Moving SYSVOL deserves a cautious, well-tested runbook because the directory is central to Group Policy and domain logon behavior. The junction points, replication state, backups, and rollback plan matter more than the file copy itself.

When using dnSpy to make a small managed-code change, the simplest edit is often to replace an instruction with a no-op rather than rewriting an entire method. This note explains that workflow while keeping the focus on controlled lab changes and repeatable verification.

This post documents a suspected WordPress backdoor investigation. It is split into two useful tracks: the operational lessons from finding and cleaning up a compromised site, and a technical analysis of the malicious PHP so the indicators and tradecraft can be understood.

Search is a strong Active Directory lab for attackers and defenders because it rewards disciplined enumeration more than tool memorization. The useful habit is to keep asking which identity has which right over which object, then prove the path before escalating.

Shadow Credentials abuse targets the msDS-KeyCredentialLink attribute and the way Active Directory supports key trust authentication. The blue-team priority is simple: understand who can write that attribute, how those rights are inherited, and what telemetry exists when a new key credential appears.

I have been revisiting exploit-development fundamentals: simple stack overflows, register state, bad characters, debugger practice, and the small decisions that turn a crash into reliable control flow. This post keeps the scope narrow so the mechanics remain visible.

This post captures a first-pass OpenShift local development setup on Windows using CodeReady Containers, now succeeded by Red Hat OpenShift Local. The main value is the operational checklist: install, start the cluster, understand where startup can fail, and verify the CLI before building on top of it.

These WinDbg notes are a living reference for Windows debugging practice. They are best used as a working index: commands, mental models, and examples that can help you get oriented before going back to the official debugger documentation for exact syntax and edge cases.

This is a small lab note on using a USB Rubber Ducky from macOS. Treat the examples as authorized testing material only: keystroke-injection devices are useful for awareness and control validation, but they should be handled with the same care as any other offensive security tool.

Sometimes the hard part of Group Policy is not creating the policy. It is controlling who the policy applies to, changing that scope safely, and leaving enough process behind that the next person can understand why an exception exists.

Windows Defender Application Control, now documented as App Control for Business in many Microsoft materials, is one of the strongest application-control options available on Windows. These notes are a practical learning companion, with the reminder that policy design, audit mode, exception handling, and staged rollout matter as much as the...

This note examines an edgegdi.dll persistence idea from a defensive research perspective. DLL loading behavior can create surprising execution paths, but a reliable assessment needs to confirm the search order, file permissions, process context, and detection opportunities.

This is a short note on Wi-Fi testing tooling and the value of revisiting simpler utilities. The professional takeaway is to keep wireless testing scoped, authorized, and repeatable: know what the tool captures, where credentials or handshakes are stored, and how to clean up afterward.

This post is a defensive case study in DLL search-order hijacking using a real-world application path. The technique is useful to understand because it sits at the intersection of application packaging, file-system permissions, service context, and Windows loader behavior.

This post captures lessons learned while testing and tuning Defender Exploit Protection. The mistakes are useful because exploit mitigations are easy to enable in a lab and much harder to operate safely across a mixed application estate.

This follow-up looks at image-load controls and process-injection style behavior through the lens of Defender Exploit Protection. The focus is on what the mitigation is designed to block, how to test it safely, and where compatibility assumptions can surprise you.

This post evaluates how Windows Defender Exploit Guard, now documented under Microsoft Defender Exploit Protection, behaves against a deliberately vulnerable lab application. The useful question is not whether one mitigation “wins”; it is which mitigations apply, which require compatible binaries, and how failures appear in telemetry.

This post moves a small password-generation service into Azure Functions. The useful lesson is not the sample code itself; it is the deployment shape: local development, configuration, publishing, and the operational trade-offs of a serverless endpoint.

This post starts with the basics of deploying a small Azure web service by hand. Manual deployment is not the end goal, but it is a good way to understand the resources, runtime settings, and security controls before automating the same pattern.

Ansible and PowerShell can work well together for Windows administration when each tool is used for what it is good at: Ansible for orchestration and desired state across hosts, PowerShell for native Windows operations on the endpoint.

