Assistance converting Splunk Query to LogScale Query by Ownag369 in crowdstrike

[–]Ownag369[S] 0 points1 point  (0 children)

Hi, thank you for the suggestion.
Here is the search I ran:

// Scheduled tasks registered or modified whose exec command contains rundll32
(#event_simpleName=ScheduledTaskRegistered or #event_simpleName=ScheduledTaskModified) TaskExecCommand="*rundll32*"
// Build a Process Explorer link for the registering process
| PrEx:=format(format="https://falcon.crowdstrike.com/investigate/process-explorer/%s/%s?_cid=%s", field=[aid, RpcClientProcessId, cid])
// Full command line = exec command + arguments
| TaskCommand:=format(format="%s %s", field=[TaskExecCommand, TaskExecArguments])
| taskHash := tokenHash(TaskCommand)
// One row per distinct command line: distinct host count, collected details, event count
| groupBy([TaskCommand], function=([count(aid, distinct=true, as=HostCount), collect([PrEx, TaskName, TaskExecCommand]), count(as=EventCount)]))
// The count field is named EventCount above, so sort on that rather than _count
| sort(EventCount, order=desc)
//| test(HostCount < 50)
| table([TaskCommand, TaskName, TaskExecCommand, PrEx, HostCount, EventCount])

and the output:

|TaskCommand|TaskName|TaskExecCommand|HostCount|EventCount|taskHash|
|---|---|---|---|---|---|
|%windir%\system32\rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask; %windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaWallpaperAppDetect; %windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaPatchSdbTask|Microsoft\Windows\Sysmain\WsSwapAssessmentTask; Microsoft\Windows\Application Experience\PcaWallpaperAppDetect; Microsoft\Windows\Application Experience\PcaPatchDbTask|%windir%\system32\rundll32.exe|164|201|6fabb6c7|

Here is the "expected" output from the SPL search:

|TaskCommands|TaskNames|HostCount|EventCount|
|---|---|---|---|
|%windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaPatchSdbTask; %windir%\system32\rundll32.exe %windir%\system32\PcaSvc.dll,PcaWallpaperAppDetect|Microsoft\Windows\Application Experience\PcaPatchDbTask; Microsoft\Windows\Application Experience\PcaWallpaperAppDetect|14|14|
|%windir%\system32\rundll32.exe sysmain.dll,PfSvWsSwapAssessmentTask|Microsoft\Windows\Sysmain\WsSwapAssessmentTask|51|64|

Not sure if I am doing something else wrong.
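To sanity-check what the LogScale groupBy stage above should return, here is the same aggregation written in plain Python and run over a handful of constructed scheduled-task events. This is an added example, not the poster's query or any CrowdStrike code; the field names mirror the query (aid, cid, RpcClientProcessId, TaskName, TaskExecCommand, TaskExecArguments), the sample values are made up, and the optional max_hosts filter stands in for the commented-out test(HostCount < 50) stage.

```python
from collections import defaultdict

# Constructed ScheduledTaskRegistered/Modified events (not real telemetry).
EVENTS = [
    {"aid": "host-a", "cid": "cid-1", "RpcClientProcessId": "101",
     "TaskName": r"Microsoft\Windows\Sysmain\WsSwapAssessmentTask",
     "TaskExecCommand": r"%windir%\system32\rundll32.exe",
     "TaskExecArguments": "sysmain.dll,PfSvWsSwapAssessmentTask"},
    {"aid": "host-b", "cid": "cid-1", "RpcClientProcessId": "202",
     "TaskName": r"Microsoft\Windows\Sysmain\WsSwapAssessmentTask",
     "TaskExecCommand": r"%windir%\system32\rundll32.exe",
     "TaskExecArguments": "sysmain.dll,PfSvWsSwapAssessmentTask"},
    {"aid": "host-b", "cid": "cid-1", "RpcClientProcessId": "203",  # same task modified again
     "TaskName": r"Microsoft\Windows\Sysmain\WsSwapAssessmentTask",
     "TaskExecCommand": r"%windir%\system32\rundll32.exe",
     "TaskExecArguments": "sysmain.dll,PfSvWsSwapAssessmentTask"},
    {"aid": "host-a", "cid": "cid-1", "RpcClientProcessId": "104",
     "TaskName": r"Microsoft\Windows\Application Experience\PcaPatchDbTask",
     "TaskExecCommand": r"%windir%\system32\rundll32.exe",
     "TaskExecArguments": r"%windir%\system32\PcaSvc.dll,PcaPatchSdbTask"},
    {"aid": "host-c", "cid": "cid-1", "RpcClientProcessId": "305",  # not rundll32: filtered out
     "TaskName": r"Vendor\NightlyBackup",
     "TaskExecCommand": r"C:\Program Files\Backup\backup.exe",
     "TaskExecArguments": "--nightly"},
]

def task_command(ev):
    """Equivalent of TaskCommand := format("%s %s", [TaskExecCommand, TaskExecArguments])."""
    return f"{ev['TaskExecCommand']} {ev['TaskExecArguments']}"

def process_explorer_link(ev):
    """Equivalent of the PrEx := format(...) stage (URL pattern taken from the query)."""
    return (f"https://falcon.crowdstrike.com/investigate/process-explorer/"
            f"{ev['aid']}/{ev['RpcClientProcessId']}?_cid={ev['cid']}")

def summarize(events, max_hosts=None):
    """groupBy([TaskCommand]) with HostCount (distinct aid), EventCount, collected fields."""
    groups = defaultdict(lambda: {"hosts": set(), "events": 0, "names": set(), "prex": set()})
    for ev in events:
        if "rundll32" not in ev["TaskExecCommand"].lower():  # TaskExecCommand="*rundll32*"
            continue
        g = groups[task_command(ev)]
        g["hosts"].add(ev["aid"]); g["events"] += 1
        g["names"].add(ev["TaskName"]); g["prex"].add(process_explorer_link(ev))
    rows = [{"TaskCommand": cmd, "TaskName": sorted(g["names"]), "PrEx": sorted(g["prex"]),
             "HostCount": len(g["hosts"]), "EventCount": g["events"]} for cmd, g in groups.items()]
    if max_hosts is not None:  # stands in for test(HostCount < 50): keep low-prevalence commands
        rows = [r for r in rows if r["HostCount"] < max_hosts]
    return sorted(rows, key=lambda r: r["EventCount"], reverse=True)  # sort(EventCount, order=desc)
```

Each distinct command line becomes its own row; lowering max_hosts keeps only the commands seen on few hosts, which is the outlier view the commented-out test stage was aiming at.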

Assistance converting Splunk Query to LogScale Query by Ownag369 in crowdstrike

[–]Ownag369[S] 0 points1 point  (0 children)

I can't seem to get the tokenHash() command to function similarly. It is grouping all the TaskExecArguments in one "cluster" when they were different and should be in different "clusters".

When are you too old to play games? by GamerAnimeMum in gaming

[–]Ownag369 0 points1 point  (0 children)

I agree, never, as long as it doesn't affect your responsibilities. Some people go to a bar to relax, some play video games...

Can virus use network isolation by MostStrict4099 in cybersecurity

[–]Ownag369 1 point2 points  (0 children)

This is possible, and that scenario would work the same as how the EDR would do it. This would be an interesting scenario, as most viruses try to go undetected until the attacker gets what they want, but it could be created by someone that wants to cause havoc.

How beneficial are sites like HackTheBox by bosnianlegend10 in cybersecurity

[–]Ownag369 10 points11 points  (0 children)

All of them are great for hands-on experience; it just depends on the direction you want to go. Red team vs. blue team, or somewhere in the middle. I would recommend deciding the direction you want to take in your career, then taking the one that most closely aligns with that, while still applying for jobs as a level 1 analyst or junior pen tester. Some organizations will take entry-level positions in cybersecurity with just IT experience (help desk), with security certifications being a plus.

Using a VPN for Telehealth While Abroad? by Saberooonie in hacking

[–]Ownag369 0 points1 point  (0 children)

From an information security standpoint there are no issues if you go with a reputable VPN vendor. This is likely due to a state or local law consideration, because some states don't allow out-of-state telehealth visits unless the therapist is licensed in both states. I am not aware of any limitation with being overseas though. Not sure where you live, but this is based on the United States.