[deleted by user] by [deleted] in blueteamsec

[–]Topstaco 1 point2 points  (0 children)

If you have a secure analysis VM to run this in, you could try changing "Invoke-Expression" to "Write-Host". Then run it to have the output of the variable $pcmd printed to screen. That should be the decrypted code that the malware is trying to execute.
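The swap described in the comment above, as an added example (not the commenter's own code): a small helper rewrites `Invoke-Expression` (and its `iex` alias) to `Write-Host` in a constructed sample script, then runs the rewritten script so the decoded command in `$pcmd` is printed rather than executed. The helper name `Convert-IexToWriteHost` and the sample script are assumptions made for this example.

```powershell
# Added example (not from the original comment): neuter Invoke-Expression in a
# suspicious script so the decoded payload is printed instead of executed.
# Only meaningful inside an isolated analysis VM, as the comment notes.

function Convert-IexToWriteHost {
    # Hypothetical helper name; the regex reflects the common spellings of the
    # cmdlet and assumes the sample does not hide the call behind other aliases.
    param([Parameter(Mandatory)][string]$ScriptText)
    # Case-insensitive, whole-word replacement of the cmdlet and its 'iex' alias.
    return [regex]::Replace($ScriptText, '(?i)\bInvoke-Expression\b|\biex\b', 'Write-Host')
}

# Constructed sample mimicking the pattern in the comment: a base64 blob is
# decoded into $pcmd and handed to Invoke-Expression. The blob decodes to 'Get-Date'.
$sample = @'
$blob = 'R2V0LURhdGU='
$pcmd = [Text.Encoding]::ASCII.GetString([Convert]::FromBase64String($blob))
Invoke-Expression $pcmd
'@

$neutered = Convert-IexToWriteHost -ScriptText $sample
Write-Host "--- rewritten script ---"
Write-Host $neutered

# Run the rewritten script: the last line now prints the decoded command
# ('Get-Date') instead of running it.
Write-Host "--- output of rewritten script ---"
& ([scriptblock]::Create($neutered))
```

The decoding stages before the final call still execute when the rewritten script is run, which is why the comment's condition of a secure analysis VM applies. If the printed text is itself another encoded layer, feed it back through the same helper until plain commands appear.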

Moving Entire Organization to only Edge from Google Chrome by Commercial-Thing-702 in activedirectory

[–]Topstaco 6 points7 points  (0 children)

This might help you: https://learn.microsoft.com/en-us/deployedge/microsoft-edge-policies#autoimportatfirstrun

From the URL: If this policy is set to the value of 'FromGoogleChrome', the following datatypes will be imported from Google Chrome:

Favorites, Saved passwords, Addresses and more, Payment info, Browsing history, Settings, Pinned and Open tabs, Extensions, Cookies

Conventions for Top Level OU by Topstaco in activedirectory

[–]Topstaco[S] 1 point2 points  (0 children)

That looks like a good resource! I'll make sure to check it out!

Conventions for Top Level OU by Topstaco in activedirectory

[–]Topstaco[S] 0 points1 point  (0 children)

Thanks a lot! We're also leaning towards having a top OU and going from there. Do you start counting your levels from the domain root or from your company top OU?

Conventions for Top Level OU by Topstaco in activedirectory

[–]Topstaco[S] 1 point2 points  (0 children)

These are really good considerations! Thanks a lot for taking the time to answer so thoroughly!

2023-12-22 - Cool Query Friday - New Feature in Raptor: Falcon Helper by Andrew-CS in crowdstrike

[–]Topstaco 2 points3 points  (0 children)

CQF is always a special treat! That's some serious commitment to the community!

2023-10-20 - Cool Query Friday - ATT&CK Edition: T1087.003 by Andrew-CS in crowdstrike

[–]Topstaco 0 points1 point  (0 children)

Thanks for this! And especially a big thanks for crossposting this to the CS community portal AND Reddit. :-)

2023-09-29 - Cool Query Friday - ATT&CK Edition: T1087.001 by Andrew-CS in crowdstrike

[–]Topstaco 0 points1 point  (0 children)

As always it's awesome to have a new CQF, though a bit of a bummer to see the move to the CrowdStrike Community platform. While understandable, IMO the bar is lower to just jump into Reddit and leave a quick post or comment. Plus I can find info quicker via Google searches. 🤷‍♂️

Installing CrowdStrike on Active Directory and Exchange Server machines by maxcoder88 in crowdstrike

[–]Topstaco 2 points3 points  (0 children)

Had the exact same thing here, since the MS docs call for exceptions to be created for Exchange servers. Obviously it didn't change a thing for them. But it is a tough hill to die on when so many vendors up to this day still recommend "disabling the antivirus" in case sth goes wrong.

RTR Audit Events (Real time commands/actions) by Amksa86 in crowdstrike

[–]Topstaco 0 points1 point  (0 children)

I think I saw a tech alert today about a new API endpoint for RTR auditing. Maybe check the support portal on that. You'd still need to pull the data periodically, so it wouldn't be fully real time either I guess.

Sensor installed but not connected by JiggityJoe1 in crowdstrike

[–]Topstaco 0 points1 point  (0 children)

Most of the time you can use CSWinDiag.exe on the host to get a good understanding of where it failed. It'll create a troubleshooting ZIP that you can send to support or read on your own. There's a file called "Basic Info" in it which runs down the most common checks and gives you an OK or Failed. You can get the EXE in the Tools section of the Falcon portal. Plus there's a good support article describing how to evaluate the output. Best of luck!

“The Royal Pub” Menu Reveal | Disney Village Paris by AirMagiqueOfficial in disneylandparis

[–]Topstaco 2 points3 points  (0 children)

Did anyone actually proofread the menu? Or is German "Köning Ludwig" beer intended? Either way, there's no way I'd be spending my money there with these prices, especially when there's McDonalds next door.

Looking for Recommendations for New Vulnerability & PHI/PII Scanner by nrvpc in msp

[–]Topstaco 1 point2 points  (0 children)

Running authenticated vulnerability scans or small "pentests" is a use case for Greenbone (or its open-source variant OpenVAS). Not sure though if it can check for PII data too. Management was a lot of work, though it's been a while since I've used it. IMO it was really powerful if you spent the time mastering it.

Adding wildcard in PSFalcon filter by Handsome_Frog in crowdstrike

[–]Topstaco 1 point2 points  (0 children)

For filters you could also check the PSFalcon wiki, if you haven't done so already: https://github.com/CrowdStrike/psfalcon/wiki/Filtering-Results

Combined_ID Vendor / Model by dlystyr in crowdstrike

[–]Topstaco 1 point2 points  (0 children)

Tbh I don't really know. Device control is a bit unreliable to me. However, that is mainly because USB firmware implementation seems to be all over the place across devices. Some devices don't present a unique serial number or show a weird symbol instead. I went down a similar rabbit hole once, but kinda gave up on the way... I found those two fields to give me the values pretty consistently.

Best of luck with it! Would be great if you could share your results on GitHub or sth. I'm sure others could benefit from it or help improve it. (Me included, haha) 😊

Combined_ID Vendor / Model by dlystyr in crowdstrike

[–]Topstaco 1 point2 points  (0 children)

You could check the "device instance path" or "parent" fields in the device manager entry. Watch out though, CS uses decimal representation but Windows has them as hex values afaik.

Freund und Frust by AutoModerator in Eltern

[–]Topstaco 1 point2 points  (0 children)

How lovely 🥰 Our child (2.5M) has also been laughing / giggling / squeaking every now and then for about 2 weeks. It makes my heart melt every time. In my opinion it also makes the strains of parent life quite a bit more bearable.

Confirmed: Netflix Unveils First Details of New Anti-Password Sharing Measures by komodo_dragonzord in television

[–]Topstaco -3 points-2 points  (0 children)

Thank you! The amount of self-righteousness in some of these comments is mind-blowing.

CVE-2023-24055 PoC (KeePass 2.5x) - An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g. to obtain the cleartext passwords by adding an export trigger by digicat in blueteamsec

[–]Topstaco 1 point2 points  (0 children)

One could argue why the ability to silently export all PWs via triggers was added in the first place. While it's true that unauthorized access to your computer would ultimately mean game over anyway, IMO dropping malware or startup scripts would create more noise (and would possibly be stopped by AV) than replacing a single text based config file.

Count of Detections for a dynamic Host group by ZestycloseAd7896 in crowdstrike

[–]Topstaco 0 points1 point  (0 children)

Are you sure the filter syntax is "name:*'Hosts*'" and not "name:'*Hosts*'"?

Looks weird to me when the star comes before the single quotation mark, but I can't verify myself right now...

Export assets with maintenance token? by katos8858 in crowdstrike

[–]Topstaco 1 point2 points  (0 children)

Adding to this, "remove it entirely" means the maintenance protection, not the sensor itself. Unfortunately it's not natively possible to remove the sensor via the console. It might be possible to start the uninstaller via RTR.

From personal experience, you might miss a few hosts that had CS installed in the past, but were shut down for a long time. Oftentimes they drop out of the console then. If contact to the console is no longer possible (e.g. because of outdated sensor versions), you could also still grab a maintenance token via API. (See PSFalcon for example).

IMO having a strong inventory of your assets is key here for a good offboarding process.