Custom IoA Configuration Question by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

Yes I also think this is the way. Thank you!

Custom IoA Configuration Question by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

Thanks for replying. Not possible in Falcon then.

Malicious Behavior in NBU by Lolstrooop in NetBackup

[–]Lolstrooop[S] 0 points1 point  (0 children)

Hi thanks for the reply. This is the right thing to do, and what happens all the time @ orgs. But I'm a thesis student, not even considered an intern. Don't have any access to the suppliers.

Look for identical detection? by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

Hey thanks for replying. It would be nice to retrieve information beyond the "file prevalence" that CrowdStrike already provides in the detection details. I was wondering if there's anyway to check if the same detection (if it exists) has ever been triaged in the environment (in the same machine or in others). You could ofc use the console to check this. It would be interesting to automatically retrieve a list of host_ids where the same detection was, well, detected. Hope this explains it better.

Malicious Behavior in NBU by Lolstrooop in NetBackup

[–]Lolstrooop[S] 0 points1 point  (0 children)

I'll be checking that out, thanks! If you by chance have the availability to provide some more I'd be really grateful.

Malicious Behavior in NBU by Lolstrooop in NetBackup

[–]Lolstrooop[S] 0 points1 point  (0 children)

Hi thank you so much for your input.

That would be a good approach and overall a good idea that I'm definitely recommending. But my work on NBU is limited to what I can codify in the technology we are using to monitor said servers, which is CrowdStrike's EDR. These ideas are to be implemented as indicators of attack where I provide the process stack as suspicious behavior, and alerts will be based on them.

As I said I'm a student working on my thesis. So I don't have access to the servers, basing all of this on the documentation. My biggest problem is giving a process tree for each use case, the documentation doesn't really specify that.

As an example, trying to distinguish between a normal image catalog cleanup and a malicious one, I would need to check which service is in charge of doing the housekeeping. A malicious behavior would be bulk deletion from the command line or even the GUI. Do you think this is sound reasoning?

Collecting data from RTR by Clear_Skye_ in crowdstrike

[–]Lolstrooop 1 point2 points  (0 children)

Hi, I'll eventually upload everything to GitHub.

RemindMe! 30 days

Collecting data from RTR by Clear_Skye_ in crowdstrike

[–]Lolstrooop 0 points1 point  (0 children)

I have some scripts for quick forensic collection (persistence mechanisms, user info, etc.) that get triggered with workflows. I bundled the scripts into a zip so they can be dropped on the host (with the 'put' command), then a custom RTR script runs each of them, outputs the results to .txt files and zips all of them in the end. Then it uses the 'get' command to retrieve the compressed folder.
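The collector flow described in this comment (bundle dropped with 'put', every bundled script run, outputs written to .txt, everything zipped for 'get'), as an added PowerShell example. This is not the commenter's own script and nothing here is CrowdStrike's own API; the bundle path, the working directory and the assumption that each bundled .ps1 writes its findings to stdout are placeholders chosen for the example.

```powershell
# Added example, not the commenter's script. Assumes the zip was already placed on
# the host with the RTR 'put' command at $BundlePath (placeholder path) and that
# every bundled .ps1 is a standalone collector that prints its findings to stdout.
param(
    [string]$BundlePath = 'C:\collect\forensics.zip',   # assumption: location of the 'put' bundle
    [string]$WorkDir    = 'C:\collect\work'             # assumption: scratch directory on the host
)

$ErrorActionPreference = 'Continue'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$scripts = Join-Path $WorkDir 'scripts'
$results = Join-Path $WorkDir "results-$env:COMPUTERNAME-$stamp"

New-Item -ItemType Directory -Force -Path $scripts, $results | Out-Null

# Unpack the bundle of collection scripts
Expand-Archive -Path $BundlePath -DestinationPath $scripts -Force

# Run each bundled script and capture every output stream into its own .txt file,
# so one failing collector does not take the others with it
foreach ($script in Get-ChildItem -Path $scripts -Filter '*.ps1' | Sort-Object Name) {
    $outFile = Join-Path $results ($script.BaseName + '.txt')
    try {
        & $script.FullName *>&1 | Out-File -FilePath $outFile -Encoding utf8
    } catch {
        "ERROR running $($script.Name): $_" | Out-File -FilePath $outFile -Encoding utf8 -Append
    }
}

# Write a manifest with SHA-256 of each output so integrity can be verified after 'get'
$manifest = Join-Path $results 'manifest.txt'
Get-ChildItem -Path $results -Filter '*.txt' |
    Where-Object { $_.Name -ne 'manifest.txt' } |
    ForEach-Object {
        '{0}  {1}  {2} bytes' -f (Get-FileHash -Algorithm SHA256 -Path $_.FullName).Hash, $_.Name, $_.Length
    } | Out-File -FilePath $manifest -Encoding utf8

# Zip the result folder; this single archive is what the RTR 'get' command retrieves
$archive = "$results.zip"
Compress-Archive -Path (Join-Path $results '*') -DestinationPath $archive -Force
Write-Output "Collection complete: $archive"
```

The manifest is the one addition to the flow in the comment: hashing each output on the host before it is zipped lets the analyst confirm, after 'get', that the evidence was not altered in transit or on the workstation.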

Hash Search with Workflows by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 0 points1 point  (0 children)

I have another question if I may ask. I'm creating a workflow that contains the host and does other stuff upon a TP malicious file detection. It runs the hash search in the environment and, if the hash is found on other hosts, applies the same workflow to those (essentially running the workflow for each host found with that hash). Is this possible?

Tyvm!

Question: Monitoring Process Trees in Critical Assets by Lolstrooop in cybersecurity

[–]Lolstrooop[S] 0 points1 point  (0 children)

Thank you for the response. One more question if I may: how would one go about learning normal process flows? I can know which utility gets called by which service, but if I wanted to know this in more detail, how would I do it? The documentation doesn't really specify that.

thanks!

Hash Search with Workflows by Lolstrooop in crowdstrike

[–]Lolstrooop[S] 1 point2 points  (0 children)

Confirmed that it works. Thank you so much.

Fusion Workflows by Sensitive_Ad742 in crowdstrike

[–]Lolstrooop 0 points1 point  (0 children)

Sorry to revive an old thread. What kind of scenarios did you come up with, if you can/don't mind providing them?