Mike

I have, for a long time, been watching my logs for unusually long command line artifacts. Something suspicious doesn't have to be long, but except for a few well-known and easily ignored applications, most long command lines are suspicious. For example, imagine you came across this in your logs: Suspicious,

I'm sure the first thing you're asking yourself is why. Stubbornness is your answer. I was playing with Zeek at home (if you want to get started, check out Zeekurity Zen on Eric Ooi's page, quality stuff) and built everything on Ubuntu 20.04. I decided I wanted to add

Plus CloudFlare and proper LetsEncrypt CertsI got bored and decided to play with a cloud-hosted Foundry VTT server. They have some great guides for getting started with some of these. I could get a little more bang for my buck though if I went with Amazon Lightsail. Lightsail is basically

Just notes because every forum post I came across for this was 10 years old, and all the references and links were out of date. Once you find the files, there's nothing difficult here. From the Wiki "MrSID (pronounced Mister Sid) is an acronym that stands for multiresolution seamless image

I've spent some time searching for an additional IR illuminator to supplement my security cameras. For those of you not familiar with what these are, the IR lights (or near-infrared, 850nm) on your camera are what allows it to see in the dark. Most cameras have decent lights, especially for

Very quick post, mostly notes for myself. When using Volatility 3 you might noticed that some plugins cannot be loaded # ./vol.py -h [...] The following plugins could not be loaded (use -vv to see why): volatility.plugins.windows.cachedump, volatility.plugins.windows.callbacks, volatility.plugins.windows.hashdump, volatility.plugins.windows.

It's been a while since I have posted anything, and today I ran across a Tweet and had a conversation that I thought would make a perfect subject. It begins with "A mini thread: I periodically see folks suggest that to prevent weak passwords you should dump AD and compare

Updated: 29 May 2020 @ 13:25 UTC - Added additional Pipal analysis.This is the first of my "Password Analysis" posts that I've published, but the second one I've written. I started with 000webhost, but had not completed that when this breach hit. This one is more relevant at the

Update 27 May 2020 @ 13:17 UTC - See bottomUpdate 27 May 2020 @ 19:48 UTC - Related post analyzing passwords in use: https://nullsec.us/livejournal-password-analysis/ There's a lot of talk about the LiveJournal breach going on right now. I wasn't too surprised to receive the HIBP email, I

I'm a huge fan of https://makemeapassword.ligos.net/generate/readablepassphrase, and regularly advise people to use it when generating passwords that need to be memorized or typed frequently. However, there's been numerous times people have expressed concerns that they're effectively generating passwords on someone else's computer. This is (typically)

I wanted to address a tweet posted today by the UK's National Cyber Security Centre advising people to use three random words as a passphrase. When choosing your password, use #threerandomwords: memorable but not easy to guess, a good compromise between protection and usability https://t.co/6pEf004ohb pic.twitter.

There's a lot of useless posts going around about this right now. I hope mine is a little more useful since most of these don't mention if this is being exploited in the wild. TL;DR - no, it isn't, no need to panic right now. Keep an eye on

Or "Microsoft SQL Express and the Truly Terrible, Just Awful, No Good Downloader"TL;DR up front. On a secondary machine/VM, setup a Burp proxy to use the non-localhost interface (192.168.1.230 in my case) as a proxy. Turn off interceptOn your Windows system, set Internet Properties

Update: This event appears for both binaries and websites in build 1809 and 1909, but only for binaries in 1903 (not web). So if you're looking for this event and not finding it, that may be why. I have not confirmed this myself, so if someone else comes across this,

There's really nothing special here except a mildly updated example of the code found here: https://docs.splunk.com/Documentation/Splunk/8.0.1/RESTTUT/RESTsearches#Python_example Basically, updated to python3 due to the impending end-of-life (print() adjustment, and urlencode had changed in Python3). While I was at it,

Wireshark on Red Hat Enterprise Linux is, for some reason, about a decade out of date. The current version available via yum install is 1.10.14. This version was released in June 2013, and reached end of life in June 2015. Now, RHEL might be back-porting security patches (I'm

From time to time I need to audit a large number of devices for default credentials. I typically use Metasploits http_login module for this. You can pass it a file of rhosts with something like set rhosts file://root/hosts.txt and have it check numerous systems quickly. However,

I thought this tweet might make a good blog post. I'm sure everyone in infosec will have their own answers, and all will be, generically, correct. Most of what I've seen is disagreements over one or two of the points, or how to remedy a point, or the implementation. What

This appears to be a somewhat recent problem, and when searching for an answer, a lot of posts reference solutions or VMWare KB's that don't help (enabling swap, checking inodes, etc.). This problem appeared somewhere between ESXi-6.7.0-20190104001-standard (Build 11675023) and ESXi-6.7.0-20190404001-standard (Build 13473784). When updating via

TL;DR - I wanted to audit for the presence of a particular username, with a particular password, across every endpoint in our environment. As usual, I had a theory. The theory was that, when we applied LAPS several years ago, there were things that got missed (as their always