[ BUG ] Add-SensorTag and Remove-SensorTag dont append/remove tags even through reboot

[Trueblood506]

Describe the bug
I am able to "add" a sensortag when host is empty "no tags"; however, trying to append an additional tag or remove a tag, does not work. There is no error, and return results indicate that it was successful however UI does not show changes nor does the registry indicate a change occurred.

Environment (please complete the following information):
Windows

Additional context
Noticed that also RTR sessions seem to "spin" for awhile also. Doesnt appear to be associated as I did manually kill session and attempt several reboots.

[bk-cs]

From testing, it looks the command syntax (below) that PSFalcon uses to set the sensor tags no longer works with CsSensorSettings.exe.

echo "token" | & "C:\Program Files\CrowdStrike\CsSensorSettings.exe" set --grouping-tags "tag1,tag2"

If you input the token manually when prompted it properly applies the tags, but it doesn't work with echo. My hope is that this was unintended. The behavior will either need to be changed, or the script used by PSFalcon will need to be changed to properly provide the token.

[g1t-out]

This might be the same issue that I'm having with this command. It does not seem to work for me. The system does not output an error, however, if I run "start-transcript" before I try the commands, the transcript picks up the following errors:

"TerminatingError(ConvertFrom-Json): "Invalid JSON primitive: Maintenance."

and

"TerminatingError(ConvertFrom-Json): "Invalid JSON primitive: OIT."

I'm not sure what "Maintenance" is from but I know OIT is a tag on one of the systems I was attempting to run this command on.

Some clarification: I only see the above errors after an Add-FalconSensorTag with the -QueueOffline $false set. If -QueueOffline is set to $true, I don't see any errors, it just doesn't ever seem to work at least on hosts that already have a tag. I've not tried this command on hosts that don't already have at least one tag.

[bk-cs]

This might be the same issue that I'm having with this command. It does not seem to work for me. The system does not output an error, however, if I run "start-transcript" before I try the commands, the transcript picks up the following errors:

"TerminatingError(ConvertFrom-Json): "Invalid JSON primitive: Maintenance."

and

"TerminatingError(ConvertFrom-Json): "Invalid JSON primitive: OIT."

I'm not sure what "Maintenance" is from but I know OIT is a tag on one of the systems I was attempting to run this command on.

Some clarification: I only see the above errors after an Add-FalconSensorTag with the -QueueOffline $false set. If -QueueOffline is set to $true, I don't see any errors, it just doesn't ever seem to work at least on hosts that already have a tag. I've not tried this command on hosts that don't already have at least one tag.

Thank you!

I think this may have helped me narrow down an issue with the scripts PSFalcon uses to add tags. In one of my tests, CsSensorSettings.exe was generating an error about invalid characters. I think I was able to get away without using some quotes before and now the executable doesn't like it. 😆

I'm working on an updated version of Add-FalconSensorTag (and the other SensorTag commands, along with accompanying scripts) that should hopefully resolve this.

[bk-cs]

I have re-written the Add-FalconSensorTag and Remove-FalconSensorTag commands and seem to have resolved this issue. The fix for these commands will be included in the next release. If you'd like to update your local module before release, you can replace public\psf-sensors.ps1 using the steps outlined below.

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/1fa521bf21c8bb75ea5a85d56e3a35d686a271d2/public/psf-sensors.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-sensors.ps1)

Once you have replaced the file, restart PowerShell and re-import PSFalcon before testing.