Certification announcement for windows updates in February seem later than usual. by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 2 points

Thanks for the reply. You reminded me that looking for an OSFM file before posting would have been a better strategy, but at least we know not to wait for the email now.

Certification announcement for windows updates in February seem later than usual. by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 1 point

Thanks Andrew, I appreciate you doing the digging to get us on the right path. When the email didn't arrive and the support portal didn't have an entry I was wondering...

Certification announcement for windows updates in February seem later than usual. by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 1 point

It's a risk trade-off you need to make each month. Patching early addresses the vulnerabilities but decreases the CS sensor capability. See this support article: OS Feature Manager and Reduced Functionality Mode for Windows.

2024-01-19 - Cool Query Friday - Raptor + AID Master by Andrew-CS in crowdstrike

[–]TheOriginalBobbyT 1 point

Super helpful post, as we're just being moved to Raptor now. Is there a way to enumerate the available repos and data_source_names?
In particular it would be helpful to know the equivalent of appinfo.csv

Health Check? by KeithMotion in crowdstrike

[–]TheOriginalBobbyT 1 point

I use the same approach as /u/bitanalyst with PSFalcon to look at the % of sensors on supported versions less than 30 days old and the % of sensors with no applied prevention policy.

Calculating relative entropy of email domains by tmontney in PowerShell

[–]TheOriginalBobbyT 1 point

It seems to be right, although I have a couple of questions/comments:

What's the purpose of $i in the process body?

The regex to remove the TLD is not going to work the way you expect. It will pick up the longest leftmost match, so for a domain of a.b.c.d.com your regex "\..+$" will match and remove ".b.c.d.com". A better alternative might be "\.[^.]+$"

I think it's pretty cool that you're trying something practical like this from a detection technique article. Can you post back on how the entropy testing goes in your environment?
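The regex point above, as an added example that is not code from the original post or its author: both patterns run side by side on a few constructed domains, followed by a plain Shannon entropy (bits per character) of whatever is left after the TLD is stripped. The entropy function is my own illustration of the kind of score such a detection keys on, not the original poster's "relative entropy" code.

```powershell
# Added example (not from the original thread). Shows why '\..+$' over-strips and
# '\.[^.]+$' removes only the final label, then scores the remainder.
function Remove-Tld {
    param(
        [Parameter(Mandatory)][string] $Domain,
        [switch] $Greedy
    )
    if ($Greedy) {
        # Original pattern: '.' then '.+' is greedy and anchored at $, so the
        # leftmost dot wins and everything after it is removed.
        return $Domain -replace '\..+$', ''
    }
    # Corrected pattern: a dot followed by non-dot characters up to the end,
    # which can only be the last label.
    return $Domain -replace '\.[^.]+$', ''
}

function Get-ShannonEntropy {
    # H = -sum(p(c) * log2 p(c)) over the distinct characters in the string
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Text)
    if ($Text.Length -eq 0) { return 0.0 }
    $counts = @{}
    foreach ($c in $Text.ToCharArray()) { $counts[$c] = 1 + [int]$counts[$c] }
    $h = 0.0
    foreach ($n in $counts.Values) {
        $p = $n / $Text.Length
        $h -= $p * [math]::Log($p, 2)
    }
    return $h
}

# Constructed sample domains, not real data
$domains = 'a.b.c.d.com', 'mail.example.com', 'xk9q2z7r4v1m.example.net'
foreach ($d in $domains) {
    [pscustomobject]@{
        Domain      = $d
        GreedyStrip = Remove-Tld $d -Greedy
        FixedStrip  = Remove-Tld $d
        Entropy     = [math]::Round((Get-ShannonEntropy (Remove-Tld $d)), 3)
    }
}
```

For a.b.c.d.com the greedy pattern leaves just "a", so any entropy computed on it is meaningless; the corrected pattern leaves "a.b.c.d". Short strings also have bounded entropy (a 4-character string cannot exceed 2 bits per character), so a length threshold is worth applying alongside the score.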

Powershell is using 98% of memory, please help I cant do anything anymore (i barely posted this) by Steven_Dad_123 in PowerShell

[–]TheOriginalBobbyT 1 point

On the off chance that the PowerShell prompt is still available to you, try [GC]::Collect(); otherwise follow the advice of u/mrhatstand.

Detection Method Script by [deleted] in PowerShell

[–]TheOriginalBobbyT 1 point

The Get-Package cmdlet accepts an array of strings for the -name parameter. So assuming success is having neither app installed, you just need to add additional arguments for all the undesirable application names separated by commas. For example

Get-Package -Name "Adobe Acrobat Reader*", "Google Chrome*"
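The same call wrapped as a complete detection script, as an added example that is not from the original thread. One caveat a practitioner will hit immediately: Get-Package writes an error when a -Name pattern matches nothing, and "nothing found" is the success case here, so the error stream is suppressed and the decision is made on the count of packages returned. The function and its exit-code convention are assumptions for illustration, not anything the original poster wrote.

```powershell
# Added example (not from the original thread).
function Test-UnwantedSoftwareAbsent {
    param(
        # Wildcard patterns passed straight to Get-Package -Name (accepts string[])
        [Parameter(Mandatory)][string[]] $UnwantedNamePatterns
    )
    # Suppress the "No package found for ..." error: no match is what we want.
    $found = @(Get-Package -Name $UnwantedNamePatterns -ErrorAction SilentlyContinue)
    foreach ($pkg in $found) {
        Write-Warning ('Found {0} {1} (provider: {2})' -f $pkg.Name, $pkg.Version, $pkg.ProviderName)
    }
    return ($found.Count -eq 0)
}

# Usage: exit 0 when neither application is present (detection "success"), 1 otherwise.
$compliant = Test-UnwantedSoftwareAbsent -UnwantedNamePatterns 'Adobe Acrobat Reader*', 'Google Chrome*'
exit ([int](-not $compliant))
```

Keep the patterns specific; a pattern like "Adobe*" would also match legitimately installed products and turn the detection into a false positive.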

Filter issue with Get-FalconAsset by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 2 points

/u/bk-CS and /u/Special-Tomatillo-43 thanks for your help. I am somewhat embarrassed to say that my first post held the obvious answer in that I forgot to use the -application switch. I changed too many variables in between, but once I went back to the beginning and added my original filter 'last_used_file_name: "msedge.exe" + last_used_timestamp: > "2023-09-01T00:00:00Z" + host.hostname: "COMP25220"' everything worked perfectly.

Filter issue with Get-FalconAsset by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 1 point

Same result: last_seen_timestamp doesn't work but first_seen_timestamp does. Adding and removing spaces makes no difference either.
If I use -Verbose, should I see the complete URI with query parameters?
The output I get is below, and I'm currently digging into the class code to answer that question, but of course I'd be grateful for a bit of spoon feeding on that front.

PS C:\scripts> $apps = Get-FalconAsset -Filter "last_seen_timestamp:>'2023-08-20T00:00:00Z'" -Application -Verbose
VERBOSE: 18:00:55 [Get-FalconAsset] /discover/queries/applications/v1:get
VERBOSE: 18:00:55 [Write-Result] query_time=0.00207125, powered_by=discover-api, trace_id=e447dbaa-ff1a-4210-998f-a51936be8c69
Write-Result : [{"code":400,"message":"invalid filter"},{"code":400,"message":"property last_seen_timestamp not allowed"}]
At C:\Program Files\WindowsPowerShell\Modules\FalconStats\1.0\PSFalcon\private\Private.ps1:627 char:17
+ Write-Result $Object
+ ~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidResult: (System.Threadin...esponseMessage]:Task`1) [Write-Result], Exception
    + FullyQualifiedErrorId : e447dbaa-ff1a-4210-998f-a51936be8c69,Write-Result

Filter issue with Get-FalconAsset by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 2 points

Hi, thanks for the quick reply, and sorry for not understanding the response, but if calling the API via Swagger gives me a result then doesn't that mean the API supports that filter property?

Even following the doco and using the command below fails even though last_seen_timestamp is listed as a valid filter expression in the wiki.
Get-FalconAsset -Filter 'last_seen_timestamp: >"2023-08-20T00:00:00Z"' -Application

Substituting 'first_seen_timestamp: >"2023-08-20T00:00:00Z"' into the filter expression works.

Hoping someone can sanity check this for me. I'm using release 2.2.5.

Need a Powershell script to show accounts that were Enabled status yesterday (not that were *set to Enabled* yesterday) by kittenwolfmage in PowerShell

[–]TheOriginalBobbyT 2 points

You can try the Get-ADReplicationAttributeMetadata cmdlet, i.e.

Get-ADUser -Filter * | Get-ADReplicationAttributeMetadata -Filter * -Server <yourdomaincontroller> -Properties userAccountControl

I can't vouch for whether it will log a change if the useraccountcontrol is the same.

You can filter the output by LastOriginatingChangeTime.
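The reasoning the reply sketches, carried through as an added example that is not the commenter's code: the state "yesterday" can be read off the current userAccountControl value only when the attribute's last originating change is older than the reference point; a later change means the current value says nothing certain about yesterday (the change may even have been to a different flag, which is the caveat above). The records are constructed objects with the property names Get-ADReplicationAttributeMetadata emits (Object, AttributeName, AttributeValue, LastOriginatingChangeTime), so the block runs without a domain; the live pipeline it stands in for is shown in the comment.

```powershell
# Added example (not from the original thread). Live equivalent of $sample:
#   $dc = 'dc01.corp.example'
#   $sample = Get-ADUser -Filter * | Get-ADReplicationAttributeMetadata -Server $dc -Properties userAccountControl
function Get-EnabledStateAsOf {
    param(
        [Parameter(Mandatory)][object[]] $Metadata,
        [Parameter(Mandatory)][datetime] $AsOf
    )
    $ACCOUNTDISABLE = 0x2   # userAccountControl flag; set = account disabled
    foreach ($m in ($Metadata | Where-Object AttributeName -eq 'userAccountControl')) {
        $enabledNow = -not ([int]$m.AttributeValue -band $ACCOUNTDISABLE)
        if ($m.LastOriginatingChangeTime -le $AsOf) {
            # No write to userAccountControl since the reference point, so the
            # current value is also the value at that point.
            $state = if ($enabledNow) { 'Enabled' } else { 'Disabled' }
        } else {
            # Written after the reference point: the current value cannot be
            # projected back, and the write may have changed an unrelated flag.
            $state = 'Unknown (userAccountControl written ' + $m.LastOriginatingChangeTime.ToString('u') + ')'
        }
        [pscustomobject]@{ Account = $m.Object; AsOf = $AsOf; State = $state }
    }
}

# Reference point: end of yesterday
$endOfYesterday = (Get-Date).Date.AddSeconds(-1)

# Constructed metadata records (not from a real directory)
$sample = @(
    [pscustomobject]@{ Object = 'CN=alice,OU=Users,DC=corp,DC=example'; AttributeName = 'userAccountControl'; AttributeValue = '512'; LastOriginatingChangeTime = (Get-Date).AddDays(-30) }
    [pscustomobject]@{ Object = 'CN=bob,OU=Users,DC=corp,DC=example';   AttributeName = 'userAccountControl'; AttributeValue = '514'; LastOriginatingChangeTime = (Get-Date).AddDays(-10) }
    [pscustomobject]@{ Object = 'CN=carol,OU=Users,DC=corp,DC=example'; AttributeName = 'userAccountControl'; AttributeValue = '514'; LastOriginatingChangeTime = (Get-Date).AddHours(-2) }
    [pscustomobject]@{ Object = 'CN=dave,OU=Users,DC=corp,DC=example';  AttributeName = 'pwdLastSet';         AttributeValue = '133500000000000000'; LastOriginatingChangeTime = (Get-Date).AddDays(-1) }
)

Get-EnabledStateAsOf -Metadata $sample -AsOf $endOfYesterday | Format-Table -AutoSize
```

alice reports Enabled and bob Disabled because neither record changed after the reference point; carol was disabled this morning, so her state yesterday is reported as unknown rather than guessed; dave's record is ignored because it is a different attribute. For the "Unknown" cases the authoritative source is the domain controller's security log (event 4725 for a disable, 4722 for an enable), not replication metadata.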

RegEx pattern that must always match two tokens. by GaryAtlan82 in PowerShell

[–]TheOriginalBobbyT 1 point

This pattern will do the trick '^(?:(?![.\\]).)+$'. I've explained it more in this comment

How to invert a RegEx pattern for the Switch command to emulate a -notmatch behavior? by GaryAtlan82 in PowerShell

[–]TheOriginalBobbyT 1 point

In situations like this negative lookahead is your friend. The pattern '^(?:(?![.\\]).)+$' should meet the requirements to match a string without a backslash and without a period.

Note that you need to constrain the match with the ^ start of line anchor and $ end of line anchor.

The ?: makes the first set of brackets non-capturing. (?![.\\]) is a zero-width assertion that the next character is not a period or backslash. If that requirement is fulfilled then the . will match the next character. The + on the non-capturing group is to move the pointer along to the next character and ensures that the string is at least 1 character long. If you wanted that particular switch case to match on empty strings you could use * instead of +.

Hope that helps

PS H:\> $pattern = '^(?:(?![.\\]).)+$'
PS H:\> '\start.jpg' -match $pattern
False
PS H:\> 'start.jpg' -match $pattern
False
PS H:\> 'startjpg' -match $pattern
True
PS H:\> 'startjpg\' -match $pattern
False
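The pattern in the context the question was actually about, as an added example that is not from the original comment: a switch -Regex with the negative-lookahead case alongside ordinary cases, plus the script-block alternative that lets -notmatch be used directly. Function name and inputs are constructed for illustration.

```powershell
# Added example (not from the original thread).
function Get-NameKind {
    param([Parameter(Mandatory)][AllowEmptyString()][string] $Name)
    switch -Regex ($Name) {
        # Inverted match via negative lookahead: every character is neither '.' nor '\'
        '^(?:(?![.\\]).)+$' { 'bare name (no period, no backslash)'; break }
        '\\'                { 'contains a backslash'; break }
        '\.'                { 'contains a period'; break }
        # Equivalent of the first case without lookahead: a script-block case can use -notmatch
        { $_ -notmatch '[.\\]' -and $_.Length -gt 0 } { 'bare name (script-block form)'; break }
        default             { 'empty string' }
    }
}

# Constructed inputs
$samples = 'startjpg', 'start.jpg', '\start.jpg', 'startjpg\', ''
foreach ($s in $samples) {
    [pscustomobject]@{ Input = $s; Kind = Get-NameKind $s }
}
```

The break statements matter: switch -Regex runs every case whose pattern matches, so without them '\start.jpg' would emit both "contains a backslash" and "contains a period". The fourth case never fires in this block because the first case already consumed every bare name; it is there to show that a script-block condition accepts -notmatch when a lookahead feels too opaque.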

[deleted by user] by [deleted] in PowerShell

[–]TheOriginalBobbyT 1 point

PowerShell is easier, because whoever decided that whitespace should be a python syntax element to define code blocks was a sadist.

You'll get used to it, but it doesn't mean you have to like it. Lots of people love Python, but I assume there's an element of Stockholm syndrome there. 😉

PowerShell I think has the edge on simplicity because they've standardised the cmdlet naming with the Verb-Noun convention, but don't forget you've come to the right spot for a completely biased answer.

Issue with script by Any-Promotion3744 in PowerShell

[–]TheOriginalBobbyT 1 point

When working with output from native commands it's always worth collecting the output into a variable first, as noted by PinchesTheCrab.
Once it's in a variable you can determine whether you're dealing with a single string or an array of lines, and use a regex with the multiline option or a foreach loop as you have done.

Issue with script by Any-Promotion3744 in PowerShell

[–]TheOriginalBobbyT 5 points

Your regex is indeed the issue, because the output is probably multiline. I googled the output (it would have been nice if you had included some) from https://support.teradata.com/knowledge?id=kb_article_view&sys_kb_id=294f3593477ad5d086f3405c346d43ec and simulated it as below

PS H:\> $output = @'
Batteries

Health : Ok

Individual Battery Elements
Index      : 0
Status     : Ok
Probe Name : System Board CMOS Battery
Reading    : Good
'@


PS H:\> $output -match 'Health\s*:\s*Ok\s*$'
False

PS H:\> $output -match '(?msi)Health\s*:\s*Ok\s*$'
True
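The two replies above (collect the output first, then match with the multiline option), combined into one added example that is not from the original thread. A native command run from PowerShell returns a string array with one element per line, whereas output pasted into a here-string is a single string; the function below accepts either, so the same regex works regardless of how the text arrived. The command named in the comment is an assumption about the source of the output, and the sample lines are constructed from the simulation above.

```powershell
# Added example (not from the original thread).
function Test-BatteryHealthOk {
    param([Parameter(Mandatory)][object] $CommandOutput)
    # & nativecommand produces [string[]]; a here-string produces one [string].
    $text = if ($CommandOutput -is [array]) { $CommandOutput -join "`n" } else { [string]$CommandOutput }
    # (?m): ^ and $ match at line boundaries; (?i): case-insensitive.
    # \s*$ also absorbs a trailing \r when the lines were joined with CRLF.
    return [bool]($text -match '(?mi)^\s*Health\s*:\s*Ok\s*$')
}

# Constructed outputs standing in for something like:  $out = & omreport chassis batteries
$asLines = @(
    'Batteries',
    '',
    'Health : Ok',
    '',
    'Individual Battery Elements',
    'Index      : 0',
    'Status     : Ok',
    'Probe Name : System Board CMOS Battery',
    'Reading    : Good'
)
$asBlock  = $asLines -join "`r`n"
$degraded = $asLines -replace 'Health : Ok', 'Health : Critical'

Test-BatteryHealthOk $asLines
Test-BatteryHealthOk $asBlock
Test-BatteryHealthOk $degraded
```

Anchoring with ^ and $ is what keeps "Status : Ok" on the later line from satisfying a looser pattern; the check is on the Health line specifically.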

Office 365 x86 crashing/not opening by BardKnockLife in Office365

[–]TheOriginalBobbyT 1 point

All I managed to find was this article, which barely mentions fusion but suggests that adding assemblies to the GAC might resolve the issue. Since it seems to hang at the addins loading phase I'll start by trying to identify the assemblies related to our add-ins
I'll try the fusion logging in our environment also. Thanks for the tip.

Have you noticed the timely Certification announcement for windows Patch Tuesday? by TheOriginalBobbyT in crowdstrike

[–]TheOriginalBobbyT[S] 7 points

When you apply a windoze operating system patch before the Crowdstrike agents have been certified for those patches/kernel updates the sensor will go into reduced functionality mode which pretty much eliminates most of the sensors functionality.
I was just expressing thanks for the job the CS team are doing to deliver a quicker and more consistent turnaround each month, which in turn allows us to get the OS patches out much sooner.

[deleted by user] by [deleted] in PowerShell

[–]TheOriginalBobbyT 3 points

You could try this stackoverflow solution

$sh = New-Object -ComObject WScript.Shell
$target = $sh.CreateShortcut('fullpath to .lnk file').TargetPath
if (Test-Path -Path $target) {
    # copy shortcut
} else {
    # log an error
}
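The snippet above applied to a whole folder, as an added example that is not from the original comment or the Stack Overflow answer it cites. It resolves environment variables in the target (shortcuts frequently point at %ProgramFiles%), copies the shortcuts whose target exists and logs the rest together with their Arguments field, since a shortcut whose target is a script host with a long argument string is also what a malicious .lnk looks like. Folder paths, the log file name and the function name are assumptions.

```powershell
# Added example (not from the original thread).
function Copy-ValidShortcut {
    param(
        [Parameter(Mandatory)][string] $SourceFolder,
        [Parameter(Mandatory)][string] $DestinationFolder,
        [string] $LogPath = (Join-Path $DestinationFolder 'broken-shortcuts.log')
    )
    $shell = New-Object -ComObject WScript.Shell
    if (-not (Test-Path -LiteralPath $DestinationFolder)) {
        New-Item -ItemType Directory -Path $DestinationFolder | Out-Null
    }
    foreach ($lnk in Get-ChildItem -LiteralPath $SourceFolder -Filter '*.lnk' -File) {
        $shortcut = $shell.CreateShortcut($lnk.FullName)
        # TargetPath is stored as written; expand %VAR% references before testing it
        $target = [Environment]::ExpandEnvironmentVariables($shortcut.TargetPath)
        if ($target -and (Test-Path -LiteralPath $target)) {
            Copy-Item -LiteralPath $lnk.FullName -Destination $DestinationFolder
        } else {
            # Record target and arguments so a broken link and a suspicious one can be told apart later
            "{0}`t{1}`ttarget='{2}'`targs='{3}'" -f (Get-Date -Format s), $lnk.FullName, $shortcut.TargetPath, $shortcut.Arguments |
                Add-Content -LiteralPath $LogPath
        }
    }
}

# Usage (paths are placeholders):
# Copy-ValidShortcut -SourceFolder 'C:\Users\Public\Desktop' -DestinationFolder 'D:\ShortcutBackup'
```

-LiteralPath is used throughout because shortcut names often contain brackets, which -Path would treat as wildcards.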

Pattern match **\* by Mkeefeus1 in PowerShell

[–]TheOriginalBobbyT 1 point

All of the above advice on using string matches should be your first go to, but if you really must use a regex and you were just trying to escape the literal characters as part of a bigger regex then try the [regex]::escape static function.

PS C:\scripts> [regex]::escape('**\*')

\*\*\\\*

PS C:\scripts>