ben@thomson.cx:~$ ls -la /labs/writeups/
CTF walkthroughs, blue team lab writeups, and tool reference guides — 32 writeups.
Email Analysis / Threat Intel
Investigated a suspicious phishing email, extracted IOCs, identified malicious infrastructure, and documented findings to support a simulated incident response.

AI Security / LLM Attacks
How LLMs can be manipulated through direct and indirect prompt injection — covering real-world incidents, injection techniques, and a hands-on practical with CalBot.

Threat Hunting / Log Analysis (coming soon)
Hunted through web server logs to identify exploitation of Apache Tomcat, traced lateral movement across the network and mapped attacker TTPs to the MITRE ATT&CK framework.

SIEM / Threat Hunting
A practical KQL reference for Microsoft Sentinel — covering key operators, Sentinel tables, authentication and endpoint queries, and threat hunting techniques with real-world examples.

Digital Forensics / DFIR
A practical guide to Autopsy — building a case, adding disk images, recovering deleted files, extracting browser and registry artefacts, and generating investigation reports.

Memory Forensics / Malware Analysis
A practical guide to Volatility 3 — analysing memory dumps to uncover running processes, network connections, injected shellcode, registry persistence, and hidden malware.

Network Analysis / Packet Capture
A practical guide to Wireshark — capture and display filters, protocol dissection, following streams, spotting C2 beaconing and DNS exfiltration, and extracting artefacts from packet captures.

Vulnerability Management
A practical introduction to InsightVM — core concepts, scanning workflow, understanding risk scores, and how to prioritise vulnerabilities across your organisation.

Active Directory / Threat Hunting / Windows
Detecting the most common Active Directory attacks — Kerberoasting, Pass-the-Hash, DCSync, Golden Tickets, and LDAP enumeration — using Windows Event Logs and key IOCs.

Linux / Log Analysis / DFIR
A practical reference for investigating Linux systems — covering key log files, SSH attack patterns, privilege escalation indicators, persistence mechanisms, and the commands to find them.

Email Analysis / Phishing / Threat Intel
Reading and analysing email headers — tracing the delivery path, validating SPF, DKIM, and DMARC, identifying spoofing attempts, and extracting IOCs from suspicious emails.

Certification / Exam Prep
A revision reference for the Security+ exam — all five domains, key concepts, important terminology, CIA triad, encryption, attack types, IR phases, and exam strategy tips.

Certification / Exam Prep
A revision reference for the SecurityX CAS-005 exam — security architecture, advanced operations, cryptography, threat hunting, GRC, and what separates it from Security+.

Certification / Exam Prep
A revision reference for the Network+ exam — OSI model, subnetting, common ports and protocols, network devices, wireless standards, network security, and troubleshooting methodology.

Certification / Exam Prep
A revision reference for the Security Blue Team BTL1 24-hour practical exam — phishing analysis, threat intelligence, Autopsy, Volatility, Splunk SPL, incident response, and report writing.

SIEM / Threat Hunting / Log Analysis
A practical SPL reference for SOC analysts — search syntax, statistical commands, field extraction, time modifiers, subsearches, and real-world threat hunting queries for common attack patterns.

XDR / EDR / Threat Detection
A practical guide to Palo Alto Cortex XDR — incident management, alert triage, causality chain analysis, response actions, and XQL threat hunting queries for SOC analysts.

SOAR / Automation / Incident Response
A practical guide to Palo Alto Cortex XSOAR — playbooks, incident management, war room investigation, context data, integrations, and automation scripts for SOC orchestration.

Identity / Cloud / Zero Trust
A practical guide to Microsoft Entra ID — sign-in log investigation, Conditional Access, Identity Protection, risky users, PIM, and detecting identity-based attacks including AiTM and password spray.

Linux / CLI / DFIR
An essential Linux CLI reference for security analysts — file navigation, user investigation, process and network analysis, log searching, file integrity checking, and persistence hunting.

Malware Analysis / Sandbox / DFIR
A practical guide to Any.Run — submitting samples, reading process trees, analysing network activity, extracting IOCs, and mapping malware behaviour to MITRE ATT&CK for incident response.

EDR / Threat Detection / Microsoft
A practical guide to MDE — alert investigation, device timeline, Advanced Hunting with KQL, response actions, Threat & Vulnerability Management, and Attack Surface Reduction rules.

Incident Response / DFIR / SOC
A practical IR reference — the NIST lifecycle, triage checklists, containment strategies by incident type, evidence collection order of volatility, eradication, and post-incident review.

Digital Forensics / Disk Imaging / DFIR
A practical guide to FTK Imager — creating forensically sound disk images, browsing evidence, recovering deleted files, exporting artefacts, capturing live memory, and verifying hash integrity.

PowerShell / Windows / Threat Hunting
A practical PowerShell reference for blue team analysts — system and network investigation, event log querying, Active Directory queries, persistence hunting, remote investigation, and defensive hardening.

Network Scanning / Reconnaissance / Enumeration
A practical Nmap reference — host discovery, port scanning techniques, service and OS detection, NSE scripts, output formats, and common ports reference for asset discovery and vulnerability assessment.

Windows / Sysmon / Threat Hunting
A practical guide to deploying and using Sysmon — key event IDs, configuration, hunting queries for credential dumping, process injection, named pipe C2, and lateral movement detection.

Malware Analysis / YARA / Detection Engineering
A practical guide to writing YARA rules — rule structure, string types, modifiers, conditions, and real examples for detecting Mimikatz, XOR-obfuscated shellcode, and PowerShell download cradles.

Threat Intelligence / OSINT / IOC Analysis
A practical guide to threat intelligence — IOC types, enrichment tools (VirusTotal, Shodan, MISP), threat feeds, investigation workflow, the Pyramid of Pain, and the Diamond Model.

Windows / Registry / Persistence / DFIR
A practical reference for registry forensics — hive file locations, persistence run keys, forensic artefacts (shellbags, UserAssist, USB history), and PowerShell investigation commands.

Network / DNS / Threat Hunting
A practical guide to hunting threats through DNS — record types, suspicious patterns, DGA detection, DNS tunneling, C2 over DNS beaconing, and hunting queries using Sysmon and DnsEvents.

IDS / Network Detection / Rule Writing
A practical guide to Suricata — rule anatomy, actions, protocol headers, key rule options, example detections for C2 and tunneling, EVE JSON log analysis, and tuning for production environments.

Cloud / AWS / Threat Hunting
A practical guide to hunting threats in AWS — key CloudTrail API events, GuardDuty findings, IAM enumeration detection, persistence mechanisms, and Athena SQL queries for cloud investigations.