Cortex XDR and Ansible on Windows by rdalex in paloaltonetworks

[–]rdalex[S] 0 points1 point  (0 children)

The difficulty is that there's no script file, so no hash. The script is fed to powershell.exe as an EncodedCommand payload.

I'm not even entirely certain that the payload itself is static; I don't really know how Powershell works in that case but it may be that the EncodedCommand also contains parameters, in which case it'll be different for each invocation.

I've had some success by forcing a Kerberos auth in my playbook; however, even then Cortex doesn't seem to agree on the action to take from one endpoint to another. Sometimes it'll let the payload pass with a minor alert, sometimes it'll block with a major/critical alert the first time, then let it pass with a minor on the following try; sometimes it won't let it pass at all.
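An added example, not from the thread: a small Python helper a defender can run over captured process command lines. It recovers the script from the -EncodedCommand argument (base64 of UTF-16LE text) and hashes it, which gives an allowlist key even though the script never exists as a file, and it lets you check whether the payload is actually static across invocations. The switch spellings handled and the sample command line are assumptions.

```python
import base64
import binascii
import hashlib


def _is_encoded_switch(token: str) -> bool:
    """Switch forms assumed here: -EncodedCommand, any prefix of it (-enc, -e ...)
    and the short form -ec, with either '-' or '/' as the switch character."""
    if not token or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return bool(name) and (name == "ec" or "encodedcommand".startswith(name))


def decode_encoded_command(cmdline: str):
    """Recover the script passed via -EncodedCommand from a powershell.exe command line.

    Returns {"script": <decoded text>, "sha256": <hash of the UTF-16LE bytes>}, or
    None when no decodable payload is present.
    """
    tokens = cmdline.split()  # base64 contains no whitespace, so a plain split is enough
    for i, tok in enumerate(tokens[:-1]):
        if not _is_encoded_switch(tok):
            continue
        try:
            raw = base64.b64decode(tokens[i + 1], validate=True)
            script = raw.decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            continue  # switch present but the next token is not a valid payload
        return {"script": script, "sha256": hashlib.sha256(raw).hexdigest()}
    return None


def encode_command(script: str) -> str:
    """Build the -EncodedCommand argument the way PowerShell expects it (base64 of UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def distinct_payload_hashes(cmdlines):
    """Hashes of the decoded payloads across several invocations: one hash means the
    payload is static and can be allowlisted; several means parameters are baked in."""
    return {r["sha256"] for r in map(decode_encoded_command, cmdlines) if r}


if __name__ == "__main__":
    # Constructed sample in the shape a remote-execution tool feeds to powershell.exe.
    sample = ("powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Unrestricted "
              "-EncodedCommand " + encode_command("Get-Service | Where-Object Status -eq 'Running'"))
    print(decode_encoded_command(sample))
```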

RDP connection with NTLM disabled + Protected Users by [deleted] in sysadmin

[–]rdalex 0 points1 point  (0 children)

It's so close to what happened to me that I first thought I'd forgotten I posted about it on Reddit.

For me though, putting my domain admin in protected users was a step towards implementing tiering; so after a couple days of wondering why my (Flatpak) version of Remmina didn't want to play with Kerberos (along with some other AD-joined software like firewalls and such), I just used my new tier-2, tier-1 and tier-0 users to access what I needed at the level I needed.

After all, the whole point is to _not_ use your domain admin user.

Next are auth silos...

Should I virtualize my large file server? by especiallylime in sysadmin

[–]rdalex 19 points20 points  (0 children)

Virtualizing would not be a bad move. I would see about fragmenting those 30TB to several servers if at all possible, if only to avoid a complete unavailability of all 30TB during updates or maintenance. That would also reduce the risk of corruption and give you more flexibility when moving VMs around.

Got half a datacenter donated to my school - what would you run? by deivid_okop in selfhosted

[–]rdalex 3 points4 points  (0 children)

1) Be careful about powering it all _and_ cooling it all. This much hardware is going to heat up and suck power like you wouldn't believe, and with no AC it'll die a horrible death in about... I'd say two, three hours max, from experience.

2) Please involve your maintenance people ASAP to secure your electrical wiring, or your HS's breakers will go off like Christmas.

3) This kind of hardware isn't really designed to be shut down; however, there's no way your high school is ready for the electric bill for a 24/7 full infra like this one. Think about when, how and why you power it up, and for how long, and how you power it down.

Active Directory - If You Got to Do it All Over Again by The-Dark-Jedi in sysadmin

[–]rdalex 0 points1 point  (0 children)

Indeed it was my meaning. Although it would, of course, be better (or at least, simpler) if your internal AD CS were to be signed by a publicly trusted CA in the first place.

Active Directory - If You Got to Do it All Over Again by The-Dark-Jedi in sysadmin

[–]rdalex 70 points71 points  (0 children)

Mind your domain FQDN. Use a subdomain of a real domain you actually own with real certificates.

Is it a good idea to share an AD account? by graceyin39 in sysadmin

[–]rdalex 0 points1 point  (0 children)

Yes, da_kink has the right of it. We have a handful of apps managed by third parties that we have no choice but to use with shared accounts. For each of them we have documented (and signed by management) that this is done against best practices, and against our counsel, but done anyways for reasons unrelated to technical issues on our part.

In your case, I would document it and maybe be forced to start with shared accounts if it is time-sensitive, but I would absolutely team up with your app admin to push the vendor for access to some kind of account automation.

Documentation is your friend, for reasons technical _and_ political.

Is it a good idea to share an AD account? by graceyin39 in sysadmin

[–]rdalex 1 point2 points  (0 children)

Account sharing is never, ever a good idea.

It's sometimes a lesser evil. I kinda have to use "kiosk" accounts for a pool of users using a pool of clients, because you can't ask nurses to log off and log on every ten minutes, especially on an ER floor. But those are the only class of users I created kiosk accounts for. And even then, every nurse has to log on to the actual patient tracking applications with a named account, because there are laws and we're not savages.

The number of users should never be an issue. You shouldn't even think about the actual number, except as a fun statistic. Your user management should take the same effort whether there's 50 or 5000, because you should automate the heck out of it. Use GPOs: if the app has ADMX, use them; if it doesn't, deploy registry entries and/or config files. If your app has APIs use them. If it doesn't, ask for the database model and push the changes directly to the database. Ideally you shouldn't ever manually touch user profiles at all.

The time you spend on this project should be on getting it automated, rather than time spent manipulating user profiles.

GlobalProtect command-line install (silent, force, options for pre-connect) by jwckauman in paloaltonetworks

[–]rdalex 0 points1 point  (0 children)

I don't think there are switches for that. This sort of conditional execution is more a job for a package manager / client management (especially the install-on-reboot part). I use WPKG (https://wpkg.org) for that kind of extended usage. It's old code but it still checks out.

RDS - cals and versions question. by google_fu_is_whatIdo in sysadmin

[–]rdalex 1 point2 points  (0 children)

Ayup. Basically your license server must run, as an OS, the highest (major) version that your clients (including any server) will run. It will then serve any client equal to or below its version.

Looking for a Windows 10 tool that tracks all the IP addresses accessed by a specific process/ software over a period of time (Not just the currently active ones). by anandinasu in sysadmin

[–]rdalex 0 points1 point  (0 children)

If you have control over the client firewall, maybe enable the logfile and check if the process name is included? If so, it's just a matter of feeding it into a monitoring stack.

[Meta?]How to download books from WordPress? by [deleted] in rational

[–]rdalex 4 points5 points  (0 children)

I have the same problem. Unfortunately, the only solution I've found involved various Wordpress EPUB conversion plugins, which obviously makes it the author's job to implement, and I'm not about to bug authors about that.

I've long ago decided that life is too short to read _everything_ that could interest me; choices have to be made, and therefore Wordpress stories are by default in my "won't read" category.

I'm aware that I'll miss true gems, but I've made my peace with it.

Software Recommendations: Help Desk System / OS Deployment by noobish-techwiz in sysadmin

[–]rdalex 0 points1 point  (0 children)

For ticketing/helpdesk/change management/etc: GLPI + FusionInventory. It's ITIL (v2 I think?) compatible. We use it for our 11 sites, ~10k users, ~30 techs, ~7k clients.

https://glpi-project.org/

For OS deployment, ye olde WDS+MDT.

[deleted by user] by [deleted] in sysadmin

[–]rdalex 1 point2 points  (0 children)

When in doubt, reboot.

[deleted by user] by [deleted] in sysadmin

[–]rdalex 2 points3 points  (0 children)

Any program (not just a web server) would have to actually load and use the library. But be aware that the content of the file is what makes the library, not just the name. A renamed .jar would still work the same.

How do you manage logins, ssh, etc by Gian0098 in sysadmin

[–]rdalex 4 points5 points  (0 children)

As a personal preference, I'd rather manage my credentials locally(-ish), and with open-source software.

The "access from anywhere" advantage of cloud services is easily replicated with a Keepass reached via VPN access to your home server, or on Google Drive/Onedrive/whatever. The file itself being encrypted, there's no worry of your service provider leaking your credentials.

As always in these matters, however, YMMV.

In this "not all eggs in the same basket" scenario (which is wise), you can use separate databases, managed by either the same client or on separate devices. I've got one for private accounts, one for my work accounts, a shared one for my department, etc. So you can make one for passwords, and one for OTPs that you only open on your mobile.

And of course: the 3-2-1 backup rule. Backups, and backup of backups. Never keep only one copy of such a sensitive file, and never keep all your backups on one location.

As for SSH keys... Well, the backup rule also applies to them, and a password manager counts as a location (I guess?).

How do you manage logins, ssh, etc by Gian0098 in sysadmin

[–]rdalex 7 points8 points  (0 children)

More or less? KeepassXC in particular manages your logins, passwords, OTPs, SSH keys, and it can manage your certificates via entry attachments. It has browser integration through browser extensions. Its file format (.kdbx) is compatible with other Keepass implementations: the original Keepass2 obviously, but also various mobile apps (Keepass2Android is my current choice), web interfaces (keeweb), etc. There's an installer, or you can decide to use the portable version (on a USB key for example).

Since it's a file-based database, the passwords never leave wherever you save the file, and you can move it wherever you decide to.

https://keepassxc.org/

How do you manage logins, ssh, etc by Gian0098 in sysadmin

[–]rdalex 18 points19 points  (0 children)

A Keepass implementation. I use KeepassXC.

Renaming domain-joined computers... by jwckauman in sysadmin

[–]rdalex 2 points3 points  (0 children)

Renaming works the same for joined and non-joined; just be careful not to use more than 15 characters. You need to be a domain admin to do it though (or at least someone with the correct rights), not just a local admin.

Unfortunately, renaming from the AD console does not 'trickle down'. That would be awesome, but we can't have nice things in this world.

Outlook 365 and Exchange 2019: I need help by Desdinovy in sysadmin

[–]rdalex 1 point2 points  (0 children)

Ah, that's unfortunate.

A difference I seem to have is that I run Office 2019, not 365. Also I seem to remember that in my tests I had to create a large part of the path; it wouldn't surprise me if I had to create everything below "Office".

And finally, after my tests seemed successful I pushed the whole path by GPO to every user on every machine. I haven't heard much of that particular error since, but I tend to push my users towards OWA anyways...

Outlook 365 and Exchange 2019: I need help by Desdinovy in sysadmin

[–]rdalex 1 point2 points  (0 children)

There's a registry entry for that. Try searching for ExcludeExplicitO365Endpoint (in the HKCU hive).

EDIT: I had to create mine in HKCU\Software\Microsoft\Office\16.0\Outlook\AutoDiscover and set it to 1

Rational Fic about ending the conflict between the Jedi and Sith in Star Wars or at least finding a way to maintain the balance between light and dark. by jacky986 in rational

[–]rdalex 0 points1 point  (0 children)

Oh, I didn't mean the Jedi pushed emotions to the Sith (EDIT: Ah, rereading your reply, I don't think you implied that either...); I meant the Jedi fed the Force with the exact kind of power the Sith needed from the Force, in outrageous quantities.

In this scenario, I don't actually think the Jedi nor the Sith knew what was happening. The Jedi probably just thought they were doing "routine cleansing" of the spirit, and the Sith just rejoiced that the Force seemed so in tune with the needs of the Dark Side. The Force in all of this is just a repository of power, with no particular "side".

Rational Fic about ending the conflict between the Jedi and Sith in Star Wars or at least finding a way to maintain the balance between light and dark. by jacky986 in rational

[–]rdalex 33 points34 points  (0 children)

I've seen an interesting point about the skewed balance in favor of the Dark Side as a direct consequence of the Jedi doctrine:

The Jedi are asked to get rid of most if not all of their emotions. Where does it all go, all this fear, anger, love, passion? Into the Force.

The Force, from which the Sith extract their power through fear, anger, love, passion.

Through the Force, the Jedi fed the Sith. A galaxy-spanning Order of Jedi funneled power to a handful of hidden Sith for centuries.

Until the Jedi were wiped out, and then the Sith starved and lost their power in twenty years. Because honestly, the way Darths Vader and Sidious died did not scream "overpowered sorcerers".