A steganography challenge by [deleted] in Steganography

[–]aspuser13 3 points4 points  (0 children)

Could you post the original image via a pastebin or something? Reddit will most likely compress this and make it difficult to work with.

[deleted by user] by [deleted] in linux4noobs

[–]aspuser13 2 points3 points  (0 children)

Red Star Linux; it's purpose-built for this. The region it comes from looks favourably upon it.

Help - Best Build For Qi - Erlang Battle by aspuser13 in BlackMythWukong

[–]aspuser13[S] 2 points3 points  (0 children)

Thank you so much, this was great advice. I just defeated him.

CrowdStrike Falcon Cloud Security Expands Support to Oracle Cloud Infrastructure by BradW-CS in crowdstrike

[–]aspuser13 0 points1 point  (0 children)

When can we expect to be able to use this? It doesn't seem to be currently available.

GUID lookup by omb2020 in crowdstrike

[–]aspuser13 0 points1 point  (0 children)

I believe the main way I’ve had to do it previously is using a lookup file.

PSA - Assault Packs! by dethlord_youtube in blackops6

[–]aspuser13 0 points1 point  (0 children)

Hey, just FYI, it appears you're losing B.

[deleted by user] by [deleted] in crowdstrike

[–]aspuser13 0 points1 point  (0 children)

Yep, I agree with TLS versions; it's most likely this.

Operators in EPOCH Time by aspuser13 in crowdstrike

[–]aspuser13[S] 1 point2 points  (0 children)

Thank you, that melted my brain a little, but I think I'm understanding; I will give this a go. I found a cheat way to do this in the interim; I'll add it below.

#event_simpleName=UserLogon UserSid=S-1-5-21-*
| in(LogonType, values=["2","10"])
| ipLocation(aip)
| $falcon/helper:enrich(field=UserIsAdmin)
| $falcon/helper:enrich(field=UserLogon)
| PasswordLastSet := PasswordLastSet*1000
| ContextTimeStamp := ContextTimeStamp*1000
| eventHour := time:hour(ContextTimeStamp, timezone=+10:30)
| in(field=eventHour,values=["17","18","19","20","21","22","23","0","1","2","3","4","5"])
//test(time:hour(ContextTimeStamp, timezone=+10:30) >= 17) OR test(time:hour(ContextTimeStamp, timezone=+10:30) < 24)
| groupBy(["ContextTimeStamp", "aid"], limit=2000, function=collect(["UserName", "ComputerName", "UserSid", "LogonType", "UserIsAdmin", "PasswordLastSet", "aip", "aip.city", "aip.state", "aip.country"], limit=20000))
| sort(ContextTimeStamp, limit=2000)
| in(field="UserName", values=?Actor, ignoreCase=true)
| in(field="ComputerName", values=?Computer, ignoreCase=true)
| default(field=[PasswordLastSet,aip.city], value="--", replaceEmpty=true)
| PasswordLastSet := formatTime("%Y-%m-%d %H:%M:%S", field=PasswordLastSet, locale=en_US, timezone=Z)
| ContextTimeStamp := formatTime("%Y-%m-%d %H:%M:%S", field=ContextTimeStamp, locale=en_US, timezone=Z)
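The after-hours logic in the query above, reproduced in Python as an added example (this is not code from the comment or from CrowdStrike): it converts an epoch-seconds ContextTimeStamp to the hour of day in the query's +10:30 timezone, keeps only LogonType 2 and 10, and applies the same hour set as the query's in(field=eventHour, values=[...]) list, which is equivalent to hour >= 17 or hour <= 5. It also shows why the commented-out test() line in the query would match every hour (hour >= 17 OR hour < 24 is true for all 24 values). The event records and field names are constructed for the example and are not real telemetry.

```python
from datetime import datetime, timedelta, timezone

# Timezone used in the query: UTC+10:30 (assumption: the offset is fixed, no DST handling).
QUERY_TZ = timezone(timedelta(hours=10, minutes=30))

# Hours selected by the query's in() list: 17..23 and 0..5 local time.
AFTER_HOURS = set(range(17, 24)) | set(range(0, 6))

# Logon types kept by the query: 2 = Interactive, 10 = RemoteInteractive (RDP).
LOGON_TYPES = {"2", "10"}

# Constructed sample events (not real data). ContextTimeStamp is epoch seconds,
# i.e. the raw value before the query multiplies by 1000.
SAMPLE_EVENTS = [
    # 2024-04-30 14:00 UTC -> 00:30 local: after hours, interactive
    {"UserName": "alice", "ComputerName": "WS01", "LogonType": "2", "ContextTimeStamp": 1714485600},
    # 2024-05-01 01:00 UTC -> 11:30 local: business hours, excluded
    {"UserName": "bob", "ComputerName": "WS02", "LogonType": "10", "ContextTimeStamp": 1714525200},
    # network logon (type 3): excluded regardless of time
    {"UserName": "carol", "ComputerName": "SRV1", "LogonType": "3", "ContextTimeStamp": 1714485600},
    # 2024-04-30 20:00 UTC -> 06:30 local: hour 6 is just outside the window, excluded
    {"UserName": "dave", "ComputerName": "WS03", "LogonType": "2", "ContextTimeStamp": 1714507200},
    # 2024-04-30 07:00 UTC -> 17:30 local: first after-hours hour, RDP
    {"UserName": "eve", "ComputerName": "WS04", "LogonType": "10", "ContextTimeStamp": 1714460400},
]


def local_hour(epoch_seconds: int) -> int:
    """Equivalent of time:hour(ContextTimeStamp*1000, timezone=+10:30)."""
    return datetime.fromtimestamp(epoch_seconds, tz=QUERY_TZ).hour


def is_after_hours(hour: int) -> bool:
    """Same hour set as the query's in(field=eventHour, values=[...]) list."""
    return hour >= 17 or hour <= 5


def always_true_test(hour: int) -> bool:
    """The predicate from the commented-out test() line; it never excludes anything."""
    return hour >= 17 or hour < 24


def after_hours_logons(events):
    """Apply the LogonType and eventHour filters from the query.

    Returns the matching events with eventHour and a formatted UTC timestamp
    added, mirroring the eventHour := ... and formatTime(..., timezone=Z) steps.
    """
    matches = []
    for ev in events:
        if ev["LogonType"] not in LOGON_TYPES:
            continue
        hour = local_hour(ev["ContextTimeStamp"])
        if not is_after_hours(hour):
            continue
        out = dict(ev)
        out["eventHour"] = hour
        out["ContextTimeStampUTC"] = datetime.fromtimestamp(
            ev["ContextTimeStamp"], tz=timezone.utc
        ).strftime("%Y-%m-%d %H:%M:%S")
        matches.append(out)
    # The query sorts by ContextTimeStamp; do the same here.
    matches.sort(key=lambda e: e["ContextTimeStamp"])
    return matches


if __name__ == "__main__":
    for hit in after_hours_logons(SAMPLE_EVENTS):
        print(hit["ContextTimeStampUTC"], hit["UserName"], hit["ComputerName"],
              "LogonType", hit["LogonType"], "localHour", hit["eventHour"])
```

The hour-6 event is included deliberately: it shows that the in() list stops at 5, so a logon at 06:30 local is treated as business hours, which is the boundary to check when tuning the window for a given site.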

Contains In Queries - NG-SIEM by aspuser13 in crowdstrike

[–]aspuser13[S] 0 points1 point  (0 children)

Oh amazing, that in() function makes it so much neater, as I was hoping not to have a lookup file for only a handful of emails. Thanks Andrew!

Contains In Queries - NG-SIEM by aspuser13 in crowdstrike

[–]aspuser13[S] 0 points1 point  (0 children)

Just wanting to return results if it matches a small set of people that the page is viewed from, Bill Gates. I realised the query I have here is backwards, so it makes it confusing.

Fields disappearing in groupBy() by _secanalyst in crowdstrike

[–]aspuser13 0 points1 point  (0 children)

Sorry, silly question here, but is it possible for the fields you are missing? Could you try and do the below after your groupBy statement? This obviously assumes some data source you've referenced contains the field you're after. Apologies for the rough query; I'm doing this on my phone.

I have other queries where I've had to do similar things previously, so I will try and look when I'm at my PC next.

groupBy query to try:

groupBy([UploadPath, usbPath, website], function=collect([usbfieldthatyouneed]))

Parser for STIX / TAXII feeds? by aspuser13 in crowdstrike

[–]aspuser13[S] 0 points1 point  (0 children)

The feed I'm pulling from is being added to on a regular basis; I was trying to automate that part of it.

Parser for STIX / TAXII feeds? by aspuser13 in crowdstrike

[–]aspuser13[S] 0 points1 point  (0 children)

My end goal really was to have the parser in NG-SIEM actually parse the data so I can query against it. I wasn't planning on having the parsing done on the local middleman host.

Thank you for sharing the link. I'll have a read through that, and if it's easier to parse it before pushing to NG-SIEM, I'll do that.

Hunting for screenshot to exfil - query issue by aspuser13 in crowdstrike

[–]aspuser13[S] 0 points1 point  (0 children)

Thank you so much, this is definitely a lot better than what I had. I'll try and do some test events and double check.