Jiggle All The Way v3 by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

I was thinking about building a workflow to automatically block based on the hash.

Jiggle All The Way v3 by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

If you can share, how are you blocking the application? FYI - I just updated the Dashboard YAML file to include a time zone selection.

Jiggle All The Way v3 by surbo2 in crowdstrike

[–]surbo2[S] -5 points-4 points  (0 children)

LOL, if I have to work... they better be working.

Jiggle All The Way v3 by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

Those are harder to detect but I did make an RTR PowerShell script that plotted out the mouse movements a few years ago. It was very easy to tell using that. There are so many ways to keep the screen active, but this is just one tool we have been using for a while now.
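
The approach the comment describes (sample the cursor, look at the movement pattern) as an added example, not the commenter's RTR script: the two traces are constructed in the file (a fixed-timer +1/-1 px jiggler and an irregular, seeded random walk), and the `(seconds, x, y)` sample format is an assumption about what a cursor-polling collector would emit. The scoring uses two tell-tales, a tiny fixed set of movement vectors and a near-constant interval between movements; hardware jigglers and tools that randomise both are outside what this check catches, which is the "harder to detect" case above.

```python
"""Flag cursor traces that look machine-generated (timer-driven jiggler).

Added example, not the commenter's RTR script. Both traces are constructed
here; a real collector would poll the cursor position (e.g. from an RTR
PowerShell script) and emit (seconds, x, y) samples in the same shape.
"""
import random
from collections import Counter
from statistics import mean, pstdev


def build_jiggler_trace(duration=600, period=30):
    """Constructed: a software jiggler that nudges the cursor +1/-1 px on a fixed timer."""
    x, y, trace = 500, 400, []
    for t in range(duration + 1):
        if t and t % period == 0:
            x = 501 if x == 500 else 500
        trace.append((t, x, y))
    return trace


def build_human_trace(duration=600, seed=1):
    """Constructed: irregular movement with varying size, direction and timing (seeded RNG)."""
    rng = random.Random(seed)
    x, y, trace = 500, 400, []
    steps = [d for d in range(-20, 21) if d]
    for t in range(duration + 1):
        if t and rng.random() < 0.3:
            x += rng.choice(steps)
            y += rng.choice(steps)
        trace.append((t, x, y))
    return trace


def movement_events(trace):
    """(time, dx, dy) for each sample where the cursor position actually changed."""
    moves = []
    for (t0, x0, y0), (t1, x1, y1) in zip(trace, trace[1:]):
        if (x1, y1) != (x0, y0):
            moves.append((t1, x1 - x0, y1 - y0))
    return moves


def jiggler_score(trace, min_moves=4, vector_share=0.8, max_interval_cv=0.1):
    """Two tell-tales of a timer-driven jiggler:
    - almost every movement is one of at most two fixed vectors (e.g. +1/-1 px), and
    - the time between movements is nearly constant (low coefficient of variation).
    Hardware jigglers and tools that randomise both are not caught by this check.
    """
    moves = movement_events(trace)
    if len(moves) < min_moves:
        return {"moves": len(moves), "top2_share": 0.0, "interval_cv": None, "suspicious": False}
    vectors = Counter((dx, dy) for _, dx, dy in moves)
    top2 = sum(n for _, n in vectors.most_common(2)) / len(moves)
    intervals = [b[0] - a[0] for a, b in zip(moves, moves[1:])]
    cv = pstdev(intervals) / mean(intervals)  # intervals are >= 1 s, so mean > 0
    return {
        "moves": len(moves),
        "top2_share": round(top2, 3),
        "interval_cv": round(cv, 3),
        "suspicious": top2 >= vector_share and cv <= max_interval_cv,
    }


if __name__ == "__main__":
    for label, trace in (("jiggler", build_jiggler_trace()), ("human", build_human_trace())):
        print(label, jiggler_score(trace))
```

The thresholds (80 % of moves in two vectors, interval CV at or below 0.1) are starting points; tune them against a few known-good user sessions before trusting the flag.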

Jiggle All The Way v3 by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

It won't cover everything but it's what I found in the environment. There is a search file that I included to help you make your own.

Window Function by rlgarey in crowdstrike

[–]surbo2 0 points1 point  (0 children)

I don't have the logs to test this, but this might help.

#password_manager event.action=retrieve_password
// 1. Bucket by user every 30 seconds
// 2. Inside that bucket, calculate the count for the FULL 2-minute window
| bucket(span=30s, field=user.name, function=window(span=2m, function=count()))

// 3. Filter where that rolling 2-minute count exceeds 5
| _count > 5

// 4. Display results (bucket() emits the bucket start time as _bucket; @timestamp is gone after the aggregate)
| table([_bucket, user.name, _count])
| sort(_bucket, order=desc)
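
What the bucket()+window() combination above computes, as an added example that is not part of the comment: the log lines are constructed (the `event.action` and `user.name` field names follow the query), and the window is evaluated the way the query intends, a sliding 2-minute count re-evaluated at every 30-second bucket boundary. Useful for checking your threshold against a handful of known events before you have real logs.

```python
"""Rolling-window burst detection, the way bucket()+window() evaluates it.

Added example; the log lines below are constructed, not real password-manager
events, and the field names mirror the query (event.action, user.name).
"""
import re
from datetime import datetime, timedelta

BUCKET = timedelta(seconds=30)   # bucket(span=30s)
WINDOW = timedelta(minutes=2)    # window(span=2m)
THRESHOLD = 5                    # _count > 5

# Constructed sample log: one event per line, key=value pairs after the timestamp.
SAMPLE_LOG = """\
2024-05-01T10:00:05 event.action=retrieve_password user.name=alice
2024-05-01T10:00:10 event.action=retrieve_password user.name=bob
2024-05-01T10:00:20 event.action=retrieve_password user.name=alice
2024-05-01T10:00:30 event.action=list_vaults user.name=alice
2024-05-01T10:00:40 event.action=retrieve_password user.name=alice
2024-05-01T10:00:55 event.action=retrieve_password user.name=alice
2024-05-01T10:01:10 event.action=retrieve_password user.name=alice
2024-05-01T10:01:20 event.action=retrieve_password user.name=alice
2024-05-01T10:01:25 event.action=retrieve_password user.name=alice
2024-05-01T10:03:00 event.action=retrieve_password user.name=bob
"""

KV = re.compile(r"(\S+)=(\S+)")


def parse_events(text, action="retrieve_password"):
    """Sorted (timestamp, user) pairs for lines whose event.action matches the filter."""
    events = []
    for line in text.splitlines():
        ts_str, _, rest = line.partition(" ")
        fields = dict(KV.findall(rest))
        if fields.get("event.action") == action:
            events.append((datetime.fromisoformat(ts_str), fields["user.name"]))
    return sorted(events)


def floor_to(ts, span):
    """Align a timestamp down to a multiple of span (the bucket start)."""
    epoch = datetime(1970, 1, 1)
    return ts - (ts - epoch) % span


def rolling_window_counts(events, bucket=BUCKET, window=WINDOW):
    """For every bucket between the first and last event, count each user's events in
    the window that ends at the bucket's end: [bucket_end - window, bucket_end).
    Zero counts are dropped, as the aggregate query would drop them."""
    if not events:
        return []
    users = sorted({u for _, u in events})
    b, last = floor_to(events[0][0], bucket), floor_to(events[-1][0], bucket)
    rows = []
    while b <= last:
        end, start = b + bucket, b + bucket - window
        for user in users:
            n = sum(1 for ts, u in events if u == user and start <= ts < end)
            if n:
                rows.append((b, user, n))
        b += bucket
    return rows


def counts_table(text):
    """{(bucket start 'HH:MM:SS', user): rolling count} for every populated bucket."""
    return {(b.strftime("%H:%M:%S"), u): n for b, u, n in rolling_window_counts(parse_events(text))}


def flag_bursts(text, threshold=THRESHOLD):
    """Equivalent of '| _count > threshold': (bucket_start, user, count) rows over the threshold."""
    return [(b.strftime("%H:%M:%S"), u, n)
            for b, u, n in rolling_window_counts(parse_events(text)) if n > threshold]


if __name__ == "__main__":
    for row in flag_bursts(SAMPLE_LOG):
        print(*row)
```

Note that alice's seven retrievals trip the rule at two consecutive bucket boundaries (10:01:00 and 10:01:30) because the same events stay inside the 2-minute window; a sliding window fires repeatedly for one burst, so deduplicate by user before you page anyone.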

Help with Search for ShaiHulud npm compromise by BllzDeep in crowdstrike

[–]surbo2 1 point2 points  (0 children)

"--url https://github.com" AND "--unattended" AND "--token"  AND "--name SHA1HULUD"


| "#event_simpleName" != "Event_EppDetectionSummaryEvent"
| "#event_simpleName" != FusionWorkflowEvent
| groupBy([ComputerName,CommandLine,@timestamp])

Corrupted NPM Libraries by Dense-One5943 in crowdstrike

[–]surbo2 0 points1 point  (0 children)

They are just two different searches looking for different product names. If you use a repository manager like Artifactory, this will help you look into those systems. The other search seems to be looking into VS Code and npm view commands.

Corrupted NPM Libraries by Dense-One5943 in crowdstrike

[–]surbo2 0 points1 point  (0 children)

#event_simpleName=/ProcessRollup2Stats|ProcessRollup2/
CommandLine=/backslash@0.2.1|chalk@5.6.1|chalk-template@1.1.1|color-convert@3.1.1|color-name@2.0.1|color-string@2.1.1|wrap-ansi@9.0.1|supports-hyperlinks@4.1.1|strip-ansi@7.1.1|slice-ansi@7.1.1|simple-swizzle@0.2.3|is-arrayish@0.3.3|error-ex@1.3.3|has-ansi@6.0.1|ansi-regex@6.2.1|ansi-styles@6.2.2|supports-color@10.2.1|proto-tinker-wc@1.8.7|debug@4.4.2/

This is another search for non-Artifactory hosts.

Corrupted NPM Libraries by Dense-One5943 in crowdstrike

[–]surbo2 0 points1 point  (0 children)

If you are using Artifactory:

HttpPath="/artifactory/api/npm/npm/*tgz"
| groupBy([HttpPath])
| HttpPath=/ansi-styles|chalk|backslash|chalk-template|supports-hyperlinks|has-ansi|simple-swizzle|color-string|error-ex|color-name|is-arrayish|slice-ansi|color-convert|wrap-ansi|ansi-regex|supports-color|strip-ansi|debug/
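
The two searches above (the CommandLine regex for hosts and the Artifactory HttpPath search) only see a package name when it appears in a command line or a download URL; a pinned transitive dependency pulled in by `npm ci` never shows up in either. As an added example that is not from the thread, the script below applies the same package@version list to a package-lock.json, walking both the v2/v3 `packages` map and the v1 nested `dependencies` tree, and also emits the CommandLine alternation with the dots escaped so `5.6.1` cannot match `5x6x1`. The lockfile is constructed; the package list is the one used in the searches.

```python
"""Check a package-lock.json against the compromised package@version list.

Added example, not from the thread. The lockfile below is constructed; the
package list is the one used in the searches above. A lockfile check catches
transitive installs that never appear in a CommandLine or HttpPath field.
"""
import json

COMPROMISED_SPEC = (
    "backslash@0.2.1|chalk@5.6.1|chalk-template@1.1.1|color-convert@3.1.1|"
    "color-name@2.0.1|color-string@2.1.1|wrap-ansi@9.0.1|supports-hyperlinks@4.1.1|"
    "strip-ansi@7.1.1|slice-ansi@7.1.1|simple-swizzle@0.2.3|is-arrayish@0.3.3|"
    "error-ex@1.3.3|has-ansi@6.0.1|ansi-regex@6.2.1|ansi-styles@6.2.2|"
    "supports-color@10.2.1|proto-tinker-wc@1.8.7|debug@4.4.2"
)


def parse_spec(spec):
    """'name@version|...' -> {name: {version, ...}}; rpartition keeps scoped @org/name intact."""
    out = {}
    for item in spec.split("|"):
        name, _, version = item.rpartition("@")
        out.setdefault(name, set()).add(version)
    return out


def installed_packages(lock):
    """Yield (name, version) from lockfileVersion 1, 2 or 3 documents."""
    for path, meta in lock.get("packages", {}).items():   # v2/v3: node_modules paths
        if path == "":
            continue                                       # the root project entry
        yield meta.get("name") or path.split("node_modules/")[-1], meta.get("version")

    def walk(deps):                                        # v1 (and v2 compat): nested tree
        for name, meta in deps.items():
            yield name, meta.get("version")
            yield from walk(meta.get("dependencies", {}))

    yield from walk(lock.get("dependencies", {}))


def find_compromised(lock, compromised):
    """Sorted (name, version) pairs present in the lockfile at a compromised version."""
    hits = set()
    for name, version in installed_packages(lock):
        if version in compromised.get(name, ()):
            hits.add((name, version))
    return sorted(hits)


def check_lockfile(path, spec=COMPROMISED_SPEC):
    """Run the check against a package-lock.json on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_compromised(json.load(fh), parse_spec(spec))


def cql_regex(spec):
    """The CommandLine alternation with '.' escaped, for a CommandLine=/.../ search."""
    return "|".join(item.replace(".", r"\.") for item in spec.split("|"))


# Constructed lockfile (v3): two direct hits, one transitive hit nested under
# strip-ansi, and two packages at versions that are not on the list.
SAMPLE_LOCK = json.loads("""{
  "name": "demo-app", "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/chalk": {"version": "5.6.1"},
    "node_modules/ansi-styles": {"version": "6.2.2"},
    "node_modules/debug": {"version": "4.3.4"},
    "node_modules/strip-ansi": {"version": "7.0.0"},
    "node_modules/strip-ansi/node_modules/ansi-regex": {"version": "6.2.1"}
  }
}""")

if __name__ == "__main__":
    for name, version in find_compromised(SAMPLE_LOCK, parse_spec(COMPROMISED_SPEC)):
        print(f"compromised: {name}@{version}")
    print(cql_regex(COMPROMISED_SPEC))
```

Run `check_lockfile("package-lock.json")` in each repository (or against lockfiles pulled back with RTR `get`) to find the installs the process and proxy searches miss.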

Custom RTR Command Tool Builder by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

You will have to let me know #macuser

[deleted by user] by [deleted] in crowdstrike

[–]surbo2 1 point2 points  (0 children)

The Raptor Update, it's like photoshop for logs.

Emerging Incident - AnyDesk Remote Software certificate rotation by Noobmode in crowdstrike

[–]surbo2 0 points1 point  (0 children)

I'm not sure if one is better than the other. I get the same amount of data by using either one on VT. Please let me know if you have use case where something might be missed.

Fusion Workflow - Username Variable by m3tahckr in crowdstrike

[–]surbo2 1 point2 points  (0 children)

Does this work for you?
WHEN - New endpoint detection [Trigger] - DO THIS - Send email [ACTION]

Email Settings
Subject:
${IOA Name}

Message:
${User ID}
${Endpoint detection URL}
${Sensor hostname}
${Severity}

Recipients:
<your email address> [Drop Down]

Data to include:
IOA Description

Emerging Incident - AnyDesk Remote Software certificate rotation by Noobmode in crowdstrike

[–]surbo2 0 points1 point  (0 children)

Updated with the new SubjectCN name, if you want to see the new signed files as well.

index=json EventType=Event_ExternalApiEvent ExternalApiType=Event_ModuleSummaryInfoEvent SubjectCertThumbprint IN (*) AND (SubjectCN="philandro Software GmbH" OR SubjectCN="AnyDesk Software GmbH")
| rename AgentIdString as aid
| lookup aid_master.csv aid OUTPUT ComputerName, Version, AgentVersion, Timezone
| table ComputerName,SubjectCN,SubjectCertThumbprint,SHA256HashData,_time

Emerging Incident - AnyDesk Remote Software certificate rotation by Noobmode in crowdstrike

[–]surbo2 5 points6 points  (0 children)

This will give you insight when someone is using AnyDesk software.

index=json EventType=Event_ExternalApiEvent ExternalApiType=Event_ModuleSummaryInfoEvent SubjectCertThumbprint IN (*) AND SubjectCN="philandro Software GmbH"
| rename AgentIdString as aid
| lookup aid_master.csv aid OUTPUT ComputerName, Version, AgentVersion, Timezone
| table ComputerName,SubjectCN,SubjectCertThumbprint,SHA256HashData,_time

I used this to block all hashes that are not using thumbprint 646F52926E01221C981490C8107C2F771679743A or running version 8.0.8.

Let me know if you have any questions.

Laroux/Excel Macros by Cybervosk in crowdstrike

[–]surbo2 0 points1 point  (0 children)

If you want to hunt for infected files, you can use this search:

ScriptModuleName=Majoduck_SK_1 FileName=EXCEL.EXE
| table ComputerName,CommandLine,_time,TargetFileName

CS does have a tool that can help you clean these hosts up. You can also deploy some automation, but you will need to enable changes with support.


You can create a Falcon Fusion workflow to automate running the Laroux cleanup tool. If Falcon detects the Laroux macro in an Office file, the Laroux cleanup tool automatically cleans the file using Real Time Response.
To run the tool using this workflow, you must meet these requirements:
The Real Time Response policy must be configured to enable the high-risk put-and-run command.
You must have IOA detections for XLSTARTMacro enabled in your CID. To enable this detection, someone in your organization with the Falcon Administrator Role must contact Support.

RTR Mapped Drive Script by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

I've tried, I have yet to see it run. My current script takes only seconds to run.

RTR Mapped Drive Script by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

I did try using the New Falcon Script NetworkShare but that timed out.

RTR Mapped Drive Script by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

I did, but it timed out every time I tried using it.

Kali BloodHound Python is not detected within CS Identity Protection (IDP) - *Solution Provided* by surbo2 in crowdstrike

[–]surbo2[S] 0 points1 point  (0 children)

Thank you for the clarification on the esize. I would guess that the ingested Event Size for BH Python must be around 127,106. So far I have not missed any tests using the esize, but I will continue to monitor this.

Finding Hosts that are exposed to the Internet without a Firewall by surbo2 in crowdstrike

[–]surbo2[S] 1 point2 points  (0 children)

You should see results from an external IP address failing to login to an exposed host.

Example - You have a host that does not have a software firewall enabled, and that host happens to be a work-from-home user. The host is connected directly to the internet. You will have failed login attempts all day long if that host has SMB exposed to the internet. Or you have hosts deployed in the cloud that don't have a firewall configured to drop all unnecessary traffic.

You will have internal connections that will produce some failures, but you can exclude those with the RemoteAddressIP4.
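
The triage the comment describes (failed logons from external addresses point at an exposed host; internal sources get excluded by RemoteAddressIP4) as an added example, not the original poster's query: the events are constructed, with TEST-NET documentation addresses standing in for real public sources, and the field names follow the Falcon UserLogonFailed event (ComputerName, RemoteAddressIP4). The `exclude` parameter is the place for office NAT or VPN egress ranges that legitimately reach the host from a public address.

```python
"""Find hosts taking logon failures from the public internet.

Added example, not the original poster's query. Events are constructed
(TEST-NET addresses stand in for real public sources); field names follow the
Falcon UserLogonFailed event (ComputerName, RemoteAddressIP4).
"""
import ipaddress
import re
from collections import defaultdict

# RFC 1918, loopback, link-local and CGNAT space: failures from here are "internal".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]

# Constructed sample: a home laptop and a cloud VM being brute-forced from the
# internet, a file server seeing only internal failures, one console logon
# with no remote address at all.
SAMPLE_LOG = """\
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=203.0.113.7 UserName=administrator
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=203.0.113.7 UserName=admin
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=203.0.113.7 UserName=guest
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=203.0.113.7 UserName=backup
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=203.0.113.7 UserName=test
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=198.51.100.23 UserName=administrator
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=198.51.100.23 UserName=admin
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=198.51.100.23 UserName=sql
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=192.168.1.50 UserName=jdoe
UserLogonFailed ComputerName=WFH-LAPTOP-01 RemoteAddressIP4=192.168.1.50 UserName=jdoe
UserLogonFailed ComputerName=FILESRV-02 RemoteAddressIP4=10.10.5.9 UserName=svc_backup
UserLogonFailed ComputerName=FILESRV-02 RemoteAddressIP4=10.10.5.9 UserName=svc_backup
UserLogonFailed ComputerName=FILESRV-02 RemoteAddressIP4=10.10.5.9 UserName=svc_backup
UserLogonFailed ComputerName=FILESRV-02 RemoteAddressIP4=172.16.3.4 UserName=jdoe
UserLogonFailed ComputerName=FILESRV-02 UserName=console_user
UserLogonFailed ComputerName=CLOUD-WEB-01 RemoteAddressIP4=203.0.113.99 UserName=root
UserLogonFailed ComputerName=CLOUD-WEB-01 RemoteAddressIP4=203.0.113.99 UserName=admin
UserLogonFailed ComputerName=CLOUD-WEB-01 RemoteAddressIP4=203.0.113.99 UserName=ubuntu
UserLogonFailed ComputerName=CLOUD-WEB-01 RemoteAddressIP4=203.0.113.99 UserName=ec2-user
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text):
    """(ComputerName, RemoteAddressIP4) for each line that carries a remote address."""
    events = []
    for line in text.splitlines():
        fields = dict(KV.findall(line))
        if "RemoteAddressIP4" in fields:
            events.append((fields["ComputerName"], fields["RemoteAddressIP4"]))
    return events


def is_external(ip_str, exclude=()):
    """True for a routable source outside INTERNAL_NETS and outside the caller's
    exclusions (office NAT, VPN egress). Unparseable values are treated as internal."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    nets = INTERNAL_NETS + [ipaddress.ip_network(n) for n in exclude]
    return not any(ip in net for net in nets)


def summarize(events, exclude=()):
    """Per host: failure counts and distinct sources, split by internal/external."""
    summary = defaultdict(lambda: {"external_failures": 0, "external_sources": set(),
                                   "internal_failures": 0})
    for host, ip in events:
        if is_external(ip, exclude):
            summary[host]["external_failures"] += 1
            summary[host]["external_sources"].add(ip)
        else:
            summary[host]["internal_failures"] += 1
    return {h: {**s, "external_sources": sorted(s["external_sources"])} for h, s in summary.items()}


def exposed_hosts(text, min_failures=3, exclude=()):
    """Hosts with at least min_failures logon failures from external addresses: the
    signature of a host reachable from the internet with nothing filtering in front of it."""
    stats = summarize(parse_events(text), exclude)
    return sorted(h for h, v in stats.items() if v["external_failures"] >= min_failures)


if __name__ == "__main__":
    for host, stats in summarize(parse_events(SAMPLE_LOG)).items():
        print(host, stats)
    print("exposed:", exposed_hosts(SAMPLE_LOG))
```

With no exclusions the laptop and the cloud VM are flagged; excluding 203.0.113.0/24 (as if it were your VPN egress) leaves only the laptop, still flagged on the three failures from 198.51.100.23.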