[ BUG ] Invoke-FalconDeploy incorrect execution order when queued

[infosecgrab]

Describe the bug
When using Invoke-FalconDeploy on an offline host, the cmd are queued but sometimes do not execute in correct order when host finally comes online.

To Reproduce
With a offline "hostid":
Invoke-FalconDeploy -Archive "Archive.zip" -Run "runfile.exe" -QueueOffline $true -HostId <hostid>
If the different step command "mkdir","cd","put","runscript" are created with the same timestamp, the order of execution will be incorrect when the host comes online.

Expected behavior
Each queued command for the same host should have a different timestamp in order to predict execution order

Environment (please complete the following information):

• OS: Windows 10
• PowerShell: 5.1
• PSFalcon: 2.2.6

Additional context
Below a curated/redacted result of Get-FalconQueue command after the host came online and cmd executed
FalconQueue_20240104T1021017583.csv

Notice that the "cd" command, instead of last in order of execution should have in run in 2nd just after "mkdir" cmd

[bk-cs]

Interesting report! Thank you for submitting it.

I'll talk with the RTR engineering team and see if I can uncover an effective solution.

It also looks like the Expand-Archive command is happening after the execution of runfile.exe too...

[bk-cs]

In testing, it appears that PSFalcon is simply too fast for the CrowdStrike APIs. ;)

I submitted a queued job using Invoke-FalconDeploy for a single device and the commands were issued within about 2 seconds. The RTR queue API doesn't have millisecond accuracy when commands are issued, so issuing commands as fast as PSFalcon does means that the queue has the potential to pass them to the target device out of order.

The only solution is to add a delay to Invoke-FalconDeploy to ensure that no two commands are given in the same second. I'll add that in for the next release.

[bk-cs]

I've implemented the fix for the next release.

Could you try updating public\psf-real-time-response.ps1 in your local module, test Invoke-FalconDeploy and let me know if it resolves your issue? You can update your module using the commands below.

Import-Module -Name PSFalcon
$ModulePath = (Show-FalconModule).ModulePath
(Invoke-WebRequest -Uri https://raw.githubusercontent.com/CrowdStrike/psfalcon/d824c1cb1a96a540bfad6d06af4b7652e1d1b8e5/public/psf-real-time-response.ps1 -UseBasicParsing).Content > (Join-Path (Join-Path $ModulePath public) psf-real-time-response.ps1)

[infosecgrab]

Hey Awesome thanks a lot for the feedback, i didn't expect one so quick, you rock !
I tried the fix but ended up with some (but fewer than previously) unordered execution of queued commands.
I edited your fix with a 2 seconds delay and it works perfectly.
if ($QueueOffline -eq $true) { Start-Sleep -Seconds 2 }

It seems a 2 seconds delay is necessary.