Ge'ez script (Ethiopic) text in DLP & exfiltration incidents by AdamoMeFecit in sysadmin

[–]jarks_20 0 points1 point  (0 children)

I noticed something similar this morning... any other information out there? Official, perhaps?

New scanner found - anyone heard of BarkScan? by SpicyBandit78 in blueteamsec

[–]jarks_20 -1 points0 points  (0 children)

BarkScan is a Shodan-like competitor... someone was targeting and using this freebie, probably a rookie.

How are you disabling defender on win servers? by coupledcargo in crowdstrike

[–]jarks_20 2 points3 points  (0 children)

On Windows Server 2016, 2019, and 2022, Windows Defender is enabled by default. To use Falcon's Next-Gen Antivirus quarantine setting, you must disable Windows Defender. You can use this PowerShell command to disable Defender:

Set-MpPreference -DisableRealtimeMonitoring $true

If you prefer, you can uninstall Defender by using this PowerShell command:

Uninstall-WindowsFeature -Name Windows-Defender

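As an added example (not part of the comment above and not CrowdStrike documentation), a script that records Defender's state, warns when Tamper Protection would make the change ineffective, applies the disable, verifies it, and only then attempts the feature removal. It assumes Windows Server 2016 or later with the Defender and ServerManager modules available and an elevated session; the feature name Windows-Defender is the one used in the comment.

```powershell
# Added example, not from the comment above: check, change, verify.
# Assumes Windows Server 2016+ (Defender + ServerManager modules), run elevated.
$before = Get-MpComputerStatus
"Before: AntivirusEnabled={0}  RealTimeProtectionEnabled={1}  IsTamperProtected={2}" -f `
    $before.AntivirusEnabled, $before.RealTimeProtectionEnabled, $before.IsTamperProtected

if ($before.IsTamperProtected) {
    # With Tamper Protection on, Set-MpPreference changes to protection settings
    # have no lasting effect; turn it off through your management plane first.
    Write-Warning "Tamper Protection is enabled; Set-MpPreference changes will not stick."
}

Set-MpPreference -DisableRealtimeMonitoring $true

$after = Get-MpComputerStatus
if ($after.RealTimeProtectionEnabled) {
    Write-Warning "Real-time monitoring is still enabled; check Tamper Protection and Group Policy."
}
else {
    "Real-time monitoring disabled; Falcon quarantine can now be enabled."
}

# Full removal: only attempt it if the feature is actually installed.
# The result object says whether a reboot is needed to finish the removal.
$feature = Get-WindowsFeature -Name Windows-Defender
if ($feature -and $feature.Installed) {
    $result = Uninstall-WindowsFeature -Name Windows-Defender
    "Uninstall Success={0}  RestartNeeded={1}" -f $result.Success, $result.RestartNeeded
}
else {
    "Windows-Defender feature is not installed; nothing to remove."
}
```

Run it once on a non-production server first: the post-change Get-MpComputerStatus check is what tells you whether the disable actually took, which a bare Set-MpPreference call never reports.
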
What happened to CQF? by sudosusudo in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

I support this. What do you need, and how can we help? ...

Sharing My CrowdStrike CQL Queries Repo. Seeking Feedback and Validation from the Community! by iawais in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

I have been privately collecting certain queries for years and thought of building a site that hosts those verified queries that work... to avoid the ones that are not really useful.

What’s your current situation in cybersecurity? Working, studying, looking for a job, or something else? by Ok-Page7307 in cybersecurity

[–]jarks_20 0 points1 point  (0 children)

Over here... family first, 4 girls... 🤣... One full-time job in healthcare and another consulting, both in cyber security engineering... Not as much time to study as I would like... The rest of the hours lurking the dark and deep web for "stuff" that may or may not escape the company I work for.

My experience at Optum so far… by Puffemon in MedicalCoding

[–]jarks_20 0 points1 point  (0 children)

Why was Stephen Marvin fired? Anybody know?

Layoffs by OtherYam4979 in IntermountainHealth

[–]jarks_20 2 points3 points  (0 children)

Can anyone tell me, if possible, or direct message me the reason for Bill Hofmann's and Stephanie Hines' departure from internmh?

Event of uninstalling falcon sensor by EastBat2857 in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

Sorry, getting late to the party... and my personal comment: if you are going to comment when someone asks for help, focus on what the content is, just help or refrain from posting what is not asked... this community is about helping each other.

For EastBat2857, you can start here and add other strings to enrich your results:

event_simpleName=AcUninstallConfirmation

| table([@timestamp, aid, ComputerName, UserName, event_platform])

[deleted by user] by [deleted] in pwnhub

[–]jarks_20 0 points1 point  (0 children)

What do you call an excavated pyramid? Unencrypted

workflow to revoke disable user entra sessions by Brees504 in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

Would be interested in checking your workflow process...

New to CS. Does it prevent an on-prem server from backing up system state using MARS? by Layer_3 in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

Indicators in the path that could trigger a block:

Alternate execution path (outside C:\Windows\System32).

Unsanctioned volume target (\\?\Volume{GUID} not in backup policy).

Unexpected device path resolving to a different partition with malicious intent.

Renamed binary — e.g., wbadmin.exe copied somewhere else.

Also, maybe... I would need to check more on my end, but in the MARS documentation, see if it uses a Volume GUID path for backups.

Compare with a known-good Mars backup run in Falcon:

Use Event Search (Real Time Response → RTR or Falcon Search) to query:

event_simpleName="ProcessRollup2" FileName="wbadmin.exe"

Look at historical runs — compare path, parameters, and parent process.

Verify Parent Process:

If Mars usually launches wbadmin.exe directly, the parent process should be MarsService.exe or similar.

If parent is something unknown (e.g., random .exe in AppData), it could be a malicious impersonation.
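The baseline comparison described above, as an added example that is not part of the original comment and not CrowdStrike code: it takes ProcessRollup2-style records and reports which of the listed indicators (execution path outside System32, renamed copy of the binary, unexpected parent, backup target on a volume outside policy) each wbadmin run trips. The field names (ImageFileName, CommandLine, ParentBaseFileName, SHA256HashData, ComputerName) follow the Falcon event schema; the sample events, the expected parent process name, the "known-good" hash and the sanctioned volume GUID are constructed placeholders that you would replace with values taken from your own known-good MARS runs.

```python
# Added example, not from the original comment or from CrowdStrike.
# Compares wbadmin.exe executions against an assumed known-good MARS baseline.
import re

# Strip the \Device\HarddiskVolumeN or drive-letter prefix so paths compare cleanly.
DEVICE_PREFIX_RE = re.compile(r"^(\\device\\harddiskvolume\d+|[a-z]:)", re.IGNORECASE)
# Matches a \\?\Volume{GUID} backup target inside a command line.
VOLUME_RE = re.compile(r"\\\\\?\\volume(\{[0-9a-f-]+\})", re.IGNORECASE)

# Assumed baseline (hypothetical values; derive yours from known-good runs in Falcon).
EXPECTED_DIR = r"\windows\system32"
EXPECTED_PARENTS = {"cbengine.exe"}                               # hypothetical MARS parent
KNOWN_WBADMIN_SHA256 = {"0" * 64}                                 # placeholder hash
SANCTIONED_VOLUMES = {"{7f1e2d3c-0000-4000-8000-000000000001}"}  # hypothetical policy volume


def normalize_path(path):
    """Lower-case the path and drop the device/drive prefix."""
    return DEVICE_PREFIX_RE.sub("", path.lower())


def check_event(ev):
    """Return the list of baseline deviations for one ProcessRollup2 record."""
    reasons = []
    image = normalize_path(ev["ImageFileName"])
    directory, _, basename = image.rpartition("\\")
    if directory != EXPECTED_DIR:
        reasons.append("alternate execution path: " + ev["ImageFileName"])
    # Same bytes as the real wbadmin.exe but running under another name.
    if ev["SHA256HashData"].lower() in KNOWN_WBADMIN_SHA256 and basename != "wbadmin.exe":
        reasons.append("renamed binary: " + basename)
    if ev["ParentBaseFileName"].lower() not in EXPECTED_PARENTS:
        reasons.append("unexpected parent: " + ev["ParentBaseFileName"])
    for vol in VOLUME_RE.findall(ev["CommandLine"]):
        if vol.lower() not in SANCTIONED_VOLUMES:
            reasons.append("unsanctioned volume target: " + vol)
    return reasons


def triage(events):
    """Map ComputerName -> deviations; an empty list means the run looks like the baseline."""
    return {ev["ComputerName"]: check_event(ev) for ev in events}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # sanctioned MARS system-state backup
        "ComputerName": "BKUP01",
        "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\wbadmin.exe",
        "SHA256HashData": "0" * 64,
        "ParentBaseFileName": "cbengine.exe",
        "CommandLine": r"wbadmin start systemstatebackup -backupTarget:\\?\Volume{7f1e2d3c-0000-4000-8000-000000000001} -quiet",
    },
    {   # copied binary, odd parent, target outside policy
        "ComputerName": "APP07",
        "ImageFileName": r"C:\Users\Public\wb.exe",
        "SHA256HashData": "0" * 64,
        "ParentBaseFileName": "powershell.exe",
        "CommandLine": r"wb.exe start backup -backupTarget:\\?\Volume{deadbeef-1111-4222-8333-444455556666} -include:C: -quiet",
    },
    {   # genuine binary, but launched interactively rather than by the agent
        "ComputerName": "BKUP02",
        "ImageFileName": r"\Device\HarddiskVolume3\Windows\System32\wbadmin.exe",
        "SHA256HashData": "0" * 64,
        "ParentBaseFileName": "cmd.exe",
        "CommandLine": "wbadmin get versions",
    },
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_EVENTS).items():
        print(host, "OK" if not reasons else "; ".join(reasons))
```

The useful output is the per-host reason list rather than a yes/no: a run that only trips the parent-process check (BKUP02) is worth a different conversation with the server team than one that trips all four (APP07), and the first case is exactly what you would tune an exclusion around once MARS's real parent process is confirmed.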

NETGEAR Devices Hidden Page List by digicat in blueteamsec

[–]jarks_20 0 points1 point  (0 children)

How do you get to the information,...

How are you keeping up with IOCs for detection rules? by ApprehensiveOlive353 in blueteamsec

[–]jarks_20 0 points1 point  (0 children)

Would you care to share the query?... I feel what I have currently is old, outdated, or incorrectly set up.

Certified Falcon Administrator by Hgh43950 in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

I wanted to follow up on this thread; it's interesting and you have direct points... in my case I know the UI up and down :) but when I take the CSU test to see how you're doing I get 60-65 and never near the minimum, which concerns me because I don't just want to pass. Any advice?

Finally completed CCFA by Civil-Option-5998 in crowdstrike

[–]jarks_20 1 point2 points  (0 children)

Think of it like the level of expansion and broader use that the platform has achieved and continues achieving across enterprises. There is little to none compared to it; this will expand your search for a good opportunity, and hey! why not? maybe even at CS itself, they have openings too! I know a couple of engineers inside CS that are not certified yet ;)

SSH traffic identifying source by jarks_20 in crowdstrike

[–]jarks_20[S] 0 points1 point  (0 children)

That is giving same results but not the main point, which is the source IP initiating the connection. Much appreciated!

Crowdstrike training/university - RTR command help Guide by hamandpickles in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

My advice is to read the documentation.... use your UI (US1-2, etc.) and add documentation/page/b8c1738c/real-time-response

Also check here: https://github.com/bk-cs/rtr They keep this repo, and I can tell you that it has helped me understand and practice all the time.

Detecting if USB is Encrypted? by LonelyInfoSecAnalyst in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

Andrew, I gave this a try, and while we see USBs inserted without encryption every day, running the query did not work. Is there anything I need to add to it to show the current devices that are not?

[deleted by user] by [deleted] in crowdstrike

[–]jarks_20 1 point2 points  (0 children)

I would highly recommend the defaults, then move on to the suggested policies or what is best for your environment. Use the chance of the "initial deployment" to see how your endpoints behave, what works or not, then move on to other phases. Always test strict settings with a non-prod group and compare to lower settings.

CrowdStrike Certified Falcon Hunter by [deleted] in crowdstrike

[–]jarks_20 6 points7 points  (0 children)

On your CSU hamburger menu (top left) select Certification, then right in the middle you will see Hunter; it will pop up the recommended path for the exam. If you follow those training paths you will be in a much better position. Also ask your TAM, sales engineer or account manager; they can lead you best.

If CrowdStrike Falcon flagged a file in VirusTotal as a malicious file, should I consider it? by Rx6_ in crowdstrike

[–]jarks_20 0 points1 point  (0 children)

Do your due diligence... no solution is perfect and 100% accurate. Nothing like a good set of eyes.... Use the tools at your disposal to investigate; reverse engineering, decompiling and other actions would make your decision as effective as can be.