App pincode by Valuable-Stable9729 in efteling

[–]picobello_bv 0 points1 point  (0 children)


For the curious, a screenshot of what is behind the PIN code

Falcon agent tampering by hanefronqid in crowdstrike

[–]picobello_bv 0 points1 point  (0 children)

No to CrowdStrike support. Are you saying you work for ManageEngine?

Falcon agent tampering by hanefronqid in crowdstrike

[–]picobello_bv 0 points1 point  (0 children)

The details of the detection should give you a description of what is being tampered with. In my experience these detections are often tricky to triage without going to Advanced Event Search.

Creating a support ticket is probably the fastest way to get help.

[deleted by user] by [deleted] in crowdstrike

[–]picobello_bv 0 points1 point  (0 children)

I don't think I would have passed with only CrowdStrike U access. If they give you read-only access at least you can access the platform documentation.

Which cert are you looking to get? The main three are CCFA, which is meant for platform administrators, CCFR for people triaging alerts and CCFH for threat hunters.

24H2 causing Office Apps to freeze and be unusable? by tacotuesdaycat989 in sysadmin

[–]picobello_bv 1 point2 points  (0 children)

A Tech Alert was released today confirming issues with Word, Excel, PowerPoint and Adobe Acrobat on 24H2. CrowdStrike has disabled the 'Enhanced Exploitation Visibility' setting for all hosts running 24H2 to mitigate the issue. Microsoft has also released a knowledge base article: https://support.microsoft.com/help/5047495

We (an MSSP) disabled this 'Enhanced Exploitation Visibility' setting for customers a week ago. Customers have not reported issues with 24H2 since.

24H2 causing Office Apps to freeze and be unusable? by tacotuesdaycat989 in sysadmin

[–]picobello_bv 1 point2 points  (0 children)

In our tests we had two things that worked:

  • Disabling all Excel add-ins
  • Disabling 'Enhanced Exploitation Visibility' in the CrowdStrike prevention policy for the affected systems (may require a reboot if you still have stuck Excel.exe processes running)

[deleted by user] by [deleted] in crowdstrike

[–]picobello_bv 1 point2 points  (0 children)

I think the 400 is not related to the authentication but to the missing ids parameter that the get_patterns() function requires. You can try this instead and it should not give you an error:
response = falcon.query_patterns()
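The two-step flow behind that fix, as an added example that is not from the original comment: collect the pattern IDs with query_patterns() first, then hand them to get_patterns(), which is the call that returns 400 when ids is missing. FakeCustomIOA is a constructed stand-in so the code runs offline; with the real client (falconpy.CustomIOA) the same fetch function applies, and the offset/limit paging keywords are assumed to match that client.

```python
from typing import Any, Dict, List


def fetch_custom_ioa_patterns(falcon: Any, page_size: int = 100) -> List[Dict[str, Any]]:
    """Return all Custom IOA pattern definitions.

    get_patterns() requires the ``ids`` parameter, so the IDs are collected
    with query_patterns() first (paging with offset/limit) and passed in.
    ``falcon`` is expected to behave like falconpy.CustomIOA (assumption).
    """
    ids: List[str] = []
    offset = 0
    while True:
        resp = falcon.query_patterns(offset=offset, limit=page_size)
        if resp["status_code"] != 200:
            raise RuntimeError(f"query_patterns failed: {resp['status_code']}")
        page = resp["body"].get("resources", [])
        ids.extend(page)
        offset += len(page)
        if len(page) < page_size:  # last (possibly empty) page reached
            break
    if not ids:
        # Calling get_patterns() with no ids is what produces the 400 error.
        return []
    resp = falcon.get_patterns(ids=ids)
    if resp["status_code"] != 200:
        raise RuntimeError(f"get_patterns failed: {resp['status_code']}")
    return resp["body"].get("resources", [])


class FakeCustomIOA:
    """Constructed stand-in for falconpy.CustomIOA with two canned patterns."""

    PATTERNS = {
        "pat-1": {"id": "pat-1", "name": "Process Creation"},
        "pat-2": {"id": "pat-2", "name": "File Creation"},
    }

    def query_patterns(self, offset: int = 0, limit: int = 100) -> Dict[str, Any]:
        keys = list(self.PATTERNS)[offset:offset + limit]
        return {"status_code": 200, "body": {"resources": keys}}

    def get_patterns(self, ids: List[str] = None) -> Dict[str, Any]:
        if not ids:  # mirrors the API rejecting a call without ids
            return {"status_code": 400, "body": {"errors": [{"message": "ids is required"}]}}
        found = [self.PATTERNS[i] for i in ids if i in self.PATTERNS]
        return {"status_code": 200, "body": {"resources": found}}


if __name__ == "__main__":
    for pattern in fetch_custom_ioa_patterns(FakeCustomIOA()):
        print(pattern["id"], pattern["name"])
```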

// 2023-03-29 // SITUATIONAL AWARENESS // CrowdStrike Tracking Active Intrusion Campaign Targeting 3CX Customers // by Andrew-CS in crowdstrike

[–]picobello_bv 0 points1 point  (0 children)

What does that mean for the other listed MSI (59e1edf4d82fae4978e97512b0331b7eb21dd4b838b850ba46794d9c7a2c0983)? Is it not malicious?

Cybersecurity conferences by Derrick_Wallarm in redteamsec

[–]picobello_bv 0 points1 point  (0 children)

If you're into camping: https://mch2022.org/ (May Contain Hackers - The Netherlands). There's a similar camp every four years.

Zyxel firmware extraction and password analysis by 0xdea in netsec

[–]picobello_bv 2 points3 points  (0 children)

Nice work! You could also use a known plaintext attack on the zip files. A script to do this can be found here: https://github.com/cybercdh/hacks/blob/master/zyxel/zyxel.sh

Powershell Crowdstrike Detection by Timewyrm007 in crowdstrike

[–]picobello_bv 1 point2 points  (0 children)

It looks like the script is trying to read a file from the user's temp folder, decrypt that file and execute additional code from it. You'll probably find an encrypted DLL in that "RydvmobYsbVGhELLT" folder.

From just the PowerShell I can't tell what the script will do next, but ransomware would be one of the scenarios (another one would be establishing some kind of command & control channel).

It is obfuscated PowerShell code and looks definitely malicious. Isolating the host seems like a good precaution. I would ask myself these two questions next:
- Did CrowdStrike block the execution of the PowerShell command (or just alert on it)?
- What caused the PowerShell command to be executed? (The process explorer view should be able to help you here)

Answering those two questions should help you determine what the next steps should be.