AS-REP roasting is one of the most practical Kerberos attacks because it does not require domain admin rights. If a user account has preauthentication disabled, an attacker can request an AS-REP an...

Containers are not VMs. If an attacker escapes the container boundary, they often gain access to the host. eBPF-based sensors give you a low-level view of kernel activity and make it possible to de...

Threat intelligence is only useful if you can operationalize it. STIX provides a standard data model for indicators, and TAXII provides an API to move those indicators between systems. In a lab, yo...

Local LLMs are surprisingly useful in a home lab, especially for log triage. LMStudio lets you run a model locally with an OpenAI-compatible API. That means you can build a lightweight summarizatio...

SSH is the most attacked service in most home labs. Hardening it is not just about disabling passwords. You want modern cryptography, strong authentication, and an audit trail that lets you investi...

Lateral movement is the point where an intrusion turns into a breach. Two of the most common Windows pathways are SMB (port 445) and WinRM (ports 5985 and 5986). If you can monitor how these protoc...

TLS 1.3 dramatically simplified the handshake and removed legacy cryptography, but it also changed how you debug and inspect secure traffic. If you want to defend modern networks, you need to under...

A home SIEM does not need to be massive, but it should be coherent. The most stable pattern I have found is Wazuh for host telemetry, Zeek for network metadata, and OpenSearch for storage and searc...

YARA is the workhorse of malware triage. It lets you express matching logic over bytes, strings, and PE metadata, then scan large corpora quickly. The trick is writing rules that are stable, specif...

If you want serious Windows detection in a home lab, you need structured telemetry. Sysmon gives you high value process, network, and file events. Windows Event Forwarding (WEF) ships those events ...