Posts
Better Secure Shell (SSH)
This post covers hardening SSH workflows by generating ed25519 and RSA key pairs, deploying public keys, and configuring an SSH client config file with per-host identity files and strong cipher settings.
Detecting Tor communication
A guide to creating inverse Suricata IDS rules from Proofpoint Emerging Threats Tor signatures using sed and regex, enabling detection of outbound connections from internal hosts to Tor relays.
Using DoD Root Certificates with Git
This post explains how to convert DoD root certificates from DER to PEM format and configure Git on Linux to use them for TLS verification when cloning from DoD-hosted repositories.
Honeypot Diaries: Dota Malware
A deep dive into detecting and analyzing the Dota malware campaign.
Blue Team Tactics: Honey Tokens Pt. III
The final installment of the honey tokens series, covering multiple methods to centralize Windows Event ID 4663 audit logs including PowerShell, WEF, Splunk Universal Forwarders, and Splunk search queries.
Blue Team Tactics: Honey Tokens Pt. II
Part two of the honey tokens series covering PowerShell-based token deployment, validating audit ACL settings, and testing adversary interaction detection via PowerShell remoting, RDP, and Meterpreter process injection.
Load Balancing a Splunk Search Head Cluster
A guide to using an Ansible playbook to deploy and configure Nginx as a TLS-terminating load balancer in front of a Splunk Search Head Cluster for high availability and a single user entry point.
FreeIPA integration with Splunk
This post walks through integrating Splunk authentication with FreeIPA LDAP by creating a bindDN system account and configuring LDAP settings in both the Splunk web UI and an authentication.conf app.
Blue Team Tactics: Honey Tokens Pt. I
Part one of a series on deploying honey token files in a Windows enterprise environment, covering GPO-based file system auditing, creating pseudo-sensitive files, and configuring audit ACL templates.
DIY IP Threat Feed
This post describes building a DIY IP threat feed by aggregating honeypot SSH login data in Splunk, enriching it with geo and reputation context, and exporting it as a regularly updated CSV blacklist.