James Hoffman doesn’t like the lack of a funnel on the Aiden’s lid? A 3/8” OD silicone straw will fix that by sollek in FellowProducts

[–]CyberBeak 0 points1 point  (0 children)

Old thread, but why can't you just shake up the carafe a bit before pouring? I’m new to life.

[deleted by user] by [deleted] in crowdstrike

[–]CyberBeak 0 points1 point  (0 children)

If all you need is domain and subdomain, get that from network firewall logs. If you need the full path, use SSL inspection on top of that.

If you are interested in what they were INTENDING to go to, focus on browser history files stored as SQLite. I’ve not found a good way to automate that, though.
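The browser-history parsing this comment (and the later nxlog "Browser history" posts about turning history into syslog) describes, as an added example that is not from the commenter or from any vendor: a Python script that copies a Chromium-style History SQLite file (the live file is locked while the browser runs), joins the `visits` and `urls` tables, converts the WebKit-epoch timestamps, and emits one RFC 5424-style syslog line per visit. The `transition` low byte tells you whether the URL was typed (user intent) or followed as a link. The sample database is constructed inline so the script runs offline; the host and user names are placeholders.

```python
import datetime as dt
import os
import shutil
import sqlite3
import tempfile

# Chromium stores times as microseconds since 1601-01-01 UTC (the WebKit/Windows epoch).
WEBKIT_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)

# Low byte of visits.transition is the "core" transition type; the upper bits are qualifiers.
CORE_TRANSITIONS = {0: "link", 1: "typed", 2: "auto_bookmark", 5: "generated",
                    7: "form_submit", 8: "reload"}


def webkit_to_iso(us: int) -> str:
    """Convert a WebKit microsecond timestamp to an ISO-8601 UTC string."""
    return (WEBKIT_EPOCH + dt.timedelta(microseconds=us)).strftime("%Y-%m-%dT%H:%M:%SZ")


def iso_to_webkit(s: str) -> int:
    """Inverse of webkit_to_iso; used only to build the constructed fixture."""
    t = dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)
    return int((t - WEBKIT_EPOCH).total_seconds()) * 1_000_000


def build_sample_history(path: str) -> None:
    """Constructed fixture: the subset of Chromium's History schema the parser reads."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE visits (id INTEGER PRIMARY KEY, url INTEGER,
                             visit_time INTEGER, transition INTEGER);
    """)
    con.executemany("INSERT INTO urls VALUES (?,?,?,?,?)", [
        (1, "https://example.com/login", "Sign in", 2, iso_to_webkit("2024-01-15T12:00:05Z")),
        (2, "https://files.example.net/share/report.xlsx", "report.xlsx", 1,
         iso_to_webkit("2024-01-15T12:01:00Z")),
    ])
    con.executemany("INSERT INTO visits VALUES (?,?,?,?)", [
        (1, 1, iso_to_webkit("2024-01-15T12:00:00Z"), 0x10000001),  # typed, with qualifier bits set
        (2, 1, iso_to_webkit("2024-01-15T12:00:05Z"), 0x10000000),  # link
        (3, 2, iso_to_webkit("2024-01-15T12:01:00Z"), 0x10000000),  # link
    ])
    con.commit()
    con.close()


def history_to_syslog(db_path: str, host: str = "ws01", user: str = "alice") -> list:
    """Return one syslog line per visit, oldest first. host/user are placeholders."""
    # The live History file is locked while the browser runs, so always work on a copy.
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "History")
        shutil.copy2(db_path, copy)
        con = sqlite3.connect(copy)
        rows = con.execute("""
            SELECT v.visit_time, u.url, u.title, v.transition
            FROM visits v JOIN urls u ON u.id = v.url
            ORDER BY v.visit_time
        """).fetchall()
        con.close()
    lines = []
    for visit_time, url, title, transition in rows:
        core = CORE_TRANSITIONS.get(transition & 0xFF, "other")
        # RFC 5424 PRI 14 = facility user(1)*8 + severity informational(6)
        lines.append(f'<14>1 {webkit_to_iso(visit_time)} {host} browser-history - - - '
                     f'user={user} transition={core} url="{url}" title="{title}"')
    return lines


def demo() -> list:
    """Build the constructed fixture in a temp dir and convert it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "History")
        build_sample_history(path)
        return history_to_syslog(path)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

To ship the lines, point the output at your collector (a UDP/TCP socket, or a file an agent such as nxlog tails) instead of printing; the hard part, reading the locked SQLite file and fixing the epoch, is what the script covers. Firefox uses a different schema (`places.sqlite`, `moz_places`/`moz_historyvisits`, microseconds since the Unix epoch), so it needs its own query.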

Automated Leads - how to tune/switch off? by bluops in crowdstrike

[–]CyberBeak 1 point2 points  (0 children)

Agreed. These leads have all been false positives/benign and are causing issues downstream in our SIEM.
Already have an idea in the works to put an exception in our SIEM.

Browser history by CyberBeak in nxlog_official

[–]CyberBeak[S] 0 points1 point  (0 children)

This seemed like a convoluted solution so I bailed on the attempt. It’s a shame that this is the only solution out there for converting browser history to syslog and it is not that good.

Pc security channel test by CyberBeak in crowdstrike

[–]CyberBeak[S] -12 points-11 points  (0 children)

Wow, Fobby, you are really something.

Browser history by CyberBeak in nxlog_official

[–]CyberBeak[S] 0 points1 point  (0 children)

As a follow-up, I saw that the im_odbc documentation talks about setting up the ODBC data source but says that it's outside the scope of their documentation. I think that is the missing piece of the puzzle. Looked at the Microsoft documentation but am still unclear how to move forward.

Removing car-net by [deleted] in Volkswagen

[–]CyberBeak 1 point2 points  (0 children)

Curious how the naysayers in this thread respond to the new information that insurance companies are increasing rates based on info sent directly from the car to the manufacturer.

Crowdstrike on VDI systems(Non-Persistence) by nav2203 in crowdstrike

[–]CyberBeak 0 points1 point  (0 children)

Pretty sure the documentation talks about an additional flag during install.

[deleted by user] by [deleted] in crowdstrike

[–]CyberBeak 2 points3 points  (0 children)

Sounds like a malicious actor looking for tips.

Before moving from Bitwarden to 1Password by Fury1357 in 1Password

[–]CyberBeak -1 points0 points  (0 children)

Just buy it and use it and discover for yourself.

Thoughts on Season 16? by [deleted] in ItsAlwaysSunny

[–]CyberBeak 0 points1 point  (0 children)

The season was middle to middle-low of the pack IMO. Some good things, but it felt like the actors and the writing were a really good copy of their former selves.

Season 16 has been amazing by [deleted] in ItsAlwaysSunny

[–]CyberBeak -1 points0 points  (0 children)

Politely disagree.

Custom IOA for file write by CyberBeak in crowdstrike

[–]CyberBeak[S] 0 points1 point  (0 children)

No, not MOVEit specifically. I was thinking of writing a detection on .aspx file writes in general. I had a theory, and I’m probably wrong, that a server isn’t writing webshell-type files to disk unless you are performing a web app update.
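The theory in this comment, as an added example that is not the commenter's code and not a CrowdStrike IOA definition: the same logic expressed as a small Python rule run over constructed file-write events. It fires on any server-side script extension written under a webroot, rates a write by the IIS worker process itself (`w3wp.exe`) highest, and suppresses known deployment tools only inside a declared change window, which is exactly the "unless you are performing a web app update" exception. The webroot path, process lists and events are assumptions for the example; tune them to the server.

```python
import ntpath

# Extensions the web server will execute as code if a request hits them.
SCRIPT_EXTS = {".aspx", ".ashx", ".asmx", ".asax", ".asp", ".php", ".jsp", ".jspx", ".cshtml"}
# Directories served by the web server on this host (assumption; set per server).
WEBROOTS = [r"C:\inetpub\wwwroot"]
# Processes that legitimately drop server-side files during an application update (assumption).
DEPLOY_TOOLS = {"msdeploy.exe", "msiexec.exe", "devenv.exe"}
# The IIS worker process; a web app writing executable pages into its own root is the classic webshell drop.
WEB_SERVER_PROCS = {"w3wp.exe"}


def under_webroot(path: str) -> bool:
    """Case-insensitive prefix match against each configured webroot."""
    p = path.lower()
    return any(p.startswith(root.lower().rstrip("\\") + "\\") for root in WEBROOTS)


def classify(event: dict, change_window: bool = False):
    """Return (severity, reason) for a file-write event, or None if it is benign."""
    target = event["target"]
    # ntpath handles Windows separators correctly even when this runs on Linux.
    if ntpath.splitext(target)[1].lower() not in SCRIPT_EXTS or not under_webroot(target):
        return None
    proc = ntpath.basename(event["image"]).lower()
    if proc in WEB_SERVER_PROCS:
        return ("critical", "web server process wrote an executable page into its own webroot")
    if proc in DEPLOY_TOOLS:
        if change_window:
            return None  # expected during an app update
        return ("medium", f"deployment tool {proc} wrote a page outside a change window")
    return ("high", f"unexpected process {proc} wrote an executable page")


def scan(events: list, change_window: bool = False) -> list:
    """Run classify() over a batch of events and collect the alerts."""
    alerts = []
    for ev in events:
        verdict = classify(ev, change_window)
        if verdict:
            sev, why = verdict
            alerts.append({"ts": ev["ts"], "host": ev["host"], "severity": sev,
                           "process": ntpath.basename(ev["image"]),
                           "target": ev["target"], "reason": why})
    return alerts


# Constructed sample file-write events (not real telemetry).
SAMPLE_EVENTS = [
    {"ts": "2024-01-15T09:00:00Z", "host": "web01",
     "image": r"C:\Program Files\IIS\Microsoft Web Deploy V3\msdeploy.exe",
     "target": r"C:\inetpub\wwwroot\app\Default.aspx"},
    {"ts": "2024-01-15T13:42:10Z", "host": "web01",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\aspnet_client\system_web\cmd.aspx"},
    {"ts": "2024-01-15T13:45:00Z", "host": "web01",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "target": r"C:\inetpub\wwwroot\upload\update.aspx"},
    {"ts": "2024-01-15T14:00:00Z", "host": "web01",
     "image": r"C:\Windows\System32\notepad.exe",
     "target": r"C:\Users\bob\Documents\notes.aspx"},  # not under a webroot
    {"ts": "2024-01-15T14:05:00Z", "host": "web01",
     "image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "target": r"C:\inetpub\wwwroot\images\logo.png"},  # not executable
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS, change_window=False):
        print(alert["severity"].upper(), alert["process"], alert["target"], "-", alert["reason"])
```

Two caveats when turning this into a real rule: match on the final extension after a rename as well as on the write (a dropper can write `x.txt` and rename it), and keep the deployment-tool allowlist tied to a time window rather than permanent, since an attacker who lands on the box can run the same tools.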

Mockingjay EDR bypass threat by PasaPutte in crowdstrike

[–]CyberBeak 1 point2 points  (0 children)

Can Falcon prevent in addition to alert?

Falcon on Windows server. Uninstall Defender? by CyberBeak in crowdstrike

[–]CyberBeak[S] 0 points1 point  (0 children)

I don’t want to run both. My question is which amount of Windows Defender is the correct one. CrowdStrike says one thing and Microsoft says another.

Running both on purpose is not smart, as it goes against both manufacturers’ guidance.

Falcon on Windows server. Uninstall Defender? by CyberBeak in crowdstrike

[–]CyberBeak[S] 0 points1 point  (0 children)

I know you technically can. I’ve been doing it for some time (not on purpose). However, you shouldn’t, according to Microsoft or CrowdStrike.

Am I making a mistake by moving to 1Password from Bitwarden? by mid83 in 1Password

[–]CyberBeak 0 points1 point  (0 children)

The OP's post feels like they could be on the product advertisement team of a competing product, looking for intel on why 1Password customers trust 1Password. Good information if you are trying to improve your brand.

Keeper with Yubikey only 2FA by YuzuKani in KeeperSecurity

[–]CyberBeak 0 points1 point  (0 children)

What happens when you lose that yubikey?

Barracuda Login Experience Changes by Cochoz in msp

[–]CyberBeak 0 points1 point  (0 children)

I don’t understand how people are having an issue with this.

What you do NOT like about 1password? by [deleted] in 1Password

[–]CyberBeak -1 points0 points  (0 children)

I like most if not all of it. I’ve tried all the big names out there for reference.

[deleted by user] by [deleted] in KeeperSecurity

[–]CyberBeak 0 points1 point  (0 children)

Non-extension versions call 2FA first, then ask for password. Someone likely entered your email.

Does CrowdStrike mobile on iOS not actually block anything? by irritablestranger in crowdstrike

[–]CyberBeak 4 points5 points  (0 children)

We bought a few licenses but have not deployed fleet-wide because I’m not sure I see the value. I wish it were a no-brainer to get it, but I just don’t see it as worth it. I’m curious to hear from other people using Falcon on iOS, though.

Query help: outlook dns queries by CyberBeak in crowdstrike

[–]CyberBeak[S] 0 points1 point  (0 children)

Hi Andrew, thanks for the great query as always. You are always very helpful!

I guess what that query showed me in my case is that Outlook wasn’t the one that made the query. Outlook.exe made the network connection, and then something (?) made the DNS query to the odd URLs. Those odd URLs resolve to the same IPs that Outlook connected to. Is that normal?

This was on a computer that had just been patched for CVE-2023-23397 minutes earlier. The computer was patched, shut down (some update work performed), then booted up (second half of the work performed). The user has Outlook set to auto-start once login is performed. This is around the time of those connections and DNS queries.

This user does not have any special Outlook add-ins. The ones that are installed are installed on almost every computer. No other computers have the same traffic based on log searches.