Blue Team
Honeypot Diaries: SSH Authorized Keys
Analyzing threat actor activity and malware observed in geographically dispersed honeypots.
Honeypot Diaries: Masscan
Honeypot observations of a threat actor attempting to install and run the masscan port scanner on a compromised host to scan for RDP and SSH targets, followed by SSH hardening mitigations.
Ingesting PCAP Files with Zeek and Splunk
How to safely ingest and analyze pcap files at scale using Zeek and Splunk.
Detecting Tor communication
A guide to creating inverse Suricata IDS rules from Proofpoint Emerging Threats Tor signatures using sed and regex, enabling detection of outbound connections from internal hosts to Tor relays.
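As an added illustration of the inversion described above (not code from the original post), the following POSIX shell script flips the direction of ET-style Tor relay rules, which fire on traffic from listed relay addresses to `$HOME_NET`, so that they instead fire on traffic from `$HOME_NET` to those addresses. The two rules in `SAMPLE_RULES` are constructed in the ET TOR format with hypothetical sids; the `LOCAL TOR Outbound to` message prefix and the `SID_OFFSET` used to keep the new sids from colliding with the originals are assumptions, so pick a range your ruleset does not already use.

```shell
#!/bin/sh
# Added example: invert ET-style Tor relay rules (relay -> $HOME_NET) into
# outbound rules ($HOME_NET -> relay). Not the original post's script.

# Offset added to each original sid so the inverted rule gets a unique sid
# (the value is an assumption; choose a free range in your deployment).
SID_OFFSET=1000000

# Constructed sample in ET TOR rule format; the sids are hypothetical.
SAMPLE_RULES='# constructed sample, not a real ET ruleset
alert ip [192.0.2.10,198.51.100.7] any -> $HOME_NET any (msg:"ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 1"; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520000; rev:1;)
alert ip [203.0.113.5] any -> $HOME_NET any (msg:"ET TOR Known Tor Exit Node Traffic group 1"; threshold: type limit, track by_src, seconds 60, count 1; classtype:misc-attack; sid:2520001; rev:1;)'

# invert_tor_rule RULE
# Swaps the source and destination address/port pairs around "->", rewrites
# the msg prefix, and offsets the sid. Address lists in ET rules contain no
# spaces, so each field can be matched as a run of non-space characters.
invert_tor_rule() {
    rule=$1
    sid=$(printf '%s\n' "$rule" | sed -E 's/.*sid:([0-9]+);.*/\1/')
    newsid=$((sid + SID_OFFSET))
    printf '%s\n' "$rule" | sed -E \
        -e 's/^(alert [a-z]+) ([^ ]+) ([^ ]+) -> ([^ ]+) ([^ ]+) /\1 \4 \5 -> \2 \3 /' \
        -e 's/msg:"ET TOR /msg:"LOCAL TOR Outbound to /' \
        -e "s/sid:[0-9]+;/sid:${newsid};/"
}

# invert_tor_rules < rules-file
# Reads a rule file on stdin, skips comments and blank lines, and inverts
# only rules whose destination is $HOME_NET (the inbound-from-relay rules).
invert_tor_rules() {
    while IFS= read -r line; do
        case $line in
            ''|'#'*) continue ;;
        esac
        case $line in
            *'-> $HOME_NET '*) invert_tor_rule "$line" ;;
        esac
    done
}

# Stand-alone run: print the inverted versions of the constructed sample rules.
printf '%s\n' "$SAMPLE_RULES" | invert_tor_rules
```

Feed the real `emerging-tor.rules` file into `invert_tor_rules` and load the output as a local rule file alongside, not instead of, the original: the original still catches inbound scans from relays, while the inverted copy catches internal hosts reaching out to them. Because `threshold ... track by_src` is carried over unchanged, the inverted rule rate-limits per internal source host, which is usually what you want for an outbound alert.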
Blue Team Tactics: Honey Tokens Pt. I
Part one of a series on deploying honey token files in a Windows enterprise environment, covering GPO-based file system auditing, creating pseudo-sensitive files, and configuring audit ACL templates.