Mike

Some of you may have heard by now that there's a new Microsoft EVTX log going around. In this particular case, it detects attempted exploitation of CVE-2020–0601. Ideally, this source, "Microsoft-Windows-Audit-CVE" could be used to detect the attempted (or actual) exploitation of any

There's really nothing special here except a mildly updated example of the code found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Python_example Basically, updated to python3 due to the impending end-of-life (print() adjustment, and urlencode had changed in

Wireshark on Red Hat Enterprise Linux is, for some reason, about a decade out of date. The current version available via yum install is 1.10.14. This version was released in June 2013, and reached end of life in June 2015. Now, RHEL

From time to time I need to audit a large number of devices for default credentials. I typically use Metasploits http_login module for this. You can pass it a file of rhosts with something like set rhosts file://root/hosts.txt and have

I thought this tweet might make a good blog post. I'm sure everyone in infosec will have their own answers, and all will be, generically, correct. Most of what I've seen is disagreements over one or two of the points, or how to remedy

This appears to be a somewhat recent problem, and when searching for an answer, a lot of posts reference solutions or VMWare KB's that don't help (enabling swap, checking inodes, etc.). This problem appeared somewhere between ESXi-6.7.0-20190104001-standard (Build 11675023) and ESXi-6.7.

TL;DR - I wanted to audit for the presence of a particular username, with a particular password, across every endpoint in our environment. As usual, I had a theory. The theory was that, when we applied LAPS several years ago, there were things

I've been in need of a tool that would take two different sets of port numbers, and subtract one set from the other. This would be similar to comm -13, but would be able to act upon ranges in a list (e.g. 8,

I found a really cool thing several months ago. I was scanning my network from an external perspective (AWS specifically), and found a live host. The very odd thing about this finding is that there were no open ports, no listening services, and ICMP

I'm re-posting something from redleg/Memory Sieve regarding HP firmware upgrades. In their case, it was a matter of not being able to install the latest firmware package. However, in my case I wanted to force the reinstall of the same firmware. This trick

While reviewing Windows RDP event logs for the RDP project, I noticed one in particular. Windows Event ID 1029 can be found under Microsoft-Windows-TerminalServices-RDPClient/Operational.evtx. This event is created on the computer initiating the connection, and contains a hash of the username being

This isn't exactly undocumented, but I definitely feel like it's underdocumented. I've seen the metasploit browser_autopwn feature in the modules in the past, but what I didn't realize until recently is that BeEF integrates directly with Metasploit. There's a lot more metasploit modules

I recently wanted a video of a large amount (lets say 24 hours worth) of footage from my Ubiquiti UniFi camera. If you're doing 24/7 recording, the NVR interface chunks videos into 10 minute segments. You can check multiple videos to download at

I've had the need in the past to run dirb (dirbuster like web directory brute force tool) against a range targets. However, dirb only takes a single host as an argument. It would be pretty easy to wrap it in an loop, but you're

The TL;DR up front, because I hate buried leads. Microsoft created an undocumented API that gave incident handlers, forensic teams, and blue teams a tool that they have long wished for and that Microsoft denied having. This API was known to five major