Posts

DFIR

Decoding OWA Ids in On-Prem Exchange

How to decode OWA Id parameters from IIS logs to extract the PR_ENTRYID and identify specifically which emails were accessed in an on-prem Exchange environment.

May 20, 2025 6 min read
Honeypots

Honeypot Diaries: SSH Authorized Keys

Analyzing threat actor activity and malware observed in geographically dispersed honeypots.

Apr 16, 2023 4 min read
SIEM

Migrating Splunk Storage to S3 SmartStore

A short guide on how I transitioned an existing Splunk deployment to S3 SmartStore to decouple and scale storage.

Apr 01, 2023 6 min read
Information Security

Managing Password Hygiene

Reviewing the current state of password hygiene and why unique, long, and complex passwords are more important than ever.

Mar 01, 2023 4 min read
CryptoCurrency

Email Spam: Forgotten Bitcoin

This post investigates a Bitcoin recovery email scam step-by-step, exposing how it uses Google Apps Script to bypass filters, a chatbot manager persona, and a fraudulent conversion fee to steal funds.

Jan 20, 2023 6 min read
Network Security

Detecting Default Meterpreter HTTPS Listeners

Detecting default Meterpreter HTTPS listeners by fingerprinting TLS certificate metadata, cipher suites, and HTTP response bodies using Nmap, Zeek, Splunk, and Elastic.

Jul 31, 2022 7 min read
Honeypots

Honeypot Diaries: Masscan

A honeypot observations post documenting a threat actor attempting to install and use the masscan port scanner on a compromised host to scan for RDP and SSH targets, with SSH hardening mitigations.

Jun 06, 2022 8 min read
Information Security

Setup and Securing Winlogbeat

Setting up Winlogbeat 8.0 with TLS communication and keystore-based credential management, following the principle of least privilege with role-based API keys.

Feb 21, 2022 8 min read
Information Security

Ingesting PCAP Files with Zeek and Splunk

How to safely ingest and analyze pcap files at scale using Zeek and Splunk.

Feb 01, 2022 8 min read
CryptoCurrency

Cryptocurrency Pump & Dumps

This post exposes cryptocurrency pump-and-dump schemes operating on Discord, explaining how organizers pre-position before signaling group buys of low-cap coins and leave retail participants holding losses.

Jul 22, 2021 3 min read