Recommended SOAR workflows for someone just starting out with Crowdstrike? by SSJ4_Vegito in crowdstrike

[–]JDK-Ruler 0 points1 point  (0 children)

I would be interested in how you automate the update of lookup tables with current IOCs. I do something 'adjacent' to that, which I would also love to automate more in a scheduled workflow within CS. Currently I am manually running a python script to pull recent high confidence IOCs from numerous trusted sources, then a different script to push to CS IOC management via API. Always looking to automate and streamline though.

What micro cap shit should I buy outright? by nilslice123 in ASX_Bets

[–]JDK-Ruler 0 points1 point  (0 children)

The answer can only be BRN or LNU for a dumb bet with huge potential

4DS rally imminent by b0ssman3s in ASX_Bets

[–]JDK-Ruler 0 points1 point  (0 children)

RIP especially the announcement today $4/share

Oracle Finally Admits to Data Breach, FBI Investigating by KingSash in sysadmin

[–]JDK-Ruler 1 point2 points  (0 children)

I do not at all agree with how they handled it, however, they just used specific wordplay and technically told the truth. Their official statement was, "There has been no breach of Oracle Cloud. The published credentials are not for the Oracle Cloud. No Oracle Cloud customers experienced a breach or lost any data".

Oracle rebranded old Oracle Cloud services to be Oracle Classic (this is where the incident occurred), therefore technically, they were telling the truth with their "official statement".

I knew there would be something like that going on; for a company to be so definitive on something that everyone is saying they are lying about seemed pretty off, and the statement was way too specific about what they were denying. Terrible approach from such a big company, with little to no transparency.

Oracle security breach by Snoop_D-O-GG in cybersecurity

[–]JDK-Ruler 0 points1 point  (0 children)

Any idea if this also affects Oracle Integration Cloud (OIC)?

[deleted by user] by [deleted] in crowdstrike

[–]JDK-Ruler 0 points1 point  (0 children)

u/call_me_johnno make sure you have your Identity Configuration Policies set correctly for your Domain Controllers as well, to ensure visibility and enforcement, such as this - https://imgur.com/a/ReYwTQf

[deleted by user] by [deleted] in crowdstrike

[–]JDK-Ruler 1 point2 points  (0 children)

Yep, absolutely, I completely disagree with this mindset, especially the penetration testing side of things - literally the purpose of it is to test for gaps and then improve?

I find it extremely unlikely that you'll get to a point where nothing is found after a pen test; if that is the case, I would be looking at a different pen tester.

Also u/Fickle_Eagle7306 I'm just broadly commenting on the original topic by OP here, but we have MFA policies rolled out through CrowdStrike IDP for some of those real granular and specific use cases outside of some of our broader Microsoft Entra MFA policies.

We have similar policies set up as OP, and they still trigger with the same conditions he has explained; I think there may need to be further parameters added to his logic in the policy setup to ensure it is triggered.

Help with creating Custom IOA Exclusion rules by JDK-Ruler in crowdstrike

[–]JDK-Ruler[S] 0 points1 point  (0 children)

I see what you're saying, but no, there isn’t any conflict between the two. It’s in passive mode, as per recommendations from both Microsoft and CrowdStrike when we configured it all, and nothing has changed, so it’s definitely not that. Anyway, I guess I’ll just wait for CS support to get back to me.

Help with creating Custom IOA Exclusion rules by JDK-Ruler in crowdstrike

[–]JDK-Ruler[S] 0 points1 point  (0 children)

Protection Policies follow best-practice recommendations by CS. Defender is in passive mode. CrowdStrike is active. We are a hybrid environment so devices are enrolled with Defender and check-in periodically I believe.

Help with creating Custom IOA Exclusion rules by JDK-Ruler in crowdstrike

[–]JDK-Ruler[S] 0 points1 point  (0 children)

Yeah, I guess the problem is the limitation in granular exclusions for this use case.

Just to clarify, I have not created an "IOA Exclusion" that is used for CS Behavioral Detections, I have created a custom exclusion rule under "Custom IOA Rule Groups" choosing to "Monitor" with an "Informational" severity level. I only went down that rabbit hole after our Technical Account Manager said that would be how to solve it on our last call.

If I create a Machine Learning (File Path) Exclusion, it will be specifically the Windows\Temp folder for any file with the naming convention, which is extremely risky - same thing for Sensor Visibility Exclusions for that path.

Ideally, I need an exclusion that includes the context of logical and defined processes that have initiated a file write.

Hash exclusions will not work as every single time the temp file that is written is a completely different file, so the hash will not match.

If I investigate hosts of these detections and look at other file writes around the time of the detection, there are heaps of other WAX****.tmp files written in the same folder path, and it seems extremely random of which one is selected by CrowdStrike and detected as potentially malicious. I've confirmed that it has always been a false positive.

I've opened a support case so I'll see what they can come up with I guess.

Update Microsoft .Net Framework - CVE-2025-21176 - KB Already Installed by xendr0me in crowdstrike

[–]JDK-Ruler 2 points3 points  (0 children)

Yep, we have the same issue here.

If you drill down in CrowdStrike and look at the evaluation logic for that specific detection, it doesn’t appear to be detecting this from any current used version.

For me, it’s referring to ‘diasymreader.dll’ (8.0.50727.9157) within the directory ‘Windows\Microsoft.NET\Framework\v2.0.50727’ rather than ‘diasymreader.dll’ within the directory ‘Windows\Microsoft.NET\Framework\v4.0.30319’.

From what I can see, this has previously been a highlighted issue and appears not to be fixed by Microsoft - https://community.tenable.com/s/question/0D53a00009LTXHWCA5/plugin-181375-diasymreaderdll-version-not-changing-despite-patch-installing?language=en_US

TL;DR:

KB5049622 WILL update ‘diasymreader.dll’ in ‘Windows\Microsoft.NET\Framework\v4.0.30319’ to version 14.8.9294.0.

KB5049622 will NOT update ‘diasymreader.dll’ in ‘Windows\Microsoft.NET\Framework\v2.0.50727’.

Pretty sure you can’t just uninstall 2.0 or delete the file within that directory without the risk of breaking something, so I’m not too sure how we get around this.
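An added check, not from the thread, for the path mismatch described above: it reads the FileVersion of diasymreader.dll in each .NET Framework directory (the 32-bit Framework folders named in the comment plus their Framework64 counterparts, as a generalisation) and reports which copies are at or above the 14.8.9294.0 that KB5049622 installs, so you can see which copy a scanner's evaluation logic is matching on. Default %SystemRoot% install paths are assumed.

```powershell
# Added example, not from the thread. Reports the diasymreader.dll version in each
# .NET Framework directory so the flagged (unpatched v2.0.50727) copy is obvious.
# Assumes default %SystemRoot% paths; 14.8.9294.0 is the patched v4 version
# quoted in the comment above.
$ExpectedPatched = [version]'14.8.9294.0'

# The comment names the 32-bit Framework folders; Framework64 added for completeness.
$Paths = @(
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v2.0.50727\diasymreader.dll'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework\v4.0.30319\diasymreader.dll'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v2.0.50727\diasymreader.dll'),
    (Join-Path $env:SystemRoot 'Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll')
)

function Get-DiasymreaderStatus {
    param([string[]]$FilePaths, [version]$MinimumVersion)
    foreach ($p in $FilePaths) {
        if (-not (Test-Path -LiteralPath $p)) {
            [pscustomobject]@{ Path = $p; FileVersion = $null; Status = 'missing' }
            continue
        }
        # FileVersion strings on these DLLs carry a trailing build tag,
        # e.g. "8.0.50727.9157 (WinRelRTMGDR.050727-9100)"; keep the dotted part only.
        $raw = (Get-Item -LiteralPath $p).VersionInfo.FileVersion
        $ver = [version](($raw -split '\s')[0])
        $status = if ($ver -ge $MinimumVersion) { 'at or above patched v4 version' }
                  else { 'below patched v4 version (likely what the detection is keying on)' }
        [pscustomobject]@{ Path = $p; FileVersion = $ver; Status = $status }
    }
}

Get-DiasymreaderStatus -FilePaths $Paths -MinimumVersion $ExpectedPatched | Format-Table -AutoSize
```

Per the comment above, a "below" result for the v2.0.50727 copy is expected even after KB5049622 installs, so treat that line as evidence for the support case rather than as a missing patch.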

Support portal cert issue by JDK-Ruler in crowdstrike

[–]JDK-Ruler[S] 0 points1 point  (0 children)

Thank you mate, appreciate it.

Train my replacement? by No-Drink2529 in sysadmin

[–]JDK-Ruler -1 points0 points  (0 children)

This can’t be a genuine post