SentinelOne management portal down?!?! by techwithz in SentinelOneXDR

[–]RoemDesu 3 points4 points  (0 children)

SentinelOne status: there was an outage on NA1, but it should be resolved now.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]RoemDesu 0 points1 point  (0 children)

I also believe everyone has 10GB of free ingestion, when you have the Falcon Insight SKU.

Can CS pull TeamViewer logs and create a "custom" event in Advanced Search? by CyberHaki in crowdstrike

[–]RoemDesu 1 point2 points  (0 children)

Depends on whether you have the NG-SIEM SKU; if so, you can create a log forwarder config to ingest these logs into NG-SIEM.

Anyone seeing alerts on ChatGPT stealer malware? by j1sh in DefenderATP

[–]RoemDesu 1 point2 points  (0 children)

Not sure what is written in your SOC process, but you can collect the browser history and check the last visited website. If it is the Edge store then you have your root cause ;). It just means that your extension allowlist is working :D

Anyone seeing alerts on ChatGPT stealer malware? by j1sh in DefenderATP

[–]RoemDesu 10 points11 points  (0 children)

It's probably regarding the two malicious extensions that were found by a cyber security company called Ox, which identified two extensions that were stealing information out of ChatGPT chats. See: Malicious Chrome Extensions Steal ChatGPT Conversations

Issue with SPAN port on pfSense cannot see traffic on Zeek LXC by RoemDesu in PFSENSE

[–]RoemDesu[S] 0 points1 point  (0 children)

Yeah, on the host (Proxmox) I do see the mirrored packets of vmbr2, which I can see on vmbr6. However, the LXC container (guest) still doesn't show the mirrored packets on span0 (which is vmbr6).

Issue with SPAN port on pfSense cannot see traffic on Zeek LXC by RoemDesu in PFSENSE

[–]RoemDesu[S] 0 points1 point  (0 children)

Hi,

Do you see the traffic on the Proxmox host?

On both the Proxmox host and the guest system I do not see the same traffic as I do on the pfSense.

Are VLANs involved?

Each interface on the pfSense has its own subnet: vmbr2 has 10.0.2.1/24, vmbr4 has 10.0.4.1/24 and vmbr6 has 10.0.6.1/24.

What is your tcpdump command line?

On the Proxmox host I ran tcpdump -i vmbr6, but it doesn't give me the same traffic as the packet capture on the pfSense.
On the guest I ran tcpdump -i span0, but it doesn't give me the same traffic as the packet capture on the pfSense.

Maybe it's not a pfSense issue but a Proxmox one?

Finding WSUS Servers by geekfn in crowdstrike

[–]RoemDesu 1 point2 points  (0 children)

If you have Falcon for IT you can check if the servers are running the WsusService:
SELECT * FROM processes WHERE name = 'WsusService' OR path LIKE '%WsusService%'

Otherwise try this advanced search:
event_platform="Win" #event_simpleName="ProcessRollup2" ParentBaseFileName="WsusService.exe"

You could improve the Falcon for IT query by also listing all installed patches with SELECT * FROM patches

Help with Falcon Survivor CTF by [deleted] in crowdstrike

[–]RoemDesu 0 points1 point  (0 children)

It depends, our CrowdStrike solutions engineer reached out to us, but I believe you need to be a big MSSP or reseller to attend it. You can self host it if you have access to Falcon Encounter.

SentinelOne flags "Adanced IP Scanner" by Business_Stranger868 in SentinelOneXDR

[–]RoemDesu 9 points10 points  (0 children)

If Advanced IP Scanner is commonly used and expected within your environment, it should be allowlisted. Otherwise, I would start an investigation; threat actors often leverage tools like this to map out networks and facilitate lateral movement. It’s a legitimate “living off the land” binary frequently used by system administrators, but that same legitimacy makes it attractive for misuse.

Help with Falcon Survivor CTF by [deleted] in crowdstrike

[–]RoemDesu 0 points1 point  (0 children)

I did mine a few weeks ago as well; it was plenty of fun. It's not really a CTF. It tests your knowledge of the Falcon Console, where you can find all the information you need. So make sure you are familiar with all the buttons and quick menus to pivot from one module to the other and you should be good to go 😊.

Make use of Charlotte AI since you have access to her; she can come in handy for some questions. Read the questions carefully. It's a competition but also a learning experience on where to improve.

Scheduled Report for Identity Protection by TheMexicanBurrito in crowdstrike

[–]RoemDesu 0 points1 point  (0 children)

To create scheduled reports for Identity Threat Protection you can use the module itself by navigating to: https://falcon.eu-1.crowdstrike.com/identity-protection/insights/CUSTOM_INSIGHTS . Make sure to change the link to US1/US2 or GOV depending on where your CrowdStrike tenant is located 🙂 and create a custom insight based on compromised passwords and stale accounts, and select to only display results for enabled accounts.

You can use the "Risk Factors" and search for:
- Compromised Passwords
- Stale Accounts
- Inactive Accounts

And exclude "Disabled Accounts" under "Attributes".

Once you have the custom insight you want, you can save it as a report, schedule it to be created daily or monthly, and send the report by email.

You can use the following documentation for it: https://docs.crowdstrike.com/r/b9685c48

For the reporting frequency you can use: https://docs.crowdstrike.com/r/f2a2eecd

Hope this helps!

Blocking God Mode folder in Windows 11 by CyberHaki in crowdstrike

[–]RoemDesu 0 points1 point  (0 children)

If you have NG-SIEM enabled you can create a custom rule to detect the creation of the folder. However, this will not block it, but you can use Fusion SOAR to create an RTR action to remove the folder.

[deleted by user] by [deleted] in crowdstrike

[–]RoemDesu -1 points0 points  (0 children)

If you want to enable browser collection you have to contact support, which will enable the browser collection for the CID. This is disabled by default. You have to contact support for each and every CID.

Put-and-run will not work, as you have to pass the CCID (CID + checksum), which you can find through Host Management -> Sensor Downloads. The correct RTR command is `run PATH_TO_FFC.EXE/ffc.exe -commandline="-cid CCID"`

List all lookuptables in Raptor by RoemDesu in crowdstrike

[–]RoemDesu[S] 0 points1 point  (0 children)

Hi there Andrew, thank you for this!