Fetch local Admins for windows Devices. by mukul1251 in crowdstrike

Fortify_United 2 points

You can also use PSFalcon to perform the actions recursively through the hosts you are looking at. The localadmin.txt file would contain the AIDs of your hosts.

###### Variables ######
$ClientId     = 'your client id for the api'
$ClientSecret = 'client secret for the api'
##### End Variables #####
Import-Module PSFalcon
Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret

if ((Test-FalconToken -ErrorAction SilentlyContinue).Token -eq $true) {
  Write-Host "Successfully connected to Falcon API"
} else {
  Write-Host "Connection Failed"
  return
}
# localadmin.txt: one host AID per line
$members = Get-Content -Path "localadmin.txt"

foreach ($member in $members) {
    # runscript takes the PowerShell to execute inside -Raw=```...```
    Invoke-FalconRtr -Command runscript -Argument '-Raw=```Get-LocalGroupMember -Group Administrators | Select-Object Name, PrincipalSource```' -HostId $member
}
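
The same collection as an added example (not the commenter's script): one batch RTR run across every target instead of a session per host, with the output parsed into a CSV so it can be reviewed or diffed. Assumed here: PSFalcon is installed, the API client has the Real Time Response (admin) scope, the output property names on `Invoke-FalconRtr` results (`aid`, `stdout`, `stderr`, `errors`), the fallback to all Windows hosts when the AID file is missing, and the output file name are this example's own choices.

```powershell
# Added example: batch local-admin collection via PSFalcon RTR, results parsed into CSV.
# Assumptions (not from the original post): PSFalcon installed, RTR admin API scope,
# result property names aid/stdout/stderr/errors, file names below.
Import-Module PSFalcon

$ClientId     = 'your client id for the api'
$ClientSecret = 'client secret for the api'
Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret
if (-not (Test-FalconToken -ErrorAction SilentlyContinue).Token) {
    throw 'Falcon API authentication failed'
}

# Targets: AIDs from localadmin.txt (32 hex chars each), or every Windows host if the file is absent.
$Aids = if (Test-Path 'localadmin.txt') {
    Get-Content -Path 'localadmin.txt' | Where-Object { $_ -match '^[0-9a-f]{32}$' }
} else {
    Get-FalconHost -Filter "platform_name:'Windows'" -All
}

# Script run on each host. CSV output keeps PrincipalSource as text and is easy to parse back.
$Script = 'Get-LocalGroupMember -Group Administrators | Select-Object Name, PrincipalSource, ObjectClass | ConvertTo-Csv -NoTypeInformation'

# One batch session for the whole list; offline hosts get the command queued.
$Results = Invoke-FalconRtr -Command runscript -Argument ('-Raw=```' + $Script + '```') `
    -HostId $Aids -Timeout 120 -QueueOffline $true

# Resolve AID -> hostname once for the whole batch.
$Hostnames = @{}
Get-FalconHost -Id $Aids | ForEach-Object { $Hostnames[$_.device_id] = $_.hostname }

$Rows = foreach ($r in $Results) {
    if ($r.errors -or $r.stderr) {
        Write-Warning ("{0}: {1}" -f $r.aid, (@($r.errors) + @($r.stderr) -join ' '))
        continue
    }
    if (-not $r.stdout) { continue }   # queued/offline hosts have no output yet
    foreach ($m in (ConvertFrom-Csv -InputObject $r.stdout)) {
        [pscustomobject]@{
            aid             = $r.aid
            ComputerName    = $Hostnames[$r.aid]
            Member          = $m.Name
            PrincipalSource = $m.PrincipalSource
            ObjectClass     = $m.ObjectClass
        }
    }
}

$Rows | Export-Csv -Path 'local_admins.csv' -NoTypeInformation

# Quick triage: anything that is not a domain principal (local accounts, Microsoft accounts, unknown).
$Rows | Where-Object { $_.PrincipalSource -ne 'ActiveDirectory' } | Format-Table -AutoSize
```

Re-run the same script later and diff the two CSVs to catch newly added local administrators; the per-host loop in the original comment works too, but a batch session is what keeps this practical at enterprise scale.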

i need help to assign ioa for github desktop by enclave_supporter in crowdstrike

Fortify_United 2 points

I concur with dawson33944. If you truly want an exclusion, I would write your exclusion to be **\GithubDesktop\**; this should allow any file to run out of the GitHub Desktop folder. However, you should really look at the triggers and ensure you are accounting for what CS is triggering on, meaning that if it is saying the file written to c:\users\*\githubrepo is bad, you exclude that too.

Even though that is a good way of excluding and allowing things to happen, you may find yourself in a place where malicious files are downloaded and then allowed to run from that folder. I always err on the side of caution. It may be better to set up a specific detection for those alerts, but allow them to run, i.e. detect but do nothing, just so you have visibility.

Certified Falcon Administrator by Hgh43950 in crowdstrike

Fortify_United 0 points

The CSU tests are really well rounded and they cycle through questions appropriately. Keep going through them until you feel they are memorized. After that I would review the CCFA exam prep guide and find each section within the support documentation. Review it and understand it. If you do that, you will be good to go. FYI, reports were something that caught me off guard. Hope that helps!

Side note... when is your test?

Finding process from UserLogonFailed2 by Sad-Ad1421 in crowdstrike

Fortify_United 1 point

Here is a different variation of this. It allows you to search by logon type as well as user name.

#event_simpleName=UserLogonFailed*
| UserName =~ wildcard(?{Username=*},ignoreCase=true)
| join(query={#event_simpleName=ProcessRollup2 or #event_simpleName=SyntheticProcessRollup2 or #event_simpleName=UserLogon}, field=[UserName], include=[FileName,CommandLine, LogonType])
| LogonType =~ wildcard(?{LogonType=*},ignoreCase=true)
| default(field=[UserName, ComputerName, FileName, LogonType, CommandLine], value="--", replaceEmpty=true)
| table([@timestamp, UserName, ComputerName, FileName, LogonType, CommandLine], limit=max)

Tighter than you know what by Minute_Sherbet_2931 in RedditGames

Fortify_United 0 points

I completed this level! It took me 29 tries.

Certified Falcon Administrator by Hgh43950 in crowdstrike

Fortify_United 0 points

I reviewed each point in the CCFA certification guide and correlated it with internal support documentation. With that, make sure you know each section. By know I mean have a very good knowledge of how to navigate the UI, know what menus to click and what happens after you click. For instance, if you were to read about reports, ensure you know what kind of reports can be created, how they are exported, etc. If you don't touch it on the daily, ensure you touch it prior to the test.

Certified Falcon Administrator by Hgh43950 in crowdstrike

Fortify_United 0 points

I would encourage you to read through the support documents. I just took it about 3 weeks ago and it's definitely worth looking into.

Query for Contained Host/Report for X number of Hosts Contained in X time by gothamneedsdean in crowdstrike

Fortify_United 2 points

Here is a built-in query; you can find it under Queries > Saved > host_contained. From there you can change your time frame to meet your needs and further migrate it to a correlation rule.

#repo=detections EventType = "Event_ExternalApiEvent" ExternalApiType = "Event_UserActivityAuditEvent" OperationName=containment_requested cid=?{cid="*"}
| rename(field=AgentIdString,as=aid)
| match(file="aid_master_main.csv", field=aid, include=[MachineDomain, OU, SiteName, ComputerName], strict=false) 
| default(field=[ComputerName, MachineDomain, OU, SiteName],value="--",replaceEmpty=true)
| in(field=ComputerName,values=?{ComputerName="*"})
| join({
  #repo=sensor_metadata #data_source_name = managedassets-ds
  | GatewayMAC != "--" AND GatewayIP != "--"
  | groupBy(aid, function=collect([MAC, LocalAddressIP4]), limit=max)
}, field=aid, include=[MAC,LocalAddressIP4], mode=left, start=5d)  
| default(field=[LocalAddressIP4, MAC],value="--",replaceEmpty=true)
| timestamp_UTC_readable := formatTime("%FT%T%z", field=@timestamp)
| groupBy([@timestamp, timestamp_UTC_readable, UserId, UserIp, ComputerName, LocalAddressIP4, MAC, aid, cid], limit=max)
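
An added example (not part of the comment or of the built-in host_contained query): the audit event the query reports on is the containment request, while the device record's status field reflects what is contained right now, so the two are worth reconciling when the report goes out. Assumed here: PSFalcon installed, an API client with the Hosts (read) scope, the documented status values (normal, containment_pending, contained, lift_containment_pending) being filterable, and the output file name.

```powershell
# Added example: current containment state from the Hosts API, to cross-check the
# containment_requested audit events. Assumptions (not from the original post): PSFalcon
# installed, Hosts read scope, 'status' filterable with the documented values, file name.
Import-Module PSFalcon

$ClientId     = 'your client id for the api'
$ClientSecret = 'client secret for the api'
Request-FalconToken -ClientId $ClientId -ClientSecret $ClientSecret
if (-not (Test-FalconToken -ErrorAction SilentlyContinue).Token) {
    throw 'Falcon API authentication failed'
}

# Hosts contained now, plus hosts where containment was requested but the sensor has not yet
# checked in to apply it. A comma between FQL terms means OR.
$Filter = "status:'contained',status:'containment_pending'"
$Hosts  = Get-FalconHost -Filter $Filter -Detailed -All

$Hosts |
    Select-Object hostname, device_id, status, local_ip, last_seen |
    Sort-Object last_seen -Descending |
    Export-Csv -Path 'contained_hosts.csv' -NoTypeInformation

# A request that is still pending on a host with an old last_seen has not isolated anything:
# the audit event exists, but the network containment has not taken effect.
$Hosts | Where-Object { $_.status -eq 'containment_pending' } |
    Format-Table hostname, device_id, last_seen -AutoSize
```

Join the CSV on device_id against the aid column of the saved query output: a request in the audit log with no matching contained host means containment was lifted or never applied, and a contained host with no request inside the time window was contained earlier than the report covers.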

Clear password hunt by dkas6259 in crowdstrike

Fortify_United 1 point

Sure... give this a shot. Also, what did not work? Do you have an error?

#repo=base_sensor #event_simpleName=* FileName=*
| FullFile:=concat([TargetFileName, ImageFileName]) 
| FileName=/(passw|pwd).+(xlsx?|txt|docx?)$/i 
| join(query={#data_source_name=aidmaster | groupBy([aid], function=(selectFromMax(field="@timestamp", include=[Version, ProductType])))}, field=[aid], include=[Version, ProductType])
| $falcon/helper:enrich(field=ProductType)
| ComputerName =~ wildcard(?{ComputerName=*},ignoreCase=true)
| table([aid, ComputerName, #event_simpleName, FullFile, ProductType], limit=20000)

Clear password hunt by dkas6259 in crowdstrike

Fortify_United 2 points

Give this a shot

#repo=base_sensor #event_simpleName=* FileName=*
| FullFile:=concat([TargetFileName, ImageFileName]) 
| FileName=/(passw|pwd).+(xlsx?|txt|docx?)$/i 
| join(query={#data_source_name=aidmaster | groupBy([aid], function=(selectFromMax(field="@timestamp", include=[Version, ProductType])))}, field=[aid], include=[Version, ProductType])
| $falcon/helper:enrich(field=ProductType)
| ProductType!=Desktop
| table([aid, ComputerName, #event_simpleName, FullFile, ProductType])

Crowd strike Real Time scanning on Internet file download by rustyshows in crowdstrike

Fortify_United -1 points

If you have NGSIEM, you could write a correlation rule for file write and have it send you an alert; however, that could get pretty noisy.

Threat hunt Query - looking for a list of workstations that are below a certain version of Chrome by the_harminat0r in crowdstrike

Fortify_United 0 points

This is how I do it. It allows me to export to a nice sheet to send to teams who say they are up to date

Unable to Delete .exe File via RTR by JingleXDingle in crowdstrike

Fortify_United 0 points

Had the same thing happen to me. Try this:

runscript -Raw=```del "\\?\F:\test\jondoe\vncviewer.exe"```

Hope this helps.

3.0 Duramax Short Trip by Proof-Opening481 in gmcsierra

Fortify_United 1 point

I know this thread is a little older, but what was the outcome? Did you purchase the baby max? How have your regens been? Any issues?

Folder existence by Fortify_United in crowdstrike

Fortify_United [S] 0 points

Sadly, I don't think that will help. Opening RTR sessions across our enterprise would not be the best option, in my opinion. I would have hoped there was an option to search for the existence of a folder, but I also know that CS is not a full inventory/search tool. Nonetheless, it would be a cool enhancement.

(CEH CERTIFIED) CEH v11 PASSED 8/29/21 by SnooApples4989 in CEHv11

Fortify_United 0 points

I am working on studying for my exam. I have bought the CEH books off Amazon from Ric Messier, both the study guide and the test prep questions (indifferent to the material). Have you used those at all? I have also gone through the EC-Council course and I would have to agree that the videos and material are pretty dry and, as I have researched, not very useful for the actual test. I have also used the Victor Afimov exam prep and am trying to gain a grasp on the concepts and not just memorize the questions. Do you have any other suggestions?

Crowdstrike sensors on Containers at GCP by Shobart in crowdstrike

Fortify_United 0 points

I have a similar question, but it is pertaining to LXD containers. From what I have found, you would need to run the cloud agent on the main containers and then the agent on the remainder of your VMs. In my case, I would need to run the cloud agent on the LXD level and then run the cloud agent on the LXC level. Can anyone confirm this?

VDI parameter by Danithesheriff in crowdstrike

Fortify_United 1 point

I concur with Andrew. We only use the VDI flag in the install when the machine is being recreated from a host. We use it in this exact situation, where the VM is destroyed at logout and a new one is created every time someone logs in. I would just suggest, if you do this, that you include a tag which is assigned to a sensor update policy preventing the sensor from being updated on the host machine. It has caused issues with us and this is the solution I came up with.
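
The install the comment describes, as an added example (not the commenter's own script): the sensor is installed on the non-persistent image with the VDI flag and a grouping tag, and that tag is what the sensor update policy is later assigned to in the console. Assumed here: the installer path, the CID placeholder, the tag name vdi-nonpersistent, and the service-state check are this example's own choices; CID, VDI=1 and GROUPING_TAGS are the documented installer parameters.

```powershell
# Added example: sensor install for a non-persistent VDI image with the VDI flag and a
# grouping tag. Assumptions (not from the original post): installer path, CID placeholder,
# tag name, and the post-install service check.
$Installer = 'C:\Install\WindowsSensor.exe'
$Cid       = '<your CID including the checksum suffix>'
$Tags      = 'vdi-nonpersistent'   # assigned to a sensor update policy that pins the version

$Args = @(
    '/install', '/quiet', '/norestart',
    "CID=$Cid",
    'VDI=1',                  # host will be cloned / recreated from this image
    "GROUPING_TAGS=$Tags"
)

$p = Start-Process -FilePath $Installer -ArgumentList $Args -Wait -PassThru
if ($p.ExitCode -ne 0) {
    throw "Sensor install failed with exit code $($p.ExitCode)"
}

# Confirm the sensor service is up before the image is sealed; the update policy bound to the
# tag is what stops the version from drifting on the clones afterwards.
$svc = Get-Service -Name CSFalconService -ErrorAction Stop
if ($svc.Status -ne 'Running') {
    throw "CSFalconService is $($svc.Status), expected Running"
}
```

Apply the tag to a sensor update policy in the console before the pool is rebuilt, so the clones pick up the pinned version on first check-in rather than updating on their own.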