-
A Look at the Vulnerable Internet Through LeakIX
We all know that there are vulnerable things on the internet, but for some reason I’m always left surprised by how many vulnerable or compromised things are floating around out there. During some holiday time off in December, I spent some time getting familiar with the LeakIX.net platform, which provides a front row seat…
-
Honeypot Project – Badpwd.com
I recently built a honeypot with a focus on the capture of passwords that I could use to share results in real-time. I recognize that there are plenty of great honeypots out there (I run an instance of T-POT and am always impressed with how well it was built and all the honeypots it includes),…
-
Akira Ransomware
April 2023 has brought about a new ransom group called Akira. This post serves as a consolidation of public intel to help filter through the searches for Akira that just result in anime :-). IOCs Twitter Posts:
-
ESXArgs Ransomware
My thoughts and observations as I followed this incident and watched it unfold across the internet at the beginning of February. There’s not much that hasn’t already been said by various infosec resources (some links I found useful are shared throughout this post), but here’s my take all the same. What’s Special About It? This…
-
OpenCanary
Spent some time setting up OpenCanary https://github.com/thinkst/opencanary and was impressed with how easy it was to set up. I wanted to add Pushover notification support, and luckily someone shared their setup at https://jasonmurray.org/posts/2022/install-tcanary-ubuntu/. For preservation purposes, I’m copying the entire loggerconfig section that worked for me:
-
Cisco ASA Log Analysis in Elastic
If you’re new to reviewing SIEM logs and you come across a Cisco firewall, you’ll find out that Cisco ASA logs can be challenging to interpret. Unlike most other vendors, Cisco decided to leave out the word “allowed” or “accepted” from log data of allowed traffic. Take a FortiGate firewall for instance: Pretty easy to…
-
.PLAY Ransomware
I came across what appears to be a new ransomware variant last month during an IR engagement (June 2022). While I’m unable to determine attribution or affiliation at this time, my hope is that sharing TTPs and IOCs related to .PLAY ransomware will help other responders and threat researchers map information around this new variant.…
-
GVM 11 Install
Using the following site as my guide, I installed GVM with these commands:
-
Output to web from terminal
I found myself on a terminal console session with no easy way to get output off the machine. I came across dpaste.com and it worked perfectly. In this example, you can replace the find command with whatever you need, and then curl the output as content to the dpaste.com API.
-
Adding a drive in VMware
If you find yourself needing to add an additional drive to VMware, for instance if you have a USB drive attached, enable SSH and then use the following command: Copy the volume label that is returned. Then run the following command: