This is applicable. We also periodically have trainings at Fal.con and other events. If you want to super-charge your learning, and your organization is willing to invest in you, we have a catalog of trainings and certifications.
Yup! It's the name of a book :)
The second author, Alex Ionescu, is a founding member of CrowdStrike and Mark Russinovich is an OG MSFT legend.
There was a new attack vector discovered using local websockets for local installs of Log4j-core. Is this something that has been added to the CS tuning for detections?
https://www.blumira.com/analysis-log4shell-local-trigger/
*disclosure: I’m with Cybereason product*
On the prevention / NGAV front, this has been a continued focus area and we’re showing strong results across a growing number of third-party evaluations. Here’s AV-Comparatives, which highlights our level of protection -- without high rates of false positives.
Although it feels like AV is commoditized, there’s a lot of white space for innovation... Adversaries are still cost-effective vs "modern" ML-based detection with fileless & obfuscation. For example, Cobalt Strike w/encodings and fuzzyness bypasses today’s prevention way more than it should. We'll be releasing capabilities that tackle this in a novel way this fall.
OP, DMed you with some interesting info.
Only 80 machines? You can do everything yourself using FOSS tools and having some concrete playbooks. I have no attribution to the following:
https://wazuh.com/
https://www.ossec.net/docs/docs/manual/ar/index.html
/u/lelwin -- It can, but honestly we're a legacy AV replacement in its entirety. There are many organizations that run a static scanning element like what you're describing on top of CrowdStrike NGAV with all detection/prevention and quarantining enabled.
Fun fact, with the Hybrid-Analysis system, our free service supports any kind of PE (.exe, .scr, .pif, .dll, .com, .cpl, etc.), Office (.doc, .docx, .ppt, .pps, .pptx, .ppsx, .xls, .xlsx, .rtf, .pub), PDF, APK, executable JAR, Windows Script Component (.sct), Windows Shortcut (.lnk), Windows Help (.chm), HTML Application (.hta), Windows Script File (.wsf), Javascript (.js), Visual Basic (.vbs, .vbe), Shockwave Flash (.swf), Perl (.pl), Powershell (.ps1, .psd1, .psm1), Scalable Vector Graphics (.svg), Python (.py) and Perl (.pl) scripts, Linux ELF executables, MIME RFC 822 (.eml), Microsoft Installer packages (.msi) and Outlook .msg files.
We also include convenient "Quick Scan" endpoints that perform CrowdStrike Falcon Static Analysis (ML) and e.g. Metadefender AV scans rapidly. To do bulk scans, utilize the 'scan_file' CLI of the VxAPI Python API connector or utilize the Quick Scan endpoints directly.
TL;DR: We can read zip files if you upload them
https://github.com/PayloadSecurity/VxAPI https://www.hybrid-analysis.com/docs/api/v2#/Quick_Scan
Hey /u/lelwin -- CrowdStrike is a scanless technology. Imagine every time a process executes, the analysis and protection is done in real time. We then ship this metadata up to the cloud for further analysis; that endpoint detection and response (EDR) data is used to power the UI and auxiliary modules and services.
Do you have a unique file or folder you think has something malicious in it? If you want to run a file through our systems for analysis you can manually upload the file internally via Falcon X or use Hybrid-Analysis as a free service.
Let us know if you have any further questions.
Regards,
BradW@CS
.*(\tor.exe).*
.*((?i)speedifyui.exe|betternet.exe|bdvpnservice.exe|openvpn.exe|speedifyui.exe|vpnsvc.exe|hamachi-2.exe|mudflow.exe|nordvpn.exe|nordvpn-service.exe|wv2ray.exe|vpnclient_x64.exe|vpnserver_x64.exe|surfshark.exe|vpngame.exe|pia-service.exe|RvRvpnGui.exe|ProtonVPNService.exe|SurfEasyVPN.exe|Speedify.exe|AdVpnService.exe|hola_svc.exe|alk2MVpnService.exe|expressvpn-browser-helper.exe|ExpressVPNNotificationService.exe|ExpressVPNNotificationServiceStarter.exe|NEGui.exe|Talk2MVpnService.exe).*
and
.*torrent.*
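The patterns above are the kind of image-name regexes people drop into a custom IOA or similar process-execution rule. As an added example (not code from the post or from CrowdStrike), the block below runs them against a handful of constructed process paths and shows two things a practitioner would want to check before deploying them: the leading `\` in `(\tor.exe)` reads as an attempt to anchor on the path separator, but in every common regex flavour `\t` is a TAB, so the posted form never matches a real `...\tor.exe` path; and an unanchored, unescaped `tor.exe` also fires on `monitor.exe`. The tuned versions escape the dots, match a literal backslash, anchor at end of string and move `(?i)` to the front (Python 3.11+ rejects a global flag placed mid-pattern). The sample paths, the `classify`/`sweep` helpers and the decision to keep `torrent` unanchored are all assumptions made here.

```python
import re
from typing import Optional

# Constructed sample of process image paths (not real telemetry).
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Tor Browser\Browser\TorBrowser\Tor\tor.exe",
    r"C:\Program Files\NordVPN\nordvpn-service.exe",
    r"C:\Program Files\OpenVPN\bin\openvpn.exe",
    r"C:\Downloads\ubuntu-22.04.iso.torrent",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Users\bob\Desktop\monitor.exe",   # contains "tor.exe" as a substring; must NOT hit
]

# The VPN client names from the posted alternation (duplicate speedifyui.exe dropped).
VPN_NAMES = [
    "speedifyui.exe", "betternet.exe", "bdvpnservice.exe", "openvpn.exe", "vpnsvc.exe",
    "hamachi-2.exe", "mudflow.exe", "nordvpn.exe", "nordvpn-service.exe", "wv2ray.exe",
    "vpnclient_x64.exe", "vpnserver_x64.exe", "surfshark.exe", "vpngame.exe",
    "pia-service.exe", "RvRvpnGui.exe", "ProtonVPNService.exe", "SurfEasyVPN.exe",
    "Speedify.exe", "AdVpnService.exe", "hola_svc.exe", "alk2MVpnService.exe",
    "expressvpn-browser-helper.exe", "ExpressVPNNotificationService.exe",
    "ExpressVPNNotificationServiceStarter.exe", "NEGui.exe", "Talk2MVpnService.exe",
]

# Tuned patterns (assumed rewrite of the posted ones):
#   - (?i) at the very start: Python 3.11+ raises re.error for a global flag elsewhere
#   - "\\" in the raw string is one literal backslash, i.e. the path separator;
#     the posted "\t" would be a TAB character instead
#   - re.escape() so "." in "tor.exe" only matches a dot
#   - "$" so the name must be the final path component
TOR_RE = re.compile(r"(?i)\\tor\.exe$")
VPN_RE = re.compile(r"(?i)\\(" + "|".join(re.escape(n) for n in VPN_NAMES) + r")$")
# Kept unanchored on purpose: the post's .*torrent.* catches both client binaries
# (e.g. utorrent.exe) and .torrent files.
TORRENT_RE = re.compile(r"(?i)torrent")


def classify(path: str) -> Optional[str]:
    """Return 'tor', 'vpn', 'torrent' or None for one process image / file path."""
    if TOR_RE.search(path):
        return "tor"
    if VPN_RE.search(path):
        return "vpn"
    if TORRENT_RE.search(path):
        return "torrent"
    return None


def sweep(paths) -> dict:
    """Map every path that hits one of the tuned patterns to its category."""
    return {p: c for p in paths if (c := classify(p)) is not None}


def posted_tor_pattern_demo() -> dict:
    """Show the \\t trap: the pattern literally as posted (minus the surrounding .*)."""
    posted = re.compile(r"(\tor.exe)")   # regex \t == TAB, not a backslash + 't'
    return {
        # a genuine ...\Tor\tor.exe path contains no TAB, so the posted pattern misses it
        "matches_real_tor_path": bool(posted.search(SAMPLE_PATHS[0])),
        # ...but it does match a TAB followed by "or.exe"
        "matches_tab_plus_or": bool(posted.search("\tor.exe")),
    }


if __name__ == "__main__":
    for p, c in sweep(SAMPLE_PATHS).items():
        print(f"{c:8s} {p}")
    print(posted_tor_pattern_demo())
```

When porting this to a product's own rule language, check that engine's escaping rules separately: the TAB reading of `\t` is shared by PCRE, .NET, Java, JavaScript and Python, but anchoring and inline-flag placement differ, so test each rule against a known-good path and a known near-miss like `monitor.exe` before enabling it.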