Gravwell search API PowerShell Module

07.12.2023 00:00 api github gravwell powershell

This quick and easy PowerShell module was designed to facilitate search queries between a Gravwell search API endpoint and a local client. It supports pre-configured JSON profiles for running repeated searches and queries.

Profiles can be saved in the following format. The ServerIP and Key attributes are required in all profiles. However, query parameters can be run during invocation.

JSON

{
  "ServerIP": "<IP>:<port>",
  "Key": "<key>",
  "Query": "<query>",
  "Duration": "<hours>h",
  "Format": "<format>"
}

Following are some example invocations.

Playing around with Solarmarker/Jupyter InfoStealer

03.12.2023 00:00 infostealer jupyter malware powershell solarmarker

Jupyter InfoStealer is fairly common these days. We certainly see a lot of users downloading it in various forms. It’s typically spread through Search Engine Optimization (SEO) poisoning, convincing users that they’re downloading some legitimate software. Often, we see it masquerading as PDFs or other files as well. It’s pretty common to see it deploy a decoy file that pretends to be whatever the user was looking for. Sometimes, this is even the correct file! (As far as I can tell, people are looking for weird things lol)

Honeypot Statistics Week 2 & 3

02.12.2023 00:00

This is a compilation of the last two weeks of traffic analysis. As always, this is a low-interaction honeypot that deploys FTP, SSH, Telnet, HTTP, HTTPS, IMAP, and VNC honeypots. Data is collected into a SIEM where it is correlated with location data and sent to a data visualization tool for report generation. Raw data is provided at the bottom of this post.

This past two weeks saw the United Kingdom as the top connecting country. This is largely due to the 88.91k connections from 144[.]126[.]206[.]248 on the VNC honeypot.

Honeypot Statistics Week #1

17.11.2023 00:00

Honeypot statistics from November 10th - 16th. This is a low-interaction honeypot that is deploying FTP, SSH, Telnet, HTTP, HTTPS, IMAP, and VNC honeypots. Data is collected into a SIEM where it is correlated with location data and sent to a data visualization tool for report generation. Raw data is provided at the bottom of this post.

This week there have been 108.06k connections observed. Of this, there were 3196 unique addresses. They were primarily from China, the United Kingdom, and the United States. China made up 36% (38.84k) of all traffic.

01.01.0001 00:00

awdwadawdawda

Previous Page 5 of 5