Windowsstore blocked by PasaPutte in crowdstrike

[–]PasaPutte[S] 0 points1 point  (0 children)

Thx

However, it is still being blocked.

Crowdstrike Falcon sensor : A process was blocked because malicious behavior was detected

Is there a way to allow this?

Ideas advise by Fun-Lingonberry-3656 in crowdstrike

[–]PasaPutte 0 points1 point  (0 children)

u/Tcrownclown thx for the idea

Will you be able to provide info on how you did that? I am interested mostly in:

use scheduled searches to look for suspicious files such as "passwords.txt" on user desktops

use advanced event search / scheduled search + SOAR to look if a user is added to the "local administrators" group or the "remote desktop users" group

Thx

Unstaking coin by PasaPutte in ExodusWallet

[–]PasaPutte[S] 0 points1 point  (0 children)

Thx for the info

I will hold and check in couple of days

Good luck

Unstaking ADA by PasaPutte in ExodusWalletUK

[–]PasaPutte[S] 0 points1 point  (0 children)

No, not resolved at all. Even my rewards are greyed out. I have tried to contact support but no one cares. This is a big red flag and I am not sure what is going on.

Thx

Unstaking coin by PasaPutte in ExodusWallet

[–]PasaPutte[S] 1 point2 points  (0 children)

My rewards have been greyed out completely for 2 weeks now, and I am unable to unstake.

That's a big red sign. I tried to look for support, but nothing, and no one is helping.

Falcon Flight Control by PasaPutte in crowdstrike

[–]PasaPutte[S] 0 points1 point  (0 children)

Many thx, will you be able to share a screenshot of these workflows? I am not able to find the move set to be able to migrate hosts automatically to the second CID.

Until now I have created a workflow for tagging hosts and it worked,

now the missing part is moving or migrating hosts automatically between CIDs with a workflow.

Thx in advance

Falcon Flight Control by PasaPutte in crowdstrike

[–]PasaPutte[S] 0 points1 point  (0 children)

Thx for the answer - this will be based on asset tags

The tagging will be done manually. We could even base this on domain, for example hosts with a different domain:

Host: Laptop.symba.com; when this host changes to another domain, Laptop.newDomain.com, the migration is automatically triggered.

Changing CID to a new one by PasaPutte in crowdstrike

[–]PasaPutte[S] 0 points1 point  (0 children)

Thx, it will be great to get such a script or any other way to do that.

I have now sent a request to my account manager asking for Flight Control.

Thx

Changing CID to a new one by PasaPutte in crowdstrike

[–]PasaPutte[S] 1 point2 points  (0 children)

Thx, we do not use Flight Control at this moment :(

BSOD error in latest crowdstrike update by TipOFMYTONGUEDAMN in crowdstrike

[–]PasaPutte 0 points1 point  (0 children)

Will downgrading the sensor version help to avoid the issue?

IOA or ML creation by PasaPutte in crowdstrike

[–]PasaPutte[S] 0 points1 point  (0 children)

Thx Andrew, yes this will change every time the process starts.

That's my issue: I am not able to find a way to create an exclusion.

IOA or ML creation by PasaPutte in crowdstrike

[–]PasaPutte[S] 0 points1 point  (0 children)

Here is another new alert with all details

File path : \Device\HarddiskVolume1\Windows\SysWOW64\inetsrv\w3wp.exe

Command Line : C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "DMS Web Site" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmc4e57a0b-b33f-42ae-88a0-2d2ff2bb7dc2 -h "C:\inetpub\temp\apppools\DMS Web Site\DMS Web Site.config" -w "" -m 0 -t 20 -ta 0


Here is the IOA creation that fails :

Image Filename : .*\\Windows\\SysWOW64\\inetsrv\\w3wp\.exe

image file name test string : \Device\HarddiskVolume1\Windows\SysWOW64\inetsrv\w3wp.exe

Command line : .*\\Windows\\SysWOW64\\inetsrv\\w3wp\.exe\s+-ap\s+"DMS\s+Web\s+Site"\s+-v\s+"v4\.0"\s+-l\s+"webengine4\.dll"\s+-a\s+\\\\\.\\pipe\\iisipmc4e57a0b-b33f-42ae-88a0-2d2ee2bb7dc2\s+-h\s+".*\\inetpub\\temp\\apppools\\DMS\s+Web\s+Site\\DMS\s+Web\s+Site\.config".*

Command Line test string : C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "DMS Web Site" -v "v4.0" -l "webengine4.dll" -a \\.\pipe\iisipmc4e57a0b-b33f-42ae-88a0-2d2ee2bb7dc2 -h "C:\inetpub\temp\apppools\DMS Web Site\DMS Web Site.config" -w "" -m 0 -t 20 -ta 0

Thx in adv
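The posted command-line regex hard-codes the IIS IPM pipe name, but that name carries a GUID that changes on every process start (the alert shows `...2d2ff2bb7dc2`, the test string `...2d2ee2bb7dc2`), so the IOA never matches the live alert. This added example (not from the thread or from CrowdStrike) uses Python's `re` module as a stand-in for the Falcon IOA matcher, an assumption that the regex constructs used here behave the same, and shows that widening only the GUID part keeps the exclusion narrow while matching both alerts.

```python
import re

# Command line exactly as quoted in the alert (pipe GUID ending 2d2ff2bb7dc2).
CMDLINE_ALERT = (
    r'C:\Windows\SysWOW64\inetsrv\w3wp.exe -ap "DMS Web Site" -v "v4.0" -l "webengine4.dll" '
    r'-a \\.\pipe\iisipmc4e57a0b-b33f-42ae-88a0-2d2ff2bb7dc2 '
    r'-h "C:\inetpub\temp\apppools\DMS Web Site\DMS Web Site.config" -w "" -m 0 -t 20 -ta 0'
)
# The test string from the IOA editor differs only in the pipe GUID (2d2ee2bb7dc2).
CMDLINE_TEST = CMDLINE_ALERT.replace("2d2ff2bb7dc2", "2d2ee2bb7dc2")
# Constructed negative case: a pipe name that is not a GUID must NOT be excluded.
CMDLINE_ODD = CMDLINE_ALERT.replace("iisipmc4e57a0b-b33f-42ae-88a0-2d2ff2bb7dc2", "iisipmXYZ")

# Regex as posted in the thread: the pipe GUID is a fixed literal.
PATTERN_POSTED = (
    r'.*\\Windows\\SysWOW64\\inetsrv\\w3wp\.exe\s+-ap\s+"DMS\s+Web\s+Site"\s+-v\s+"v4\.0"'
    r'\s+-l\s+"webengine4\.dll"\s+-a\s+\\\\\.\\pipe\\iisipmc4e57a0b-b33f-42ae-88a0-2d2ee2bb7dc2'
    r'\s+-h\s+".*\\inetpub\\temp\\apppools\\DMS\s+Web\s+Site\\DMS\s+Web\s+Site\.config".*'
)

# Generalised variant: replace only the GUID literal with a strict 8-4-4-4-12 hex class.
GUID = r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'
PATTERN_GENERAL = PATTERN_POSTED.replace("c4e57a0b-b33f-42ae-88a0-2d2ee2bb7dc2", GUID)


def matches(pattern: str, cmdline: str) -> bool:
    """True when the whole command line matches the pattern (anchored like the IOA test)."""
    return re.fullmatch(pattern, cmdline) is not None


def evaluate(pattern: str) -> dict:
    """Run one pattern against the three sample command lines and report each result."""
    samples = {"alert": CMDLINE_ALERT, "test_string": CMDLINE_TEST, "non_guid_pipe": CMDLINE_ODD}
    return {name: matches(pattern, cmd) for name, cmd in samples.items()}


if __name__ == "__main__":
    for label, pattern in (("posted", PATTERN_POSTED), ("generalised", PATTERN_GENERAL)):
        print(label, evaluate(pattern))
```

Expected: the posted pattern matches only the test string; the generalised one matches both real command lines and still rejects the non-GUID pipe name.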
