconLog 'GetAID' $Message
     }
 
-    # Hashtable for common Invoke-WebRequest parameters
-    $WebRequestParams = @{}
-
-    # Configure proxy based on arguments
-    $proxy = ""
-    if ($ProxyHost) {
-        Write-Output "Proxy settings detected in arguments, using proxy settings to communicate with the CrowdStrike api"
-
-        if ($ProxyHost) {
-            $proxy_host = $ProxyHost.Replace("http://", "").Replace("https://", "")
-            Write-FalconLog -Source "Proxy" -Message "Proxy host ${proxy_host} found in arguments" -stdout $true
-        }
-
-        if ($ProxyPort) {
-            Write-FalconLog -Source "Proxy" -Message "Proxy port ${ProxyPort} found in arguments" -stdout $true
-            $proxy = "http://${proxy_host}:${ProxyPort}"
-        }
-        else {
-            $proxy = "http://${proxy_host}"
-        }
-
-        $proxy = $proxy.Replace("'", "").Replace("`"", "")
-        Write-FalconLog -Source "Proxy" -Message "Using proxy ${proxy} to communicate with the CrowdStrike Apis" -stdout $true
-    }
-
-    if ($proxy) {
-        $WebRequestParams.Add('Proxy', $proxy)
-    }
-
-    if ($credsProvided -or $FalconAccessToken) {
-        $BaseUrl = Get-FalconCloud $FalconCloud
-
-        $Body = @{}
-        $Body['client_id'] = $FalconClientId
-        $Body['client_secret'] = $FalconClientSecret
-
-        if ($MemberCid) {
-            $Body['member_cid'] = $MemberCid
-        }
-
-        $BaseUrl, $Headers = Invoke-FalconAuth -WebRequestParams $WebRequestParams -BaseUrl $BaseUrl -Body $Body -FalconCloud $FalconCloud
-        $Headers['Content-Type'] = 'application/json'
-        $WebRequestParams.Add('Headers', $Headers)
-    }
-
     if ($RemoveHost) {
         # Remove host from CrowdStrike Falcon
         Write-FalconLog 'RemoveHost' 'Removing host from Falcon console'