-
One more thing that wasn't mentioned, I've searched for more details but have not been successful. As an option to the above, I'd like to "stream" a local powershell script, from my workstation to the RTR'd device. NOTE: this is a powershell script that has not been uploaded in the session to either Tools or Scripts. While polling the script for completion, write the output to a directory on the RTR'd device. Once the output has been written, download it directly from the RTR'd host to the local device.
-
Goal:
Execute a custom script stored in the CrowdStrike "Response Scripts and Files" library on a remote host using FalconPy within a GovCloud environment (api.laggar.gcw.crowdstrike.com).

Environment:
- Platform: CrowdStrike GovCloud (api.laggar.gcw.crowdstrike.com)
- Tool: Python script using falconpy SDK (latest version assumed)
- Target Host OS: Windows 11
- API Permissions: Confirmed API Client ID/Secret has Real Time Response (Admin): Write scope.

Issue:
When attempting to execute a Cloud Script using the RealTimeResponseAdmin.execute_admin_command method with base_command='runscript', the API consistently returns an HTTP 400 Bad Request error with the following details:

```json
{
  "errors": [
    {
      "code": 40006,
      "message": "Command is not valid"
    }
  ],
  // ... meta fields ...
}
```

This occurs before the command appears to be queued or sent to the host.

Code Snippet (Relevant Execution Logic - based on v0.1.14):
The core execution happens in a function that initializes an RTR session and then calls a helper function (run_rtr_command) to submit the command.

```python
# From execute_script_via_rtr function (simplified)
def execute_script_via_rtr(host_aid, client_id, client_secret, base_url, rtr_admin_handler,
                           cloud_script_name, script_params, target_hostname="N/A"):
    # ... (Session initialization logic) ...
    try:
        # ... (Session started successfully) ...
```

The helper function run_rtr_command correctly identifies the runscript base command and uses the admin handler:

```python
# From run_rtr_command function (simplified)
def run_rtr_command(rtr_handler, session_id, command_string, base_command="", rtr_admin_handler=None):
    # ...
    is_runscript_command = (base_command.strip().lower() == "runscript")
    # ...
    try:
        if is_runscript_command:
            # Use Admin endpoint specifically for 'runscript'
            operation_desc = f"RTR Admin Command 'runscript {command_string}' Submit"
            if not rtr_admin_handler:  # Check admin handler exists
                # ... (handle error) ...
            debug_print(f"Executing via SDK Admin: Command='runscript {command_string}'")
            # *** This is the call that fails with 400 / 40006 ***
            cmd_result = rtr_admin_handler.execute_admin_command(
                session_id=session_id,
                base_command='runscript',
                command_string=command_string,
                persist=False
            )
            status_check_method = rtr_handler.check_command_status  # Status uses standard handler
        # ... (elif for Active Responder commands like 'get') ...
        # ... (else for Standard commands like 'ls' via standard endpoint) ...
```

Troubleshooting Steps Taken:
- Verified Script: Confirmed the target Cloud Script (e.g., tracert_script, Get-ExternalIP) exists in the "Response Scripts and Files" library, is enabled, and is marked compatible with Windows.
- Verified Permissions: Confirmed the API Client ID has Real Time Response (Admin): Write scope assigned.
- Tested Different Scripts: The error occurs with multiple different scripts, including simple ones like Get-ExternalIP.
- Tested Script Name Formatting:
  - Tried -CloudFile='ScriptName' (single quotes) -> Error 40006
  - Tried -CloudFile="ScriptName" (double quotes) -> Error 40006
  - Tried -CloudFile=ScriptName (no quotes) -> Error 40006
  - Tried passing only the script name as command_string -> Error 40007 (Command not found)
- Tested Admin Endpoint: Executing a simple command like ls C:\ via the admin endpoint (execute_admin_command with base_command='ls') also failed with Command not found (Error 40007), suggesting the admin endpoint is likely specific to admin verbs like runscript. Running ls C:\ via the standard endpoint works fine.
- Tested Spaces in Name: Renamed a script to remove spaces (e.g., tracert_script) and tested again -> Same Error 40006.

Question:
Has anyone encountered this specific HTTP 400 / Error 40006: Command is not valid when using runscript -CloudFile= via the RealTimeResponseAdmin.execute_admin_command method in FalconPy, particularly within the GovCloud environment?

Is there a known syntax nuance, limitation, or potential bug related to this specific command and endpoint combination in GovCloud that we might be missing? Any suggestions for alternative approaches or further debugging steps would be greatly appreciated.

(Optional: Include one of the Trace IDs from the logs here)
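The following is an added example for the question above; it is not the poster's code and not a sample shipped with FalconPy. It assumes two things the post does not confirm: that the RTR service expects command_string to be the full command line with the verb repeated (runscript -CloudFile="Name", the way FalconPy's own RTR examples pass it, rather than only the -CloudFile part), and that FalconPy's RealTimeResponse and RealTimeResponseAdmin classes expose init_session, execute_admin_command, check_admin_command_status and delete_session with the keyword arguments used here. The base_url value "usgov1" is FalconPy's alias for api.laggar.gcw.crowdstrike.com. The command builder and the response classifier run offline; only run_cloud_script needs the SDK and credentials, so it imports falconpy lazily.

```python
"""Submit a CrowdStrike RTR cloud script through FalconPy and interpret the result.

Added example, not the poster's code or a FalconPy sample. Assumes the API
wants command_string as the full command line (verb included) and that the
FalconPy method names used below exist with these keyword arguments.
"""
import time

# Error codes quoted in the discussion, paired with the API's own messages.
RTR_ERROR_MEANINGS = {
    40006: "Command is not valid",
    40007: "Command not found",
}


def build_runscript_command(cloud_file: str, script_params: str = "") -> str:
    """Build the full RTR command line for a library ("cloud") script.

    The verb is repeated inside command_string instead of being supplied only
    through base_command, and the script name is double-quoted so names
    containing spaces survive the server-side parse.
    """
    if not cloud_file or '"' in cloud_file:
        raise ValueError("cloud script name must be non-empty and free of double quotes")
    command = f'runscript -CloudFile="{cloud_file}"'
    if script_params:
        # -CommandLine forwards arguments to the script itself.
        command += f' -CommandLine="{script_params}"'
    return command


def classify_rtr_response(response: dict) -> tuple:
    """Summarise a FalconPy response dict as (status, detail).

    status is "rejected" when the body carries an errors list (the HTTP 400 /
    40006 case in the discussion), "ok" for an accepted 200/201, else "unknown".
    """
    http_code = response.get("status_code")
    errors = (response.get("body") or {}).get("errors") or []
    if errors:
        first = errors[0]
        api_code = first.get("code")
        message = first.get("message") or RTR_ERROR_MEANINGS.get(api_code, "")
        return "rejected", f"HTTP {http_code} / {api_code}: {message}"
    if http_code in (200, 201):
        return "ok", ""
    return "unknown", f"HTTP {http_code}"


def run_cloud_script(host_aid: str, cloud_file: str, script_params: str,
                     client_id: str, client_secret: str, base_url: str = "usgov1",
                     poll_seconds: int = 2, timeout: int = 300) -> tuple:
    """Open an RTR session, run the cloud script, poll to completion, return (stdout, stderr)."""
    from falconpy import RealTimeResponse, RealTimeResponseAdmin  # pip install crowdstrike-falconpy

    rtr = RealTimeResponse(client_id=client_id, client_secret=client_secret, base_url=base_url)
    rtr_admin = RealTimeResponseAdmin(client_id=client_id, client_secret=client_secret, base_url=base_url)

    session = rtr.init_session(device_id=host_aid)
    status, detail = classify_rtr_response(session)
    if status != "ok":
        raise RuntimeError(f"init_session failed: {detail}")
    session_id = session["body"]["resources"][0]["session_id"]

    try:
        submitted = rtr_admin.execute_admin_command(
            base_command="runscript",
            command_string=build_runscript_command(cloud_file, script_params),
            session_id=session_id,
            persist=False,
        )
        status, detail = classify_rtr_response(submitted)
        if status != "ok":
            raise RuntimeError(f"runscript rejected before queuing: {detail}")
        request_id = submitted["body"]["resources"][0]["cloud_request_id"]

        deadline = time.monotonic() + timeout
        while time.monotonic() < deadline:
            # Admin-endpoint commands are polled on the admin status endpoint.
            check = rtr_admin.check_admin_command_status(cloud_request_id=request_id, sequence_id=0)
            result = check["body"]["resources"][0]
            if result.get("complete"):
                return result.get("stdout", ""), result.get("stderr", "")
            time.sleep(poll_seconds)
        raise TimeoutError(f"script {cloud_file} did not complete within {timeout}s")
    finally:
        # Always close the session so the host is not left with an open RTR channel.
        rtr.delete_session(session_id=session_id)


if __name__ == "__main__":
    # Constructed sample of the rejection shown in the discussion, for an offline run.
    sample_rejection = {"status_code": 400,
                        "body": {"errors": [{"code": 40006, "message": "Command is not valid"}]}}
    print(build_runscript_command("Get-ExternalIP"))
    print(classify_rtr_response(sample_rejection))
```

Logging the exact command_string next to the classified error (as the offline part does) is the quickest way to tell a malformed command line (40006) apart from an unknown verb on the wrong endpoint (40007), which is the distinction the troubleshooting list above was probing by hand.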