These are defensive notes from Windows persistence training. The goal is to understand where persistence commonly hides, how it survives reboots or user logons, and which host telemetry should be available to confirm or disprove a suspected technique.

VMware Workstation is mostly a desktop tool, but it still exposes enough automation surface to make lab work less manual. The local vmrest service can list virtual machines, inspect details, and perform common power operations without opening the GUI.

Docker is easiest to understand if you start with the plain definition: a container is a packaged process with runtime dependencies and a set of isolation boundaries around it. From there, the practical questions become image construction, storage, networking, and how much isolation the host actually provides.

These are defensive learning notes from working through Windows malware-development material in a controlled lab. The purpose is to understand techniques well enough to evaluate controls, telemetry, and detection logic, not to provide an operational playbook for misuse.

This note covers extending an on-premises lab network into an Azure virtual network with a site-to-site VPN. The core design work is address planning, gateway selection, routing, shared-key handling, and proving that traffic follows the intended path in both directions.

X-Forwarded-For is common in proxy and load-balancer deployments, but it should be treated as contextual metadata rather than proof of client identity. The trusted proxy boundary is the key design point: only infrastructure you control should be allowed to set or extend the value you rely on.

A small personal VPN can be useful for travel, lab work, and a disposable trusted egress point in a cloud subscription. The important word is disposable: a personal VPN should be easy to create, easy to audit, and easy to destroy when it is no longer needed.

Linux host security is a layered exercise: identity, patching, service exposure, SSH configuration, privilege boundaries, logging, filesystem controls, and incident visibility all matter. These notes collect practical checks that are useful when hardening small servers and lab systems.

Azure Key Vault is a security boundary for secrets, keys, and certificates, not a general-purpose configuration database. These notes focus on the operational choices that matter most: separation by application or environment, access control, soft delete, purge protection, logging, and network exposure.

Forest is a Hack The Box lab centered on Active Directory enumeration and privilege escalation. The value of the exercise is not the individual commands; it is the attack path: enumerate accurately, validate assumptions, and understand which directory permissions change the outcome.

CVE-2020-0796, often discussed as “SMBGhost,” was a remote code execution vulnerability in SMBv3 compression handling. This note focuses on the mitigation guidance that mattered at the time: patch quickly, disable SMB compression where needed, and avoid exposing SMB to untrusted networks.

WinDbg is still one of the best tools for understanding Windows crashes, hangs, and user-mode process state. For many crash dumps, a correct symbol path and !analyze -v will get you oriented; deeper cases require comfort with threads, stacks, modules, memory, and exception context.

Accidentally deleting an important Active Directory object is a special kind of stomach drop. The good news is that modern Active Directory recovery is much better than the old tombstone-reanimation days, provided Active Directory Recycle Bin was enabled before the deletion occurred.

This note captures the practical setup required to use a YubiHSM 2 for low-volume code signing. The device is well suited to lab and small-team workflows where the priority is protecting signing keys without introducing a large enterprise HSM platform.

Smart card logon ties Windows authentication to certificate-based identity and Kerberos PKINIT. The flow is easier to reason about when you separate the certificate validation, account mapping, domain controller certificate requirements, and the eventual Kerberos ticket exchange.

This is an old technique, but it remains one of the clearest demonstrations of why full-disk encryption matters. If an attacker can modify an offline Windows installation, local operating system protections no longer have the same meaning.

An Amazon VPC is the basic network boundary for many AWS workloads, but most design issues come from the details: subnet placement, route tables, NAT, security groups, network ACLs, DNS, and how traffic enters or leaves the environment.

Microsoft Entra pass-through authentication lets users sign in to cloud applications while their password is validated against on-premises Active Directory by an authentication agent. These notes focus on the moving parts, failure modes, and security decisions that matter when choosing PTA over password hash synchronization or federation.

This scenario comes up when an application, directory, certificate, and DNS namespace do not all line up neatly. LDAPS is straightforward when names match; it becomes more interesting when certificate subject names, service names, and client expectations point in different directions.

