One of the many reasons I decided to deploy honeypots is to be able to observe attacker tactics, techniques, and procedures (TTPs). This blog post will share a frequently used tactic that attackers use to keep access once they have compromised one of my distributed honeypots. You may benefit from the rest of this content … Read more
According to a study by NordPass, the average user with an online presence has about 80-100 passwords. This explains to some degree why individuals tend to use easy passwords. Just take a moment to think about how many passwords you have. What’s the current state of your password hygiene? Do you use the same password … Read more
This blog post is the second installment of a series I want to use to cover lessons learned and interesting observations from my honeypots. These honeypots are geographically dispersed and have been running for a few years. Hopefully, this and future posts will add some value for someone. While looking over some of my honeypot … Read more
Winlogbeat is a lightweight open-source Windows agent that uses the Windows API to ship different event logs to Logstash or Elasticsearch. I have been a Splunk user for quite some time, but I have started to also leverage the Elastic Stack at work and in my home lab. This post is for my reference and anyone trying to configure … Read more
This is a multipart blog post, read part one and then continue here. We enabled filesystem auditing, created our audit template, and staged our honey tokens for deployment in part one. In part two, we will deploy the honey tokens and identify various methods for monitoring adversary interaction. Deploying honey tokens using PowerShell (PoSh) I … Read more
Before we begin let us enable Services for NFS and both Sub Features. The typical way you will see an NFS share mounted in Windows involves mounting the remote file system using the anonymous (anon) user: mount -o anon \\192.168.28.155\mnt\NAS0\media G: This will give you read only access based on the configured permissions of the … Read more
Setting up a Pi to be a centralized log store is amazingly simple. If you are using Raspbian it comes with rsyslog installed by default, so all that’s left is to setup the config and tailor log rotation. First, you should create a directory under /var/log for all the remote logs. sudo mkdir /var/log/central Then edit the … Read more