Honeypot Diaries: Masscan

This blog post is the second installment of a series I want to use to cover lessons learned and interesting observations from my honeypots. These honeypots are geographically dispersed and have been running for a few years. Hopefully, this and future posts will add some value for someone. While looking over some of my honeypot … Read more

Setup and Securing Winlogbeat

Winlogbeat is a lightweight open-source Windows agent that uses the Windows API to ship different event logs to Logstash or Elasticsearch. I have been a Splunk user for quite some time, but I have started to also leverage the Elastic Stack at work and in my home lab. This post is for my reference and anyone trying to configure … Read more

Blue Team Tactics: Honey Tokens Pt. II

This is a multipart blog post, read part one and then continue here. We enabled filesystem auditing, created our audit template, and staged our honey tokens for deployment in part one. In part two, we will deploy the honey tokens and identify various methods for monitoring adversary interaction. Deploying honey tokens using PowerShell (PoSh) I … Read more

Mounting NFS Shares in Windows Using Identity Mapping

Before we begin let us enable Services for NFS and both Sub Features. The typical way you will see an NFS share mounted in Windows involves mounting the remote file system using the anonymous (anon) user: mount -o anon \\192.168.28.155\mnt\NAS0\media G: This will give you read only access based on the configured permissions of the … Read more

Raspberry Pi Centralized Log Server

Setting up a Pi to be a centralized log store is amazingly simple. If you are using Raspbian it comes with rsyslog installed by default, so all that’s left is to setup the config and tailor log rotation. First, you should create a directory under /var/log for all the remote logs. sudo mkdir /var/log/central Then edit the … Read more