Author Archives: dfirblog

Funny Honey – tracking hackers in cyberspace part 2

SSH: Now let's continue with probably the most interesting service. First question – who connected to our SSH? Here is the top 10. Overall we got connections from 85 countries. It is interesting that the US and China are so close. Now to the ASN data: here is the top 10. Overall we got connections from 578 ASNs. I thought the […]

Funny Honey – tracking hackers in cyberspace part1

Like many people in the security community I've decided to run a bunch of honeypots and see what's out there on the scary Internet. You've probably heard it's all China, right? So, I've set up a six-host honeypot that was hosted on Google Cloud for a few months to find out. Tech stack: To really […]

How to parse Windows Eventlog

I often have to work with Windows log files during incident response and every time it's a very frustrating experience. Honestly, I think the Windows logging system needs a complete rework. Windows logs are for the most part completely useless with their cryptic messages, thousands of undocumented events and lack of any easy interface to work with. […]

Protecting Windows Networks – EMET

Memory corruption bugs continue to plague us in all kinds of software – they are often at the core of headline breaches and dangerous zero-day vulnerabilities. Over the years various mitigation technologies were developed to address this problem, such as EMET – a free suite of protections from Microsoft. What memory bugs? In unsafe languages like […]

Protecting Windows Networks – AppLocker

Application whitelisting is a powerful technology that could protect us from unknown malware, but it never really took off. One of the main reasons for that is that it is hard to configure and maintain. Another is that there are quite a few known bypass techniques, so it can't stop determined attackers. Although there are multiple commercial […]

Protecting Windows Networks – Kerberos Attacks

MEDIA NOTE: This is not a new flaw, just a good write-up! I don't know why the media are reporting this as a new flaw. Kerberos is an authentication protocol that is used by default in Windows networks and provides mutual authentication and authorization for clients and servers. It does not require you to send a password […]

Protecting Windows Networks – Dealing with credential theft

Credential theft is a huge problem. If you care to look at the Verizon Data Breach reports over the years, you will see that the use of stolen credentials has lingered at the top of the intrusion methods for quite some time. They are also prevalent in APT attacks. And why wouldn't they be? You don't need expensive zero-days […]