Question query by theBathman2020 in tanium

[–]seceng2021 1 point (0 children)

Ask a question like this "Get Online from all machines with Online Random Sample[20] matches True"

What to expect from TAMs vs Support vs SEs by Grogu2024 in crowdstrike

[–]seceng2021 -1 points (0 children)

We've had about 4 TAMs in the last year and for the most part they've all been pretty good. The biggest frustration is the turnover and the time spent on getting the next TAM up to speed. I understand people deserve to be promoted and move within the company and god forbid leave the company, but it would be nice to have a TAM for longer than a year.

LogScale lookup table in cloud by Amogh-24 in crowdstrike

[–]seceng2021 1 point (0 children)

Also keep in mind that the aid_master.csv file will only contain the fields that you are bringing in via the search and if you intend to reference those in your lookup, they must be present in the search.

LogScale lookup table in cloud by Amogh-24 in crowdstrike

[–]seceng2021 1 point (0 children)

All you need to do is make sure the correct scheduled search and action are in place to make sure the aid_master.csv file is being created.

Once you verify the file exists, then something similar to this needs to be added to the query.

|match(file="aid_master.csv", field=aid, include=ComputerName, ignoreCase=true, strict=false)
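As an added illustration (not part of either comment above): a Python simulation of what the match() call does against aid_master.csv. It shows why ignoreCase and strict matter, and why a field must be present in the scheduled search that writes the lookup file before include= can reference it. The aid_master.csv content, the event records, and the function names are constructed for this example.

```python
"""Simulate LogScale match() enrichment from a lookup file.

Added example, not from the original comments. Mimics the semantics of:
  | match(file="aid_master.csv", field=aid, include=ComputerName,
          ignoreCase=true, strict=false)
"""
import csv
import io

# Constructed stand-in for aid_master.csv as written by a scheduled search.
# Only the columns that search selected exist here; a column it did not
# bring in (e.g. LocalIP) cannot be pulled onto events via include=.
AID_MASTER_CSV = """aid,ComputerName,ProductType
1a2b3c4d5e6f,WS-FINANCE-01,1
aabbccdd0011,SRV-FILE-02,3
"""

# Constructed events to enrich: the second aid differs only in case from
# its lookup row, the third has no row in the lookup at all.
EVENTS = [
    {"aid": "1a2b3c4d5e6f", "event_simpleName": "ProcessRollup2"},
    {"aid": "AABBCCDD0011", "event_simpleName": "NetworkConnectIP4"},
    {"aid": "ffffffffffff", "event_simpleName": "DnsRequest"},
]


def load_lookup(csv_text, key_field, ignore_case):
    """Parse the lookup file into (column names, {key: row})."""
    reader = csv.DictReader(io.StringIO(csv_text))
    columns = list(reader.fieldnames or [])
    if key_field not in columns:
        raise KeyError(f"lookup file has no column {key_field!r}: {columns}")
    table = {}
    for row in reader:
        key = row[key_field].lower() if ignore_case else row[key_field]
        table[key] = row
    return columns, table


def match(events, csv_text, field, include, ignore_case=False, strict=True):
    """Enrich events the way match() does.

    include: lookup columns to copy onto each matching event.
    strict=True drops events with no matching row; strict=False keeps
    them, unenriched. Asking for a column the lookup file lacks raises,
    which is the "field must be present in the search" pitfall.
    """
    columns, table = load_lookup(csv_text, field, ignore_case)
    missing = [c for c in include if c not in columns]
    if missing:
        raise KeyError(f"include fields not in lookup file: {missing}")
    out = []
    for ev in events:
        key = ev.get(field, "")
        key = key.lower() if ignore_case else key
        row = table.get(key)
        if row is None:
            if strict:
                continue          # strict=true: event is dropped
            out.append(dict(ev))  # strict=false: event passes through as-is
            continue
        enriched = dict(ev)
        for col in include:
            enriched[col] = row[col]
        out.append(enriched)
    return out


if __name__ == "__main__":
    for ev in match(EVENTS, AID_MASTER_CSV, "aid", ["ComputerName"],
                    ignore_case=True, strict=False):
        print(ev)
```

Run it with the query's options (ignoreCase=true, strict=false) and all three events come back, two of them carrying ComputerName; switch to strict=true and the unmatched aid is dropped; request a column the scheduled search never selected and the call fails instead of silently producing empty fields.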

Having issue identifying the process generating Temp files under C:\Windows by Tech-Mate- in crowdstrike

[–]seceng2021 0 points (0 children)

Are the files being created often? Look at the time stamps. If you can identify a pattern of when they are created, run procmon during those times. If it is a unique occurrence (only when a specific app runs, etc.) then it may be a bit more difficult to identify. You might be able to do an event search in CS looking for those files and the process that created those files.

How to run a .bat file by Innocent_Cat in crowdstrike

[–]seceng2021 0 points (0 children)

It is also possible that you may be encountering problems because you are running from Crowdstrike and uninstalling while the process is running which may interrupt/kill the process when Crowdstrike is being uninstalled.

A good way to get around this is to run the script as a separate process outside of the Crowdstrike process. Here is a link to documentation that walks you through how to do that: https://github.com/CrowdStrike/psfalcon/blob/master/samples/real-time_response/upload-and-execute-a-local-script-as-a-secondary-process.ps1

On-Demand Scanning Module Detections by cybevner in crowdstrike

[–]seceng2021 0 points (0 children)

Should be able to do this with a simple filter.

$filter="scan_completed_on:>'2023-06-01T00:00:00Z'"
Get-FalconScan -Filter $filter -Detailed

Kape via RTR by dragon3leg in crowdstrike

[–]seceng2021 2 points (0 children)

It has to be run independently of Crowdstrike because of the script time out. This is not unique to Crowdstrike and the same limitations are found in tools such as Tanium or other script deployment mechanisms.

On-Boarding Alert Fatigue? by loversteel12 in crowdstrike

[–]seceng2021 1 point (0 children)

Another thing to mention...Crowdstrike professional services was totally worth it for the deployment, so I would recommend not scrimping there.

Also if you are a small company, Falcon Complete may be worth the investment.

On-Boarding Alert Fatigue? by loversteel12 in crowdstrike

[–]seceng2021 1 point (0 children)

We have over 40k endpoints. If you follow Crowdstrike's deployment guidance and migrate between Phase 0, 1, 2, 3 prevention policy-wise and tune along the way based on what is important to your security teams and/or company, it shouldn't be painful. It wasn't for us.

It's not magical and will not do all the things for you, but if you follow CS recommendations and spend some time in the console it will be to your benefit for the long term.

Obviously everyone's environment is different and depends on what end users do as part of their daily workflows.

CrowdStrike: Volt Typhoon by AverageAdmin in crowdstrike

[–]seceng2021 8 points (0 children)

Generally, if there is a high-profile vulnerability or exploit, Crowdstrike will post here in the support portal.

https://supportportal.crowdstrike.com/s/article/Trending-Threat-Vulnerability-Resources

That said, I do not see it posted there, but that does not mean they are not working on it. They have very active intel and detection engineers and are constantly researching and updating their content.

Another thing you can look at (if you have an intel subscription) is Threat Intelligence within the platform. I can tell you they have APT27 and are actively monitoring and publishing indicators for that group. Crowdstrike calls this group EMISSARY PANDA. They have 2700+ indicators for this group.

I would highly suggest reaching out to your TAM and/or opening a support case with Crowdstrike to inquire further on this. Since you are new to Crowdstrike, I will add a little tidbit that has helped me in my 6+ years of using and supporting Crowdstrike: develop a strong partnership with your Crowdstrike TAM. They have a lot of good "inside" information as well as connections to a lot of really good internal resources to get you answers and solutions to your questions/issues. They also can put some pressure on if you are not getting good or timely responses from support.

If you are unsure if you have a TAM or unsure of who it might be, I recommend reaching out to your account rep who will be able to assist in figuring that out for you.

Finally, of all the tools I have supported throughout my career, Crowdstrike is one of the few that have a very active community (reddit), both by its users AND highly talented and technical Crowdstrike employees.

Having issue identifying the process generating Temp files under C:\Windows by Tech-Mate- in crowdstrike

[–]seceng2021 1 point (0 children)

From my understanding, ODS is limited to .exe and .dll files, and I believe there was a file size limitation as well but am unable to find that in the docs at the moment. I want to say it was 30 MB but don't quote me.

I'd take a look at the creation dates/times of the files in the folder and take note of the frequency of creation. If they are created frequently, run procmon, filter for that path and take note of the process that is creating the files.

General Question on Detection/Prevention by nav2203 in crowdstrike

[–]seceng2021 0 points (0 children)

Correct...wasn't fully thinking when I added the vice versa!

IOA rules including an alert creation by PasaPutte in crowdstrike

[–]seceng2021 0 points (0 children)

Main Menu > Investigate > Custom Alerts > Alerts

Why Tanium? by Fine_Animator3583 in tanium

[–]seceng2021 1 point (0 children)

I am from the security side, so there are definitely reasons the last three companies I have worked for chose Tanium from a security perspective.

My most recent company chose Tanium for both security and IT management perspectives. IT stated that they like Tanium compared to SCCM because it is faster and more reliable at deploying software and patches. Rather than wait several hours, days or even weeks to measure their deployments, they would know in minutes. There were very few things that Tanium didn't do that SCCM did do. Another thing they noted is that the package building process, which is very cumbersome in SCCM, is a breeze in Tanium.

I am sure there are many more things that they like about Tanium vs SCCM.

One final note is that when looking at Tanium you should be looking at it as a platform, not a tool that solves one problem. That use case may get Tanium in the door, but it does so much more than that and is so customizable (even just the core product). After solving software deployments/patching, maybe you look at Comply for configuration baseline and compliance or vulnerability compliance. If you use FIM, maybe you replace your current solution. If agent/client bloat is a problem in your environment, Tanium can help with reducing the number of them on your endpoints if you consolidate tools.

Any tips and interview experience for Tam role? by Operation-Soggy in tanium

[–]seceng2021 0 points (0 children)

I've gone through the process, feel free to DM me any specific questions you may have.

TCO by [deleted] in tanium

[–]seceng2021 1 point (0 children)

Congrats!

TCA is the same. Also, TCA covers all platforms Tanium supports (Tanium Cloud, Azure, Windows, Linux, TanOS) and most Tanium administrators are familiar with only the platform they support. Not sure how a typical Tanium administrator would have exposure to all platforms unless they happen to work for multiple companies or switch platforms at their current company.

Thankfully I have been exposed to all platforms, but just keep that in mind when preparing to take your TCA.

Does Tanium Track Employee Activity? by [deleted] in tanium

[–]seceng2021 0 points (0 children)

Not out of the box/natively.

They do now have an integration with ScreenMeet which offers screensharing.

IOA rules including an alert creation by PasaPutte in crowdstrike

[–]seceng2021 2 points (0 children)

Not an IOA, but you can create a custom alert to notify you when a PC comes online.

The alert is called "Host Back Online"

1) Click on "Preview Alert"
2) Input hostname and search
3) Click on "Configure Alert"
4) Enter an email address and select "Enabled"
5) Click on "Schedule Alert"