About dkrull

dkrull · 08-14-2020

What is a RAT?Create A Profile:Wrap Up What's worse than a RAT? Multiple! What is a RAT? RATs are also known as Remote Access Trojans. They allow attackers to place backdoors on infected system. This gives them a foothold into your environment to f...

dkrull · 07-08-2020

Overview URL Rewrite Enable Directory BrowsingWorking with Harden Windows IIS Servers Overview In this guide will we be taking a look at how to configure the web.config file using the URL Rewrite tool when deploying the TETRA update server. ...

dkrull · 07-07-2020

Quick Overview of TETRA on AMP for EndpointsTETRA AV Signature Bandwidth ConsumptionQuick Overview of ETHOS, SPEROS, DFC and SHA256 LookupETHOS, SPEROS, DFC and SHA256 Lookup Bandwidth ConsumptionConsiderationsTETRAETHOS, SPEROS, DFC and SHA256 Looku...

dkrull · 07-06-2020

Getting StartedPrerequisitesFinding your Orbital CloudGenerate your API CredentialsUsing PythonGenerate your TokenConfirming your token is validCreating a QueryChecking a JobConclusion Getting Started You will need to make sure that you have Orbit...

dkrull · 10-27-2020

Greetings, You will need to update to a newer software version to mitigate this issue depending on your software version (IOS/IOS XE/NX-OS/NX-OS ACI). You can check to see if a new version is affected by using the Cisco IOS and IOS XE Software Chec...

dkrull · 10-05-2020

There's not a good way to get both since the query will return the 'messages' in a single column you wont be able to tell them apart without checking each one. However, here is the query that will return both. You may want to do this query from the A...

dkrull · 10-05-2020

Greetings SteveZelik48355,You would need to create a custom query to filter those particular Login types. Orbital Already has one that will pull all 4624 events. You can use the 'NewCredentials Windows Event Logs' as a base template and modify it as...

dkrull · 10-02-2020

Greetings kevdpc,Long story short you mention that this is a file server for VMs which I would image there is quite a lot of disk I/O as devices or VMs access their need files for daily operation. This would cause AMP to scan or monitor those files a...

dkrull · 09-21-2020

Greetings VladBulai02437,Please reach out to Cisco TAC and provide a sample of the file for False Positive identification. However, this alert does not look like it stating that Chrome.exe is malware but a file called 'a6c9e967-66ea-41d7-a82d-ead1a...

Member Since	‎10-16-2015 01:45 PM
Date Last Visited	‎02-14-2021 03:48 PM
Posts	20
Total Helpful Votes Received	52

User Statistics

User Activity

Orbital Query Corner - Hunting RATs

Companion Guide for TETRA Update Server Deployment

AMP for Endpoints Bandwidth Consumption and Considerations

Working with Orbital API

Re: BUG CSCsm45390 and CSCuw77959

Re: Have Orbital Search pull a specific event id and logon type

Re: Have Orbital Search pull a specific event id and logon type

Re: Cisco AMP CPU usage

Re: Google Chrome update detected as Malware