Wps

DFIR

Decoding OWA Ids in On-Prem Exchange

How to decode OWA Id parameters from IIS logs to extract the PR_ENTRYID and identify specifically which emails were accessed in an on-prem Exchange environment.

May 20, 2025 6 min read
Honeypots

Honeypot Diaries: SSH Authorized Keys

Analyzing threat actor activity and malware observed in geographically dispersed honeypots.

Apr 16, 2023 4 min read
SIEM

Migrating Splunk Storage to S3 SmartStore

A short guide on how I transitioned an existing Splunk deployment to S3 SmartStore to decouple and scale storage.

Apr 01, 2023 6 min read
Information Security

Managing Password Hygiene

Reviewing the current state of password hygiene and why unique, long, and complex passwords are more important than ever.

Mar 01, 2023 4 min read
CryptoCurrency

Email Spam: Forgotten Bitcoin

This post investigates a Bitcoin recovery email scam step-by-step, exposing how it uses Google Apps Script to bypass filters, a chatbot manager persona, and a fraudulent conversion fee to steal funds.

Jan 20, 2023 6 min read
Network Security

Detecting Default Meterpreter HTTPS Listeners

Detecting default Meterpreter HTTPS listeners by fingerprinting TLS certificate metadata, cipher suites, and HTTP response bodies using Nmap, Zeek, Splunk, and Elastic.

Jul 31, 2022 7 min read
Honeypots

Honeypot Diaries: Masscan

A honeypot observations post documenting a threat actor attempting to install and use the masscan port scanner on a compromised host to scan for RDP and SSH targets, with SSH hardening mitigations.

Jun 06, 2022 8 min read
Information Security

Setup and Securing Winlogbeat

Setting up Winlogbeat 8.0 with TLS communication and keystore-based credential management, following the principle of least privilege with role-based API keys.

Feb 21, 2022 8 min read
Information Security

Ingesting PCAP Files with Zeek and Splunk

How to safely ingest and analyze pcap files at scale using Zeek and Splunk.

Feb 01, 2022 8 min read
CryptoCurrency

Cryptocurrency Pump & Dumps

This post exposes cryptocurrency pump-and-dump schemes operating on Discord, explaining how organizers pre-position before signaling group buys of low-cap coins and leave retail participants holding losses.

Jul 22, 2021 3 min read
System Administration

Better Secure Shell (SSH)

This post covers hardening SSH workflows by generating ed25519 and RSA key pairs, deploying public keys, and configuring an SSH client config file with per-host identity files and strong cipher settings.

Feb 01, 2021 3 min read
Network Security

Detecting Tor communication

A guide to creating inverse Suricata IDS rules from Proofpoint Emerging Threats Tor signatures using sed and regex, enabling detection of outbound connections from internal hosts to Tor relays.

Dec 31, 2020 2 min read
System Administration

Using DoD Root Certificates with Git

This post explains how to convert DoD root certificates from DER to PEM format and configure Git on Linux to use them for TLS verification when cloning from DoD-hosted repositories.

Nov 16, 2020 3 min read
Honeypots

Honeypot Diaries: Dota Malware

A deep dive into detecting and analyzing the Dota malware campaign.

Nov 01, 2020 8 min read
Information Security

Blue Team Tactics: Honey Tokens Pt. III

The final installment of the honey tokens series, covering multiple methods to centralize Windows Event ID 4663 audit logs including PowerShell, WEF, Splunk Universal Forwarders, and Splunk search queries.

Oct 01, 2020 6 min read
Automation

Blue Team Tactics: Honey Tokens Pt. II

Part two of the honey tokens series covering PowerShell-based token deployment, validating audit ACL settings, and testing adversary interaction detection via PowerShell remoting, RDP, and Meterpreter process injection.

Sep 01, 2020 7 min read
Automation

Load Balancing a Splunk Search Head Cluster

A guide to using an Ansible playbook to deploy and configure Nginx as a TLS-terminating load balancer in front of a Splunk Search Head Cluster for high availability and a single user entry point.

Jul 31, 2020 3 min read
SIEM

FreeIPA integration with Splunk

This post walks through integrating Splunk authentication with FreeIPA LDAP by creating a bindDN system account and configuring LDAP settings in both the Splunk web UI and an authentication.conf app.

Jun 30, 2020 4 min read
Automation

Blue Team Tactics: Honey Tokens Pt. I

Part one of a series on deploying honey token files in a Windows enterprise environment, covering GPO-based file system auditing, creating pseudo sensitive files, and configuring audit ACL templates.

Jun 01, 2020 4 min read
Network Security

DIY IP Threat Feed

This post describes building a DIY IP threat feed by aggregating honeypot SSH login data in Splunk, enriching it with geo and reputation context, and exporting it as a regularly updated CSV blacklist.

Apr 30, 2020 3 min read
System Administration

Deploying Splunk Universal Forwarders via GPO

A guide to deploying the Splunk Universal Forwarder across Windows endpoints using a Group Policy Object and an Orca-generated MST transform file containing the deployment server and credentials.

