One of the many reasons I decided to deploy honeypots is to be able to observe attacker tactics, techniques, and procedures (TTPs). This blog post will share a frequently used tactic that attackers use to keep access once they have compromised one of my distributed honeypots. You may benefit from the rest of this content … Read more
Splunk is a software technology that allows you to index, search, analyze, and visualize data at scale. I use it to ingest logs from my honeypots, homelab, and other projects. Initially, I had Splunk running in a local virtual machine where everything was fine except for the downtime, so I rapidly migrated it to an Amazon … Read more
According to a study by NordPass, the average user with an online presence has about 80-100 passwords. This explains to some degree why individuals tend to use easy passwords. Just take a moment to think about how many passwords you have. What’s the current state of your password hygiene? Do you use the same password … Read more
This is the first installment of a spam email series where I investigate what happens when you click on those links we security professionals keep telling you not to click on. I hope it provides some value to someone and keeps one less person from falling prey to these ever-prevalent schemes. Like most of you, … Read more
Meterpreter is an advanced payload within the well-known Metasploit Framework (MSF). We will look specifically at the reverse_https payload and see how we can detect the listener in our environment. I always tell my junior analysts to make sure they can detect the low-hanging fruit. For instance, most tools such as Metasploit and Cobalt Strike … Read more
This blog post is the second installment of a series I want to use to cover lessons learned and interesting observations from my honeypots. These honeypots are geographically dispersed and have been running for a few years. Hopefully, this and future posts will add some value for someone. While looking over some of my honeypot … Read more
Winlogbeat is a lightweight open-source Windows agent that uses the Windows API to ship different event logs to Logstash or Elasticsearch. I have been a Splunk user for quite some time, but I have started to also leverage the Elastic Stack at work and in my home lab. This post is for my reference and anyone trying to configure … Read more
Whenever I want to analyze a relatively small packet capture (PCAP), I load it up in Wireshark and get the job done. However, this process does not scale and becomes a problem with large-sized pcap files. Even if you split, let’s say, a 25 terabyte PCAP up into smaller chunks, can you imagine how long it would … Read more
Cryptocurrencies like Bitcoin and Dogecoin have seen greater adoption by retail and institutional investors over the last year. I’m not going to get into the reasons for this, but the ubiquitous stories of crypto millionaires add to the fear of missing out (FOMO). I use discord for a subset of my online collaboration, and that includes following some cryptocurrency … Read more
I highly recommend using SSH Public Key Authentication and a customized SSH client configuration to ease your everyday SSH workflows. I have more than 10 servers that I manage on a daily basis and using a password for each one would be tedious. Using the same password for all of them is definitely not recommended … Read more