Technical writing across homelab research, detection engineering, and offensive security. Published articles link to Medium; portfolio-original posts live here directly.
Python HTTP header recon tool for active bug bounty workflows - checks for missing security headers, outdated server fingerprints, and wildcard CORS misconfigurations.
Read on Medium →

Exploited an overpermissioned SMB share via smbclient with compromised service account credentials - automated exfiltration every 5 minutes, detected via Event 5145 in Splunk, followed by hardening.
Read on Medium →

Building the target environment - four shares on DC01 with intentional misconfigurations: overpermissioned Public share, weak service account credentials, CrackMapExec enumeration demonstrated.
Read on Medium →

hMailServer on Windows Server 2022 with MX/A DNS records, Thunderbird IMAP/SMTP client, and a credential-harvesting phishing chain using swaks from Kali.
Read on Medium →

IIS + PHP + MySQL on Windows Server 2022 with 100 fake employees, 200 customer records, 300 invoices - SQL injection in search, credentials exposed in config files, built as a data exfil target.
Read on Medium →

1,120 process creation events per hour - tuning Sysmon EventID 1 noise via SPL eval categorization framework with mvindex path extraction to separate infrastructure from investigation targets.
Read on Medium →

Detection patterns for 9 attack classes - credential dumping, Kerberoasting, Pass-the-Hash, PowerShell C2, DCSync, SMB relay - built from Sysmon + Windows Event ID chains with parent-process and access-mask analysis.
Read on Medium →

NCSI DNS probes (EventCode 1014) generating hundreds of false positives - filtering methodology using SPL NOT clauses targeting msftncsi, _msdcs, and _ldap query patterns.
Read on Medium →

Splunk Universal Forwarders on 3 Windows hosts feeding an Ubuntu indexer - 5 core SPL queries for brute force detection, privileged activity, process execution chains, and attack chain visualization.
Read on Medium →

Directory browsing enabled + app pool as Domain Admin + MySQL bound to 0.0.0.0 - Hydra brute force, web shell via directory traversal, RCE through w3wp.exe for immediate domain-wide access.
Read on Medium →

Deliberately configured SMB signing disabled, weak Fine-Grained Password Policy (7 chars, no lockout), and three Kerberoastable service accounts (DoesNotRequirePreAuth=true) - each enabling a documented MITRE technique.
Read on Medium →

Three real-world technical debt scenarios - Domain Admin autologon, disabled security controls for legacy app compatibility, and unsecured RDP - modeled from actual enterprise patterns with MITRE technique mapping.
Read on Medium →

PowerShell baseline assessment of IIS/MySQL server - unencrypted HTTP, MySQL on all interfaces, SMB/WinRM exposed, three overprivileged service accounts - findings classified Critical/High/Medium with remediation steps.
Read on Medium →

Baseline PowerShell assessment of DC01 - excessive Domain Admin membership, zero account lockout threshold, NTP misconfiguration affecting Kerberos, public DNS forwarder, legacy NetBIOS exposure. Published as DC01-Baseline-Assessment-Quick.ps1 on GitHub.
Read on Medium →

Executive workstation assessment - AutoAdminLogon with DA credentials in plaintext registry, UAC disabled, RDP open with no NLA, Kerberoastable service accounts - critical chain to domain compromise documented.
Read on Medium →

7-VM enterprise simulation on a Dell OptiPlex 5070 (32GB RAM, 1TB) - DC01, APP01, MGR1, DEV1, USER1, SIEM01, and Kali - with intentional misconfigurations across each layer for a full attack-defend environment.
Read on Medium →

10-step attack chain: Nmap → CrackMapExec SMB enumeration → RID cycling → Responder NTLM capture → Hashcat → Kerberoasting via impacket-GetUserSPNs → DCSync. Full domain compromise documented from first ping.
Read on Medium →

10 ASR rules deployed on WIN11-MGR1, RDP and cached logon reduction via registry, 14-char password policy, PowerShell ScriptBlock logging enabled - Wazuh rule for RDP re-enablement detection mapped to MITRE T1021.001.
Read on Medium →

SOC 2 Type II gap remediation - CC6.1 account tiering with "-std" model, CC7.1 Wazuh rule 100010 alerting on privileged logins, CC8.1 LDAPS via internal CA with PowerShell verified on port 636.
Read on Medium →

Five bash scripts assessing a fresh Wazuh 4.14.0 deployment: system config, Wazuh manager, indexer (OpenSearch 7.10.2), Filebeat, and log collection - ~400 lines across 34 output files.
Read on Medium →

Sysmon (SwiftOnSecurity config) integrated with Wazuh via ossec.conf eventchannel - custom rules for brute force (Rule 100001), password spray (Rule 100002, MITRE T1110.003), and LSASS access detection (Rules 100010/100011).
Read on Medium →

Wazuh on Ubuntu 24.04.3 with agents on DC01, APP01, and MGR1 - time synchronization via Chrony NTP, MITRE ATT&CK mapped alerts, Event ID 4625 detection with error code interpretation (0xc000006d, 0xc0000064).
Read on Medium →

A disclosed CVE reproduced in a local lab - exploitation walkthrough, HTTP evidence, detection logic, and remediation analysis.
What annotating LLM training data reveals about model safety gaps, and how that maps directly to adversarial red team methodology - three prompt injection classes broken down.
A simulated SOC 2 Type II readiness assessment - controls mapped to evidence, gaps flagged, remediation plan written as a practitioner engagement report.
Multi-part series: for each OWASP Top 10 class exploited in a lab, what the attack looks like in logs and the Sigma/KQL rule written to catch it.