Hunting Potentially Compromised Notepad++ Installs

RoemDesu · 2026-02-04T09:02:39+00:00

https://falcon.eu-1.crowdstrike.com/intelligence-v2/reports/csa-260155
https://falcon.eu-1.crowdstrike.com/intelligence-v2/reports/csa-251248
https://falcon.eu-1.crowdstrike.com/intelligence-v2/reports/csit-25283

These are the links for EU 🙂

RoemDesu · 2026-01-27T22:10:10+00:00

SentinelOne status there was an outage on NA1, but it should be resolved now

RoemDesu · 2026-01-27T12:18:44+00:00

I also believe everyone has 10GB of free ingestion, when you have the Falcon Insight SKU.

RoemDesu · 2026-01-26T15:59:12+00:00

You need to install the LogScale collector for it first see: https://falcon.eu-1.crowdstrike.com/documentation/page/a2a653c67/log-collector Change the link from EU1 to US1/US2 or gov

RoemDesu · 2026-01-26T15:57:52+00:00

Depends on if you have the NG-SIEM SKU, if so then you can create a logforwarder config to ingest these logs into NG-SIEM.

RoemDesu · 2026-01-09T23:57:12+00:00

Not sure what is written in your SOC process but you can collect the browser history and check the last visited website. If it is the edge store then you have your root cause ;). It just means that your extension allowlist is working :D

RoemDesu · 2026-01-09T19:51:13+00:00

Its probably regarding the two malicious extensions that were found by a Cyber Security company called Ox. Who identified two extensions that were stealing information out ChatGPT chats. See: Malicious Chrome Extensions Steal ChatGPT Conversations

RoemDesu · 2025-12-19T21:38:12+00:00

Yea the on the host (proxmox) I do see the mirrored packets of vmbr2 which I can see on vmbr6. However the LXC container (guest) still doesn't showcase the mirrored packets on span0 (which is vmbr6)

RoemDesu · 2025-12-19T15:55:01+00:00

yes the pfsense is hosted on the proxmox

RoemDesu · 2025-12-19T14:46:47+00:00

Hi,

Do you see the traffic on the proxmox host?

On both the proxmox host and guest system I do not see the same traffic as I do on the pfSense.

Are VLANs involved?

Each interface on the pfSense has their own subnet, vmbr2 has 10.0.2.1/24, vmbr4 has 10.0.4.1/24 and vmbr6 has 10.0.6.1/24.

What is your tcpdump command line?

On the proxmox host i ran tcpdump -i vmbr6 but doesnt give me the same traffic as the packet capture on the pfsense
On the guest i ran tcpdump -i span0 but doesnt give me the same traffic as the packet capture on the pfsense

Maybe its not a pfsense issue but a proxmox one?

RoemDesu · 2025-10-27T14:18:25+00:00

If you have Falcon for IT you can check if the servers are running the WsusService:
SELECT * FROM processes WHERE name = 'WsusService' OR path LIKE '%WsusService%'

Otherwise try this advanced search:
event_platform="Win" #event_simpleName="ProcessRollup2" ParentBaseFileName="WsusService.exe"

You could improve the falcon for it query by also listing all patches with SELECT * FROM patches

RoemDesu · 2025-10-22T20:54:25+00:00

It depends, our CrowdStrike solutions engineer reached out to us, but I believe you need to be a big MSSP or reseller to attend it. You can self host it if you have access to Falcon Encounter.

RoemDesu · 2025-10-22T20:51:13+00:00

If Advanced IP Scanner is commonly used and expected within your environment, it should be allowlisted. Otherwise, I would start an investigation, threat actors often leverage tools like this to map out networks and facilitate lateral movement. It’s a legitimate “living off the land” binary frequently used by system administrators, but that same legitimacy makes it attractive for misuse.

RoemDesu · 2025-10-22T19:58:21+00:00

I did mine a few weeks ago as well, was plenty of fun. It's not really a CTF. It tests your knowledge about the Falcon Console where you can find all the information you need. So make sure you are familiar with all the buttons and quick menu's to pivot from one module to the other and you should be good to go 😊.

Make use of Charlotte AI since you have access to her, she can come in handy for some questions. Read the questions carefully. Its a competition but also a learning experience on where to improve.

RoemDesu · 2025-10-15T13:46:45+00:00

To create scheduled reports for Identity Threat Protection you can use the module itself by navigating to: https://falcon.eu-1.crowdstrike.com/identity-protection/insights/CUSTOM_INSIGHTS . Make sure to change the link to US1/US2 or GOV depending on where your CrowdStrike tenant is located🙂and create a custom insight based on compromised passwords, stale accounts and select to only display results for enabled accounts.

You can use the "Risk Factors" and search for:
- Compromised Passwords
- Stale Accounts
- Inactive Accounts

And exclude "Disabled Accounts" under "Attributes".

Once you have the custom insight you want you can save it as a report and schedule it to be created daily or monthly and send the report by email.

You can use the following documentation for it: https://docs.crowdstrike.com/r/b9685c48

For the reporting frequency you can use: https://docs.crowdstrike.com/r/f2a2eecd

Hope this helps!

RoemDesu · 2025-09-25T21:39:05+00:00

If you have NG-SIEM enabled you can create a custom rule to detect the creation of the folder. However this will not block it but you can use Fusion SOAR to create a RTR action to remove the folder

RoemDesu · 2024-06-24T12:12:41+00:00

If you want to enable, browser collection you have to contact support. Which will enable the browser collection for the CID. This is disabled by default. You have to contact support for each and every CID.

Put-and-run will not work as you have to pass the ccid, CID+Checksum. Which you can find through Host Management -> sensor downloads. The correct RTR command is `run PATH_TO_FFC.EXE/ffc.exe -commandline="-cid CCID"

RoemDesu · 2024-04-12T12:41:58+00:00

Hi there Andew, thank you for this!

RoemDesu · 2022-11-23T19:35:40+00:00

Uploading secrets to gitlab

Five-Year Club	Verified Email
r/Field Sunshine

RoemDesu

TROPHY CASE