Mar 28, 2020 3 min read
DFIR

A Tale of an MSBuild In-Line Task

This post covers an incident response analysis of a malicious MSBuild in-line task file containing an embedded Cobalt Strike beacon DLL, including the method used to extract and statically analyze the payload.

Feb 26, 2020 2 min read
Software Development

Stack Smashing at Home

A practical guide to disabling GCC and Linux kernel security protections including SSP, ASLR, exec-shield, and SELinux to reproduce wargame buffer overflow challenges in a local lab environment.

Jan 19, 2020 6 min read
Automation

Ansible User Account Provisioning

This post shows an Ansible playbook for automating new Linux host provisioning by creating user accounts, configuring sudoers, and deploying SSH public keys across home lab and cloud systems.

Dec 20, 2019 2 min read
Home Lab

Replacing the Default Splunk Web SSL Certificate

A step-by-step guide to generating an OpenSSL CSR, signing it with a pfSense Root CA, and configuring Splunk Web to use the resulting certificate chain via web.conf.

Nov 06, 2019 2 min read
System Administration

Working with Raw LVM Disk Images

This post demonstrates how to mount and unmount raw disk images containing LVM partitions on Linux using udisksctl, vgchange, and dmsetup, useful for CTF and DFIR analysis scenarios.

Aug 18, 2019 2 min read
System Administration

Slackware LVM over LUKS

A step-by-step guide to installing Slackware with full disk encryption using LUKS over LVM, covering disk sanitization, partition setup, volume group creation, and initrd configuration for UEFI boot.

Jun 16, 2019 6 min read
System Administration

Using NetworkManager with DNSMasq and Slackware

This post describes recompiling dnsmasq with D-Bus support on Slackware 14.2 by patching the Makefile and SlackBuild, enabling NetworkManager to manage dnsmasq as its DNS backend.

Jun 02, 2019 3 min read
Home Lab

Migrating and Upgrading Apache Guacamole to Docker

A walkthrough of migrating Apache Guacamole from a standalone install to a Docker Compose microservices setup with MariaDB, guacd, and guacamole containers, including database schema upgrade steps.

Mar 21, 2019 5 min read
System Administration

AutoFS with DHCP Classless Static Route Option

This post covers configuring AutoFS on Slackware to dynamically mount NFS and CIFS shares and using a Python script to generate RFC 3442 classless static route hex values for pfSense DHCP.

Mar 07, 2019 4 min read
Technology

Using Physical Security Keys with Slackware Linux

A short guide to configuring a YubiKey hardware security key on Slackware Linux by creating a udev rule with the correct idVendor, idProduct, group, and mode attributes.

Oct 30, 2018 2 min read
System Administration

Using OpenSSL and pfSense to sign a Subordinate Windows Enterprise Certificate Authority

This post explains how to use OpenSSL on pfSense to sign a Windows Enterprise Subordinate CA certificate signing request, including the openssl.conf setup and CRL distribution requirements.

Oct 18, 2018 4 min read
Binary Exploitation

Handcrafting Linux Shellcode

A tutorial on writing 32-bit Linux shellcode from scratch using NASM assembly, covering execve system call conventions, stack-based string construction, bad character avoidance, and opcode extraction.

Jul 28, 2018 8 min read
System Administration

Mounting NFS Shares in Windows Using Identity Mapping

A guide to mounting NFS shares on Windows 10 with read/write access using UID/GID identity mapping via local passwd and group files, improving on the less secure anonymous mount approach.

Jun 16, 2018 2 min read
SIEM

Tracking SSH Brute-force Logins with Splunk

This post demonstrates using Splunk field extraction and search queries to track SSH brute-force login attempts, identifying the top attacking usernames and source IP addresses via dashboards.

Jun 13, 2018 3 min read
Home Lab

Raspberry Pi Centralized Log Server

A guide to configuring a Raspberry Pi as a centralized syslog server using rsyslog with per-host log files, log rotation, and forwarding configuration for syslog, rsyslog, and syslog-ng clients.

May 13, 2018 3 min read
Reverse Engineering

ELF Binary Disassembly

A detailed walkthrough of reverse engineering a 32-bit ELF binary by analyzing its objdump disassembly output in AT&T syntax, reconstructing stack frames, loops, and C source code from opcodes.

Mar 26, 2018 14 min read
Home Lab

IBM M1015 9220-8i cross-flashed to LSI 9211-8i IT mode

A step-by-step guide to cross-flashing an IBM M1015 RAID card to LSI 9211-8i IT mode firmware using FreeDOS and UEFI, covering common errors and the BIOS/UEFI combination approach.

Mar 23, 2018 3 min read
CryptoCurrency

Scams in the Crypto Coin Space

This post exposes a Twitter-based Ethereum giveaway scam impersonating Binance, walking through the social engineering tactics and fake account indicators used by the fraudsters.

Feb 27, 2018 1 min read
Technology

Running an Authoritative DNS Server

This post covers running a self-hosted BIND9 authoritative DNS server on FreeBSD, with examples of reconnaissance attempts seen in query logs and Splunk-based analytics.

Feb 19, 2018 3 min read
Information Security

Michael Edie (tankmek)

An introductory post where the author introduces himself and announces the start of his blog covering security and technology topics.

Dec 03, 2017 1 min read