By kind invite of the organising committee I had the pleasure of presenting at the CITC 2025 conference at the RAF Museum Hendon. Shaking things up even more than last year, I not only presented from a GitHub repo but also managed to convince the screen recording on my iPad mini to work and capture the slides. I’ve had to exclude… Read more
Graylog JSON extractor ‘skipping’ keys and values
While having a play with a general-purpose way to get CSVs and other log data into Graylog with PowerShell, I’ve been converting the files’ contents into JSON and then importing them over RAW HTTP – hardly the speediest way, but as a proof of concept it works. However, after configuring a JSON extractor (System > Inputs > (your input)… Read more
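The CSV-to-JSON-over-HTTP approach the post describes, as an added PowerShell example (this is not the post’s own script): each CSV row becomes one flat JSON document that is POSTed to a Graylog Raw/Plaintext HTTP input, which stores the request body in the `message` field for a JSON extractor to pick apart. Assumptions not taken from the post: the Graylog host and port are hypothetical, the Raw/Plaintext HTTP input is assumed to accept POST on the `/raw` path, and the CSV text is constructed sample data.

```powershell
# Added example, not the original post's code. Hypothetical Graylog endpoint:
# a Raw/Plaintext HTTP input on port 5555, assumed to accept POST on /raw.
$GraylogRawUrl = 'http://graylog.example.internal:5555/raw'

# Constructed sample input; note the header with a space in a column name.
$SampleCsv = @'
timestamp,user name,src_ip,action
2025-01-10T08:15:02Z,alice,10.0.0.5,login
2025-01-10T08:16:40Z,bob,10.0.0.9,logout
'@

function ConvertTo-FlatJsonLines {
    # Emits one compact JSON document per CSV row, all values as strings, no nesting.
    param([Parameter(Mandatory)][string]$CsvText)
    foreach ($row in ($CsvText | ConvertFrom-Csv)) {
        $flat = [ordered]@{}
        foreach ($p in $row.PSObject.Properties) {
            # Precaution (not a claim about the post's extractor issue): restrict key names to
            # letters, digits, underscore, dash and dot, which are safe as Graylog field names.
            $key = $p.Name -replace '[^A-Za-z0-9_.\-]', '_'
            $flat[$key] = [string]$p.Value
        }
        $flat | ConvertTo-Json -Compress
    }
}

function Send-JsonLinesToGraylog {
    # One POST per row: the raw input has no batching, which is why this is slow at scale.
    param([Parameter(Mandatory)][string[]]$JsonLines, [string]$Url = $GraylogRawUrl)
    $sent = 0
    foreach ($line in $JsonLines) {
        Invoke-RestMethod -Method Post -Uri $Url -ContentType 'application/json' -Body $line | Out-Null
        $sent++
    }
    return $sent
}

$lines = ConvertTo-FlatJsonLines -CsvText $SampleCsv
$lines   # inspect the documents before sending anything
# Send-JsonLinesToGraylog -JsonLines $lines   # uncomment once the input exists
```

Inspecting `$lines` first is worth the extra step: the JSON extractor only sees what ends up in `message`, so any key that has been renamed or any value that arrived as something other than a plain string is visible here before Graylog gets involved.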
Users on Palo Alto GlobalProtect cannot connect to Citrix VDA
While investigating issues with users on GlobalProtect VPN not being able to connect to Citrix VDA servers I bumped into this forum post. I first disabled the Packet Based Attack Protection > IP Drop > Fragmented traffic option at Network > Network Profiles > Zone Protection > Profiles for the GlobalProtect zone and the zone hosting the Citrix application. While this… Read more
CITC 2024 Practical steps to help mitigate the risk of Zero-Day vulnerabilities
Something new for this year’s presentation at CITC: instead of your classic PowerPoint slides I’ve produced a GitHub repo, with the intent of building out the knowledge and ideas presented over time. GitHub repo: https://github.com/jamesfed/0DayMitigations/
Microsoft Remote Desktop connection – ‘An internal error has occurred’ and ‘The server security layer detected an error (0x80090304)’ event ID 139.
An interesting issue discovered after deploying security certificates for Remote Desktop Authentication into the TPM of desktop computers and some (physical) servers: after go-live with the security certificate, clients could no longer connect, with the error below being displayed in the Remote Desktop Services log on the server. The server security layer detected an error (0x80090304) in… Read more
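A check a practitioner would want when chasing this error, added here as an example and not the post’s own fix: confirm which certificate the RDP listener is actually presenting and which key storage provider holds its private key, so a TPM-resident key (the Microsoft Platform Crypto Provider) can be told apart from a software-backed one. Run it in an elevated PowerShell on the affected server; `RDP-Tcp` is the default listener name and is assumed here, and 0x80090304 is the SSPI error SEC_E_INTERNAL_ERROR.

```powershell
# Added diagnostic, not the original post's code. Requires an elevated session.
function Get-RdpListenerCertificate {
    param([string]$TerminalName = 'RDP-Tcp')   # default listener name, assumed

    # The listener's configured certificate thumbprint lives in the TerminalServices WMI namespace.
    $ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                          -ClassName Win32_TSGeneralSetting `
                          -Filter "TerminalName='$TerminalName'"
    $thumb = $ts.SSLCertificateSHA1Hash

    # A deployed certificate is normally in 'My'; the default self-signed one is in 'Remote Desktop'.
    $cert = Get-ChildItem -Path 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Remote Desktop' |
            Where-Object Thumbprint -eq $thumb | Select-Object -First 1
    if (-not $cert) {
        throw "Listener $TerminalName references thumbprint $thumb but no matching certificate was found."
    }

    # Use the CNG-aware accessor: CNG keys come back as RSACng (with a KSP name),
    # legacy CSP keys as RSACryptoServiceProvider (with a CSP name).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $provider = if ($rsa -is [System.Security.Cryptography.RSACng]) { $rsa.Key.Provider.Provider }
                elseif ($rsa) { $rsa.CspKeyContainerInfo.ProviderName }
                else { '<private key not accessible from this session>' }

    [pscustomobject]@{
        Listener    = $TerminalName
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        KeyProvider = $provider
        TpmBacked   = ($provider -eq 'Microsoft Platform Crypto Provider')
    }
}

Get-RdpListenerCertificate | Format-List
```

Comparing `Thumbprint` against what the deployment pushed, and `KeyProvider` against what was expected, narrows the question quickly: either the listener is not using the certificate you think it is, or it is and the key’s provider is the thing to look at next.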
SNMPv3 on Dell OS 10 switches
Given how woefully lacking in detail the Dell documentation is for the novice on OS10 switches, below is a little snippet that can be used to configure your switches with what appears to be enough permission for PRTG (or a similar SNMP monitoring system) to keep an eye on them. After entering configuration mode, a read-only view with a… Read more
FreeIPA to Palo Alto Networks Next Generation Firewall User-ID
Logs from the FreeIPA server can be used with the Syslog receiver function of a PAN NGFW to send username-to-IP-address mappings into User-ID, which can in turn be used to create policies based on the user’s identity. To extract the data from the logs you will need the parser shown below. View the code on Gist. I could… Read more
Palo Alto Networks Captive Portal, long delay in loading – Sophos agent
While recently testing the Captive Portal feature of a Palo Alto Networks Next Generation Firewall (NGFW), we found that Apple Macs took 120+ seconds to load the sign-in page. First thoughts jumped to the Apple Captive Network Assistant (CNA) feature not functioning correctly; however, this appeared to be a dead end. Some time and a few packet captures… Read more
CITC 2023 All of this has happened before. All of this will happen again.
This presentation covers the MITRE ATT&CK matrix and its application in an Oxford or Cambridge College (or indeed any institution) to gain increased awareness of exposure to cyber attacks and what can be done about them. Note, it looks like OBS captured the audio from the videos that wasn’t played back to the audience – sorry for talking over them!… Read more
FIDO2 Security Key Sign-In to Windows – Your credentials couldn’t be verified.
When setting up passwordless security key sign-in to Windows and attempting to sign in to the first machine you have set up (although it could be any machine!) you may encounter the error: Your credentials couldn’t be verified. (code: 0x000006d, 0x0) This error message appears even though you can sign in with the key to Azure AD and other web services. The cause is likely… Read more