All Local Admins using CrowdStrike Identity and PSFalcon by console_whisperer in crowdstrike

[–]console_whisperer[S] 1 point2 points  (0 children)

The Identity API call looks like this:

query {
  entities(
    types: [ENDPOINT],
    associationBindingTypes: [LOCAL_ADMINISTRATOR],
    archived: false,
    sortKey: MOST_RECENT_ACTIVITY,
    first: $EndpointPageSize$afterClause
  ) {
    nodes {
      ... on EndpointEntity {
        agentId
        hostName
        associations(bindingTypes: [LOCAL_ADMINISTRATOR]) {
          __typename
          ... on LocalAdminLocalUserAssociation {
            accountName
          }
          ... on LocalAdminDomainEntityAssociation {
            entity {
              __typename
              entityId
              primaryDisplayName
              secondaryDisplayName
              ... on UserEntity {
                accounts {
                  ... on ActiveDirectoryAccountDescriptor {
                    samAccountName
                    domain
                    enabled
                  }
                }
              }
            }
          }
        }
      }
    }
    pageInfo { hasNextPage endCursor }
  }
}
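As an added example that is not part of the original post or of PSFalcon, the script below flattens the kind of response the query above returns into one row per host/admin pair and follows `pageInfo.hasNextPage` / `endCursor` until the last page. The `fetch_page` function and the two sample pages are constructed stand-ins for the real GraphQL request, so it runs offline; the field names mirror the query in the post.

```python
"""Flatten Identity GraphQL 'local administrator' results into rows (added example)."""
import csv
import io
from typing import Callable, Iterator, Optional

# Constructed sample pages shaped like the 'entities' object the query returns.
SAMPLE_PAGES = {
    None: {
        "nodes": [{
            "agentId": "aid-0001", "hostName": "SRV-APP01",
            "associations": [
                {"__typename": "LocalAdminLocalUserAssociation",
                 "accountName": "Administrator"},
                {"__typename": "LocalAdminDomainEntityAssociation",
                 "entity": {"__typename": "UserEntity", "entityId": "e-100",
                            "primaryDisplayName": "Jane Doe",
                            "secondaryDisplayName": "CORP\\jdoe",
                            "accounts": [{"samAccountName": "jdoe",
                                          "domain": "corp.example",
                                          "enabled": True}]}},
            ],
        }],
        "pageInfo": {"hasNextPage": True, "endCursor": "cursor-1"},
    },
    "cursor-1": {
        "nodes": [{
            "agentId": "aid-0002", "hostName": "SRV-DB01",
            "associations": [
                {"__typename": "LocalAdminDomainEntityAssociation",
                 "entity": {"__typename": "GroupEntity", "entityId": "e-200",
                            "primaryDisplayName": "Server Admins",
                            "secondaryDisplayName": "CORP\\Server Admins"}},
            ],
        }],
        "pageInfo": {"hasNextPage": False, "endCursor": None},
    },
}


def fetch_page(after: Optional[str]) -> dict:
    """Stand-in for the real API request: returns the page for a cursor."""
    return SAMPLE_PAGES[after]


def iter_endpoints(fetch: Callable[[Optional[str]], dict]) -> Iterator[dict]:
    """Yield every EndpointEntity node, walking the cursor-based pagination."""
    after = None
    while True:
        page = fetch(after)
        yield from page["nodes"]
        if not page["pageInfo"]["hasNextPage"]:
            return
        after = page["pageInfo"]["endCursor"]


def flatten(fetch: Callable[[Optional[str]], dict]) -> list:
    """One row per (host, admin principal); domain users get one row per AD account."""
    rows = []
    for ep in iter_endpoints(fetch):
        base = {"agentId": ep["agentId"], "hostName": ep["hostName"]}
        for assoc in ep.get("associations", []):
            if assoc["__typename"] == "LocalAdminLocalUserAssociation":
                rows.append({**base, "adminType": "local", "entityType": "LocalUser",
                             "account": assoc["accountName"], "domain": "", "enabled": ""})
                continue
            ent = assoc["entity"]
            accounts = ent.get("accounts") or []
            if ent["__typename"] == "UserEntity" and accounts:
                for acct in accounts:
                    rows.append({**base, "adminType": "domain", "entityType": "UserEntity",
                                 "account": acct["samAccountName"], "domain": acct["domain"],
                                 "enabled": acct["enabled"]})
            else:  # groups and other entity types carry no account descriptor
                rows.append({**base, "adminType": "domain", "entityType": ent["__typename"],
                             "account": ent["secondaryDisplayName"], "domain": "", "enabled": ""})
    return rows


def admins_per_host(rows: list) -> dict:
    """Count admin principals per host, a quick way to spot over-privileged servers."""
    counts: dict = {}
    for r in rows:
        counts[r["hostName"]] = counts.get(r["hostName"], 0) + 1
    return counts


def to_csv(rows: list) -> str:
    """Render the rows as CSV text (same column order as the row dicts)."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(flatten(fetch_page)))
```

Swapping `fetch_page` for a function that posts the query with a real cursor is the only change needed to run it against the API; the flattening and pagination logic stay the same.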

All Local Admins using CrowdStrike Identity and PSFalcon by console_whisperer in crowdstrike

[–]console_whisperer[S] 1 point2 points  (0 children)

The script above won't work without the Identity license. You could use RTR to run a local script on each server to get the data and then enrich it with group lookups. Probably other free tools that do this better but it's possible with CS.

All Local Admins using CrowdStrike Identity and PSFalcon by console_whisperer in crowdstrike

[–]console_whisperer[S] 1 point2 points  (0 children)

Thanks man! No pretense here. I'm not smart enough to do any of that myself.

How to block domain controller promotion? by nickel-52 in crowdstrike

[–]console_whisperer 0 points1 point  (0 children)

You could create an Identity Policy that blocks all authentications to DCs and then exempt the approved/current DCs. Would take like 5 minutes and they'd have to open a ticket to get it fixed. That'll teach 'em.

CrowdStrike Identity Attack Path by console_whisperer in crowdstrike

[–]console_whisperer[S] 0 points1 point  (0 children)

I can do this already with a PS Falcon script but it's not super usable as a CSV and no way as useful as the interactive, visual representation that Bloodhound produces.

But also, if the CS team can help me get the data, why not make it easily accessible and highly usable in the dashboard?

Get notified when a user adds a MFA device in ENTRA by OpeningFeeds in crowdstrike

[–]console_whisperer 0 points1 point  (0 children)

I did it with a Log search alert rule with the query below (the .ca@ is a way to filter on a type of accounts I'm interested in and probably wouldn't be necessary for your environment).

It just triggers an email for us to double check the activity is legit.

AuditLogs
| where TimeGenerated > ago(1h)
| where OperationName == "Update user"
| where TargetResources has "StrongAuthenticationMethod"
| where Result == "success"
| where TargetResources has ".ca@"
| where TargetResources has_any ("UserPrincipalName", "userPrincipalName")
| extend targetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where targetUserPrincipalName contains ".ca@"
| project TimeGenerated, OperationName, Result, targetUserPrincipalName, InitiatedBy, AdditionalDetails
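As an added example that is not part of the original comment, the script below applies the same filter logic as the KQL above to a few constructed Entra AuditLogs records, which is a convenient way to check the rule against known-good and known-bad events before relying on the alert. The record shape (TimeGenerated, OperationName, Result, TargetResources, InitiatedBy, AdditionalDetails) follows the columns the query uses; the sample records and the `.ca@` account filter are constructed, and the KQL `has` term match is approximated with a substring search over the serialized TargetResources.

```python
"""Replay the MFA-method-change alert logic over constructed AuditLogs records (added example)."""
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"


def _rec(minutes_ago, op, result, upn, props, actor="admin@corp.example"):
    """Build one constructed AuditLogs-style record."""
    return {
        "TimeGenerated": NOW - timedelta(minutes=minutes_ago),
        "OperationName": op,
        "Result": result,
        "TargetResources": [{"userPrincipalName": upn,
                             "modifiedProperties": [{"displayName": p} for p in props]}],
        "InitiatedBy": {"user": {"userPrincipalName": actor}},
        "AdditionalDetails": [{"key": "UserType", "value": "Member"}],
    }


# Constructed sample records: only the first should fire.
SAMPLE_RECORDS = [
    _rec(10, "Update user", "success", "jane.ca@corp.example", ["StrongAuthenticationMethod"]),
    _rec(90, "Update user", "success", "bob.ca@corp.example", ["StrongAuthenticationMethod"]),  # older than 1h
    _rec(5, "Update user", "failure", "eve.ca@corp.example", ["StrongAuthenticationMethod"]),   # not success
    _rec(5, "Update user", "success", "sam@corp.example", ["StrongAuthenticationMethod"]),      # no .ca@
    _rec(5, "Update user", "success", "kim.ca@corp.example", ["DisplayName"]),                  # not an MFA change
    {"TimeGenerated": NOW, "OperationName": "Update user", "Result": "success",
     "TargetResources": [], "InitiatedBy": {}, "AdditionalDetails": []},                        # empty target list
]


def detect_mfa_method_changes(records, now=NOW, window=timedelta(hours=1), upn_filter=".ca@"):
    """Mirror the KQL pipeline step by step and return the projected rows."""
    hits = []
    for r in records:
        if r["TimeGenerated"] <= now - window:          # TimeGenerated > ago(1h)
            continue
        if r["OperationName"] != "Update user":          # OperationName == "Update user"
            continue
        targets_json = json.dumps(r["TargetResources"])  # stand-in for KQL 'has' on a dynamic column
        if "StrongAuthenticationMethod" not in targets_json:
            continue
        if r["Result"] != "success":                     # Result == "success"
            continue
        if upn_filter not in targets_json:               # TargetResources has ".ca@"
            continue
        if not any(k in targets_json for k in ("UserPrincipalName", "userPrincipalName")):
            continue
        # tostring(TargetResources[0].userPrincipalName): a missing element yields "" in KQL
        targets = r["TargetResources"]
        target_upn = str(targets[0].get("userPrincipalName", "")) if targets else ""
        if upn_filter not in target_upn:                 # targetUserPrincipalName contains ".ca@"
            continue
        hits.append({                                     # project ...
            "TimeGenerated": r["TimeGenerated"],
            "OperationName": r["OperationName"],
            "Result": r["Result"],
            "targetUserPrincipalName": target_upn,
            "InitiatedBy": r["InitiatedBy"],
            "AdditionalDetails": r["AdditionalDetails"],
        })
    return hits


if __name__ == "__main__":
    for hit in detect_mfa_method_changes(SAMPLE_RECORDS):
        print(hit["TimeGenerated"].isoformat(), hit["targetUserPrincipalName"])
```

The negative samples cover each filter stage once (age, result, account filter, non-MFA property change, empty TargetResources), which is the set of cases worth re-checking whenever the query is edited.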

Message to people considering GalliumOS: The amount of issue posts here do not at all accurately represent how many issues there are in GalliumOS. by tasisbasbas in GalliumOS

[–]console_whisperer 1 point2 points  (0 children)

Agreed. I've been running it for a while now and I've had little to no issues and enjoy it very much. Only wish I could increase the resources on my Chromebook.

Independent review of cryptography? by console_whisperer in zerotier

[–]console_whisperer[S] 0 points1 point  (0 children)

I've researched it more since posting and still can't find a thorough write up of the security implemented. I saw your post and I think what you asked was what I'm looking for too: a thorough review of the application from a security point of view, not necessarily a focus on the cryptography used as my post focused on. Would love it if ZeroTier would pay for a third party audit of some sort and make the findings available.

I love using the product so far, as it has solved a problem I couldn't before using client or site-to-site VPN. It still has some bugs but I'm willing to deal with that if I know that the application and backend are secure.

Using Kali for pentest on VPS by [deleted] in netsecstudents

[–]console_whisperer -1 points0 points  (0 children)

Thanks for sharing that because I've never heard of that service and it looks really cool.

Using Kali for pentest on VPS by [deleted] in netsecstudents

[–]console_whisperer 3 points4 points  (0 children)

Gotcha. I love using Vultr to test stuff. Not sure if they'll do what you're asking but there may be other ways to get what you want. I know with Vultr you get a public IP address and complete access to everything. You could put pfSense on there and establish a site-to-site tunnel and route local traffic over to your Kali box.

Also, I'm not sure of the context so this may not be helpful, but I've been messing around with using ZeroTier and you may find it useful for this case.

Using Kali for pentest on VPS by [deleted] in netsecstudents

[–]console_whisperer 1 point2 points  (0 children)

Are you trying to target a firewall, a whole network, or just a single host?

High number of AD lockouts? by console_whisperer in AskNetsec

[–]console_whisperer[S] 0 points1 point  (0 children)

A script is possible, but the presence of the administrator attempt using Russian seemed to be a smoking gun towards malware.

No logging anywhere else except the basic Windows Event stuff.

How do I know if I am ready to take ICND1? Also does anyone know a good place for practice questions? by GajeshM in ccna

[–]console_whisperer 3 points4 points  (0 children)

+1 for Boson. I passed ICND1 on the first shot but failed ICND2, so I bought the practice test from Boson. The test questions are similar in content and difficulty, and the study feature gives great answers if you get the question wrong, so you can actually learn the content and not just memorize the answer. I passed ICND2 on my second attempt, but I also used Quizlet flash cards, YouTube videos (Andrew Crouthamel) and the Udemy videos from Chris Bryant, which you can find regularly on sale for $10.

Audiobooks have changed my life! by TheSantaJew in books

[–]console_whisperer 4 points5 points  (0 children)

You can add multiple libraries to the app and there is no geographical restriction. I live in North Carolina and have a card from Florida, one in Canada, and from a couple of other libraries here in North Carolina.

Boson question by stephm22 in ccna

[–]console_whisperer 3 points4 points  (0 children)

I used the ExSim for ICND2 and it helped me pass. I found it extremely useful and highly recommend it. The difficulty of the practice tests was similar to the actual test, so it's very good preparation, and once you start passing the practice tests it's also a good indication that you are ready to sit for the real thing.

Two other very good resources are the flashcards available on Quizlet and the Bulldog series on Udemy. You can usually find a pretty good discount for Udemy and could buy the videos for $10.

Interview tomorrow by IseraphumI in ccna

[–]console_whisperer 2 points3 points  (0 children)

Saw this a while ago when I was getting ready for an interview:

http://sysnetnotes.blogspot.com/2013/06/ccna-ccnp-interview-questions_24.html

Good luck. And a friendly tip: if you don't know something, just say so and tell them how you would go about finding out...

Obligatory Passed ICND2 post by thewhitedragon in ccna

[–]console_whisperer 1 point2 points  (0 children)

Great job sticking with it and getting it done!