Azure Virtual Machine Scale Sets let you manage a group of load-balanced VMs as a single service boundary. The important design questions are when to scale, how to health-check instances, how updates are rolled out, and what dependencies could become the real bottleneck.

Scapy is useful when you need to craft or inspect packets without writing a full network tool. This note keeps the examples simple and focuses on the workflow: build a packet, inspect the fields, send it, and verify what happened on the wire.

These are the GDB commands I reach for when working through small Linux reversing, CTF, and exploit-development labs. It is not a full GDB guide; it is a practical starter map for getting oriented inside a process, setting breakpoints, inspecting memory, and feeding controlled input into a binary.

Azure Storage is more than “somewhere to put files.” A storage account can expose blob, file, queue, and table services, and the right design depends on access patterns, redundancy requirements, identity controls, network boundaries, and lifecycle expectations.

Azure networking design is where application architecture, operations, and security meet. The notes below focus on the core building blocks: virtual networks, subnets, address planning, routing, network security groups, load balancing, and connectivity back to existing environments.

These are practical notes on Amazon Route 53 and DNS design. The focus is on the operational details that tend to matter during an incident: delegation, TTLs, health checks, alias records, routing policies, and how resolvers behave when the design is under stress.

Active Directory backup is one of those areas where boring is usually good. Domain controllers have replication metadata, invocation IDs, USNs, SYSVOL content, and service state that need to remain consistent, so system state backups and tested forest-recovery procedures are still the safest foundation.

This is a short archival note from a home-office cleanout, keeping a few SANS penetration-testing references that were useful enough to record before the paper copies disappeared.

This note explores what changes when a Windows or Active Directory logon falls back to NTLM instead of Kerberos. That distinction matters for defenders because the credential material, network flows, delegation behavior, and detection opportunities are different.

Windows Firewall allow and block rules are often enough, but some environments need a more precise condition: allow the traffic only when the peer can authenticate. IPsec connection security rules can provide that extra requirement by combining firewall policy with computer or user authentication.

This post looks at a practical LAPS delegation problem: how to restrict which administrators can read local administrator passwords for a specific class of computer objects. The underlying lesson is broader than LAPS itself: sensitive directory attributes should be delegated deliberately, tested with effective permissions, and reviewed as the OU...

Vulnserver remains a useful training target for practicing the full exploit-development loop: fuzzing, crash triage, offset calculation, bad-character analysis, control-flow redirection, and payload delivery. The goal of this walkthrough is to make each decision explicit enough that the process can be repeated against similar lab binaries.

A Skeleton Key attack modifies authentication behavior in memory on a domain controller so that a chosen password works alongside users’ real passwords. It is a high-impact domain compromise technique and should be treated as an incident affecting the integrity of domain controller memory and credential validation.

A Silver Ticket attack targets a service rather than the whole domain. If an attacker obtains the long-term key for a service account, they can forge a service ticket for that SPN and may avoid the normal TGT request path that would otherwise touch the domain controller.

Overpass-the-hash is a Kerberos abuse pattern where an attacker uses a recovered NT hash to request Kerberos tickets, commonly by relying on RC4-HMAC compatibility. The important point for defenders is that this can turn credential material that looks “NTLM-only” into Kerberos access when the environment still permits the relevant encryption...

The fastest way to make an infrastructure security review useful is to move the conversation away from impressions and toward a shared model of the system. This checklist is designed to help reviewers ask consistent questions about identity, network exposure, operational resilience, and the controls that protect the highest-value paths...

A Golden Ticket attack becomes possible when an attacker obtains the long-term key material for the domain krbtgt account. With that key, the attacker can forge Kerberos ticket-granting tickets (TGTs) and impersonate domain principals until the compromised key material is rotated and existing forged tickets expire.

This is a compact inputs.conf example for collecting the standard Windows event logs and the Sysmon operational log with Splunk Universal Forwarder. It keeps the configuration intentionally small so it can be adapted into a deployment app or lab forwarder without pulling in unrelated settings.