Playing with Honeypots

Summary

For a few months I’ve had a basic Azure Linux box with SSH open to the world to collect the usernames brute forced and the IP address of the bot trying. This worked OK for a while, but I was only taking the username and nothing else, plus it was slightly risky if the attacker ever guessed a username or password. What I really wanted to see was the username and password that was being used. From this I could build a list of compromised passwords and build out some threat intel on threat actors and the tools they are using. After googling around it became clear I needed some form of honeypot that would collect the logons and also let the attacker in. This way I can see what commands are run post breach. ...
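The first setup described above, a plain sshd listener whose logs only yield usernames and source IPs, can be mined with a few lines of Python. This is an added example, not code from the post; it assumes the box writes standard OpenSSH "Failed password" lines to auth.log, and the log lines below are constructed, not captures from the author's machine. Running it also shows the limitation the post runs into: sshd records the username and source address of each failed attempt but never the password, which is why the next step is a real honeypot.

```python
import re
from collections import Counter

# Constructed sample lines in the format OpenSSH writes to auth.log when a
# remote client fails (or succeeds) at password authentication. Illustrative
# only; these are not captures from the author's Azure box.
SAMPLE_AUTH_LOG = """\
Apr 18 03:12:01 vm sshd[1201]: Invalid user admin from 203.0.113.10 port 51234
Apr 18 03:12:03 vm sshd[1201]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Apr 18 03:12:09 vm sshd[1203]: Failed password for root from 203.0.113.10 port 51240 ssh2
Apr 18 03:12:15 vm sshd[1205]: Failed password for invalid user oracle from 198.51.100.7 port 40022 ssh2
Apr 18 03:12:20 vm sshd[1207]: Failed password for root from 198.51.100.7 port 40030 ssh2
Apr 18 03:12:21 vm sshd[1207]: Failed password for root from 198.51.100.7 port 40030 ssh2
Apr 18 03:12:30 vm sshd[1209]: Accepted password for tom from 192.0.2.5 port 50001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." (user not in /etc/passwd).
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+"
)


def parse_failed_logins(log_text):
    """Return a list of (username, source_ip) for every failed password attempt.

    Note what is *not* available here: sshd never logs the password that was
    tried, only the username and source address. Collecting the full
    credential pair needs a honeypot that accepts the login, as the post goes
    on to do.
    """
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip")))
    return attempts


def summarize(attempts):
    """Tally attempts by username and by source IP, most common first."""
    users = Counter(user for user, _ in attempts)
    ips = Counter(ip for _, ip in attempts)
    return users.most_common(), ips.most_common()


if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_AUTH_LOG)
    users, ips = summarize(attempts)
    print("usernames tried:", users)
    print("source IPs:", ips)
```

The successful "Accepted password" line is deliberately not matched; on a real box that is the event to alert on, since it means a guess landed.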

April 19, 2022 · 3 min · Tom Kinnaird

Hunting For Dead Azure Machines

TLDR: Decom your test machines properly! Hashes are still useful after the machine is gone.

Background

Decided to write this up as a post because I found it mildly interesting and something I haven't seen yet in the Blue Team world!

New Toys are fun

I have been learning the ins and outs of Sentinel for the past few weeks and after getting fed up with writing KQL alarms decided to use it to hunt some bots online. Fastest way to find bots online: spin up a Windows VM in Azure and set all ports to be open. 20,266 logins in 12 hours! Should be enough to get started. ...

January 19, 2022 · 3 min · Tom Kinnaird