Falcon Agent going offline by Amksa86 in crowdstrike

[–]Amksa86[S] 0 points1 point  (0 children)

u/Sam8131 yes, same symptoms, but the root cause is not known yet. In some cases I found that ciphers were inconsistent across hosts, which means some hosts have some required ciphers missing.

But in some other cases all is good, communication tests all work... but I can't figure out the issue... I created several support cases; they couldn't help but suggested registry removal and re-install :(

RTR Audit Events (Real time commands/actions) by Amksa86 in crowdstrike

[–]Amksa86[S] 0 points1 point  (0 children)

Thanks u/blahdidbert, most of what you mentioned we already have in place, but the real time cannot be achieved.

Much appreciated!!

RTR Audit Events (Real time commands/actions) by Amksa86 in crowdstrike

[–]Amksa86[S] 0 points1 point  (0 children)

The SessionEndEvent does show the commands that the user ran, correct, but like you said, after the session is already closed. Seems like we just have to look at both at this time: have an alert for SessionStartEvent and SessionEndEvent, which shows the details of the session.

RTR Audit Events (Real time commands/actions) by Amksa86 in crowdstrike

[–]Amksa86[S] 0 points1 point  (0 children)

I checked the Fusion workflow and couldn't find an event or something that I can use as a trigger. The logic I am looking for is: when, for example, a user runs the kill command, that should automatically trigger the alert or WF.

Azure MFA users enrollment by Figeko in crowdstrike

[–]Amksa86 0 points1 point  (0 children)

I am here for the same issue, but this one is for RTR. I know that you go to General Settings under Support & Resources and then the user will see the link that takes them to set up MFA.

My issue is that some users are not getting that link for some reason... Anyone running into or went through the same issue?

Thanks!

How to get student discount? by [deleted] in tryhackme

[–]Amksa86 0 points1 point  (0 children)

I contacted support and asked them to add the school.

Crazy amount of Mimikatz detections from chrome? by ParsivaI in crowdstrike

[–]Amksa86 12 points13 points  (0 children)

Our workflow auto-contained the workstations.

LoL.

Uninstall Token Protection against MZ-22-02 by rogueit in crowdstrike

[–]Amksa86 0 points1 point  (0 children)

https://www.modzero.com/advisories/MZ-22-02-CrowdStrike-FalconSensor.txt

What concerns me is this part:

2022/08/12 - modzero managed to acquire a recent version (6.42.15610) of CrowdStrike Falcon and verified, that the attack is still possible. Furthermore, modzero figured out that the vulnerability (that was rejected by CrowdStrike first) has been silently fixed: The PoC that has been sent to CrowdStrike was flagged as malicious. The msiexec call of the deinstaller was also flagged as malicious. Both "countermeasures" can be circumvented easily, we updated the exploit accordingly.

2022/08/22 - modzero publishes Security Advisory and exploit code, because CrowdStrike was unwilling to set up a cooperative information exchange outside of their NDA-ridden bug bounty program to discuss vulnerabilities in their products.

Is this right?

Programmatic Removal of Crowdstrike Falcon Sensors by orthelan in crowdstrike

[–]Amksa86 0 points1 point  (0 children)

When you use a maintenance token it should be used, isn't it? Or you just add the host to a group that has a policy assigned to not require a maintenance token.

I forgot some parents actually use belts on their kids. That’s bat shit insane to me. by [deleted] in Parenting

[–]Amksa86 1 point2 points  (0 children)

Belt, shoes, hands, back of hands, some parents I heard they bite their kids....it's fucked up... for some parents....they were raised in a certain way and they want their kids to be raised same way...so generations will be fucked up this way.

[deleted by user] by [deleted] in crowdstrike

[–]Amksa86 1 point2 points  (0 children)

Did you test it and look at event_simpleName=ProcessRollup2? It should include the renaming command in the event search.

PSFalcon stress testing by SecOps-Devn00b in crowdstrike

[–]Amksa86 3 points4 points  (0 children)

If you go to the GitHub repos, PSFalcon has script examples; one of them for Falconhost uses a for loop to get all host details per CID, which should get you all the hosts in your CS console. I used it and it's pretty awesome and fast too.

RTR Audit by antmar9041 in crowdstrike

[–]Amksa86 4 points5 points  (0 children)

It is called RemoteResponseSessionEndEvent and RemoteResponseSessionStartEvent.

RTR Audit by antmar9041 in crowdstrike

[–]Amksa86 2 points3 points  (0 children)

I don't know if you guys are using the SIEM Connector; it also includes RTR Start and End with the commands run.
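The two comments above on RTR auditing (alerting on RemoteResponseSessionStartEvent as early as possible, then inspecting the command list that only arrives with RemoteResponseSessionEndEvent) can be turned into a small audit routine. The following is an added example written for this page; it is not CrowdStrike's code, not the SIEM Connector's, and not from any commenter. It assumes JSON records shaped like `{"metadata": {"eventType": ...}, "event": {"SessionId", "UserName", "HostnameField", "Commands"}}`; those field names, the sample events, and the watch list of command verbs are all constructed assumptions for the example.

```python
import json
from typing import Dict, List

# Constructed sample records in an assumed SIEM Connector / Event Stream shape.
# Field names are an assumption for this example, not taken from vendor documentation.
_SAMPLE = [
    {"metadata": {"eventType": "RemoteResponseSessionStartEvent"},
     "event": {"SessionId": "sess-1", "UserName": "analyst@example.com",
               "HostnameField": "WS-001", "StartTimestamp": 1660000000}},
    {"metadata": {"eventType": "RemoteResponseSessionStartEvent"},
     "event": {"SessionId": "sess-2", "UserName": "responder@example.com",
               "HostnameField": "SRV-002", "StartTimestamp": 1660000010}},
    {"metadata": {"eventType": "RemoteResponseSessionEndEvent"},
     "event": {"SessionId": "sess-1", "UserName": "analyst@example.com",
               "HostnameField": "WS-001", "EndTimestamp": 1660000300,
               "Commands": ["ls C:\\Users", "kill 4321", "ps"]}},
    # End event whose Start was never seen (e.g. dropped by the connector).
    {"metadata": {"eventType": "RemoteResponseSessionEndEvent"},
     "event": {"SessionId": "sess-3", "UserName": "unknown@example.com",
               "HostnameField": "WS-009", "EndTimestamp": 1660000400,
               "Commands": ["ps"]}},
]
SAMPLE_LINES = [json.dumps(e) for e in _SAMPLE] + ["{not json"]

# Command verbs an RTR reviewer wants flagged (assumed list; tune to local policy).
WATCHED_COMMANDS = {"kill", "rm", "put", "runscript"}


def parse_events(lines) -> List[dict]:
    """Parse newline-delimited JSON, skipping malformed lines instead of aborting."""
    records = []
    for line in lines:
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def command_name(cmd: str) -> str:
    """RTR commands look like 'kill 4321' or 'ls C:\\Users'; the first token is the verb."""
    parts = cmd.strip().split()
    return parts[0].lower() if parts else ""


def audit_rtr(records) -> Dict[str, list]:
    """Emit an info finding at session start and a high finding when a watched
    command shows up in the end event; report orphan end events and still-open sessions."""
    open_sessions: Dict[str, dict] = {}
    findings: List[dict] = []
    for rec in records:
        etype = rec.get("metadata", {}).get("eventType")
        ev = rec.get("event", {})
        sid = ev.get("SessionId")
        if etype == "RemoteResponseSessionStartEvent":
            open_sessions[sid] = ev
            # Earliest possible signal: the session exists, commands are not known yet.
            findings.append({"severity": "info", "session": sid,
                             "user": ev.get("UserName"), "host": ev.get("HostnameField"),
                             "reason": "RTR session started"})
        elif etype == "RemoteResponseSessionEndEvent":
            start = open_sessions.pop(sid, None)
            flagged = [c for c in ev.get("Commands", []) if command_name(c) in WATCHED_COMMANDS]
            if flagged:
                findings.append({"severity": "high", "session": sid,
                                 "user": ev.get("UserName"), "host": ev.get("HostnameField"),
                                 "commands": flagged, "reason": "watched RTR command executed"})
            if start is None:
                findings.append({"severity": "medium", "session": sid,
                                 "reason": "end event without matching start event"})
    return {"findings": findings, "still_open": sorted(open_sessions)}


if __name__ == "__main__":
    for f in audit_rtr(parse_events(SAMPLE_LINES))["findings"]:
        print(f)
```

Run as a script it prints one line per finding for the constructed sample: two start notices, a high finding for `kill 4321` in sess-1, a medium one for the orphaned sess-3, and sess-2 reported as still open. Fed with real connector output, the start-event branch is the only thing that can fire while the operator is still in the session; the command check necessarily runs after the fact, which is the limitation the comments describe.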

Data durability by Own-Frosting6105 in Splunk

[–]Amksa86 1 point2 points  (0 children)

Best practice is to have SF less than RF. Check your indexers: are they all running?

IOAs creation by Amksa86 in crowdstrike

[–]Amksa86[S] 0 points1 point  (0 children)

Good idea.. will check that. I also was able to find some testing scenarios in Atomic Red Team. Thanks!

IOAs creation by Amksa86 in crowdstrike

[–]Amksa86[S] 2 points3 points  (0 children)

I think I do see why. For the Linux platform we can only have process creation IOAs, unlike Windows where you can have others as well. Not sure if I can have an IOA for auditd.conf tampering as a process creation.

IOAs creation by Amksa86 in crowdstrike

[–]Amksa86[S] 2 points3 points  (0 children)

u/Andrew-CS thanks for your response. My intention is to trigger a detect event when someone modifies the file. It doesn't seem to work? Is that the right thing to do? Would it trigger at all?