Archives
All the articles I've archived.
-
Home Lab Diaries, Part 1: I Just Wanted a SIEM
Repurposing an old laptop into a Splunk lab sounded like a weekend project. It became a BIOS standoff, a USB ethernet graveyard, and one genuinely terrifying reboot.
-
Poisoned at the Source
Someone shared an interesting article. A colleague forwarded it. Three managed devices got wiped before the week was out.
-
Today's Special: Juicy Nothing-Burger
762 sessions. Rotating AWS infrastructure. Dual C2 channels. Jittered intervals specifically designed to defeat statistical detection. On a cafeteria menu board.
-
Four Days, 22 Emails, and One Very Patient AI Persona
I built an autonomous AI scambaiting persona and pointed her at a fake government grant scammer. Four days later he rage-quit and called her an Olofo.
-
Instructure Paid. Now What? The Case For and Against the Canvas Ransom Deal.
Instructure reached an agreement with ShinyHunters hours before the May 12 deadline. The ransom debate is old, but this case adds new wrinkles worth working through.
-
The Canvas Breach and What It Tells Us About Vendor Risk in Education
ShinyHunters breached Instructure and compromised data from thousands of institutions. The technical details matter less than what this breach pattern keeps telling us about third-party risk.
-
The Midnight Beachhead: A Real-World RCE Incident on a University Network
Shortly after midnight, an attacker exploited a known vulnerability in a web-facing server at one of our international campus locations. This is what happened next.
-
Sinkhole, Bursts, and a 142-Minute Retry Timer: Reading C2 Behavior in the Logs
A phishing click led to fixed-size C2 check-ins arriving in two distinct bursts with a 142-minute gap between them. The pattern told the story before we had a verdict.
-
Anatomy of a Crypto Drainer: Phishing, a 22MB Payload, and 180 Identical Beacons
A user clicked through a phishing warning and ended up with what the evidence points to as a crypto drainer. Here's what the traffic looked like and how we assessed it.
-
Receiving a Responsible Disclosure: What Happens When a Researcher Finds Something First
An independent researcher found an open directory listing on one of our public-facing servers exposing archive files that had been sitting there since 2023. Here's how we handled it.
-
MFA Bypass via Push Fatigue: When the Second Factor Isn't Enough
A phishing campaign captured two sets of credentials and resulted in one full account breach with MFA bypass. Here's how it unfolded and what contained it.
-
PcClient.bal RAT Outbreak: Six Hosts, After-Hours Beaconing, and a Gap in Egress Policy
A single IDS alert turned into a six-host RAT cluster, all beaconing after hours on non-standard ports. The firewall didn't catch it. The IDS did.
-
Two C2 Cases, One Day: Reading the Difference Between Infected and Blocked
Two C2 investigations on the same day with very different outcomes — one confirmed infection with active beaconing, one clean block. The key was knowing what the firewall logs were actually telling me.
-
When Three Controls Agree: Catching InstallMiez on a BYOD Network
A user device beaconing to a hardcoded Akamai IP every 17 minutes turned into a clean example of why defense-in-depth isn't just a buzzword.