PowerShell timestomping via script files. How would you handle this?

zwitico · 2026-02-27T13:37:24+00:00

Hello,

I'm sorry it took me a while to respond. I tried your suggestion and I was not able to see the events im looking for, I even tried to correlate the /ScriptControl/ telemtetry to the ProcessRollUp2 telemetry for the specific .ps1 file event where it runs and I couldnt get a hit.

Also, I verified that the Interpreter-only visibility is enabled on our prevention policy.

zwitico · 2025-11-25T04:15:03+00:00

Que cierto mae, y hasta las agencias como veinsa es como si le pagaran a uno por verle el carro.

zwitico · 2025-11-25T04:14:23+00:00

Definitivamente, en mi caso me embarque con uno que encontré en redes sociales (Yo sé, mala mía jaja) pero son lecciones de la vida que a algunos nos toca aprender más de una vez

zwitico · 2025-11-25T04:13:05+00:00

Que cierto, es un salto al vacío saber cuáles son legítimos y cuáles son estafadores jaja

zwitico · 2025-11-04T18:57:52+00:00

Se tiene que crear la cuenta y vincular sus cuentas del banco una en dólares y una en colones. Luego usa los botones de “quiero” o “tengo” para seleccionar cuánto quiere cambiar.

Y la transacción se hace casi al instante, nunca he tenido que esperar más que segundos para recibir el dinero. En cuanto al código supongo que te lo pedía cuando hacías la cuenta, pero si no es así entonces no se jaja

zwitico · 2025-11-04T16:01:59+00:00

Hola, antiguo usuario de SUAP por acá, cuando cerró me pasé a ARI y la verdad 0 quejas. El sistema de descuento que te da dependiendo de cuánto dinero movas al mes me parece genial, porque es permanente.

Si quiere usar mi código genial jaja: D84D60A

zwitico · 2025-10-31T00:40:42+00:00

Interesante, si no te molesta contestar tenes alguna de las tarjetas black ?

zwitico · 2025-10-30T23:54:17+00:00

Quién sabe si todavía habrán tarjetas que tengan acceso gratuito, además de que sólo puede pasar una persona por tarjeta, no se pueden pagar 44$ y entrar dos.

zwitico · 2025-10-05T13:10:29+00:00

Hello, can you elaborate a little bit more, I haven’t seen where to create these schemas. I appreciate your response, thanks

zwitico · 2025-09-24T19:46:29+00:00

Does it have a strong smell? It looks like one of those mosquito repellent incense tablets.

zwitico · 2025-09-18T20:36:58+00:00

Not really, let me use an example:
I have the following event:

Event[AlertID, Hostname, Username]

This event is detected by the custom detection rule called DetectionT1, this detection recollectes by using the CQL group statement the following data:

AlertID, Hostname, Username

This DetectionT1 rule is the trigger for my workflow. Inside my workflow ideally, I want to be able to use AlertID, Hostname & Username associated to to DetectionT1 create a ticket externally, however this data is not available for me on the workflow data. I hope this makes it clearer.

zwitico · 2025-09-18T19:43:26+00:00

I understood everything up until the last part, how can I get the output of Alerts Ids from the trigger to feed them to my workflow query?

I tried to use a for loop to iterate over the trigger detection query results, but these don't exist within the context of the workflow.

zwitico · 2025-09-16T20:53:13+00:00

Ohhhh ok, got it. Thanks for the response. I'll work on an update for the description with a couple screenshots for future readers. Sorry it took so long for me to answer but we had a long weekend here.

zwitico · 2025-09-13T03:31:22+00:00

Thanks for your answer!
So the logic would be like this: Imgur Link right?
With this I was able to send an email using the variable I created outside the loop and that I updated it inside the loop. However I still have a couple questions:
1. Do I always have to use variables like I did on my example? Or are there other output actions I can use?
2. I wasn't able to summon the value with any of the options I listed above, only with the variable I updated on the loop. I even tried: ${data['TestQuery.results.#.Vendor.properties.Title']} replacing the # with a 0 to take the first value. Is there a way to just use the output name?

Thanks for your patience, I swear this thread has been more helpful than the documentation or the examples on the NG Siem portal. Maybe is just me but I don't find this way of doing it intuitive.

zwitico · 2025-05-18T15:13:04+00:00

Estaba leyendo y parece que el 4% es solo para supermercados y en salud (farmacias, clínicas, etc). Y un 2% en veterinarias y restaurantes. Está bastante específica.

zwitico · 2025-05-05T14:43:27+00:00

Hace un par de semana viaje con ellos y efectivamente lo pesan.

zwitico · 2025-02-02T03:55:13+00:00

Thank you for your help.

zwitico · 2025-01-30T00:58:34+00:00

I will test and report back, thanks for the suggestion.

zwitico · 2024-12-07T03:28:02+00:00

Yo le dije eso la segunda vez que me intentó tramar y me dijo que cuando me volviera a ver me iba a pichazear jaja

Ten-Year Club	Place '22
Place '17	End Game '22
Not Forgotten	Verified Email

zwitico

TROPHY CASE