Skip to content

Cybersecurity Musings

Cybersecurity and everything else!

  • home
  • detection
  • lab
  • ir
topics
  • all
  • Detection 6
  • Network & Logging
  • Endpoint
  • Cloud
  • Incident Response 1
  • Identity & Hardening 2
  • Vuln Mgmt
  • Lab Notes 5
  • Office 365 1
  • logs 1

Category: Lab Notes

DetectionLab, tooling setups, and reproducible experiments.

Spotting BloodHound on LDAP: Wire Patterns from bloodhound-python

Jul 17, 2026 Detection, Lab Notes

BloodHound / SharpHound / bloodhound-python are not subtle on LDAP if you know what “enumerate the world” looks like. Host telemetry helps. On a span or IDS sitting …

Continue reading →

Rubeus Kerberoast & AS-REP Roast: LDAP Filters and What to Log

Jul 17, 2026 Detection, Lab Notes

Kerberoasting and AS-REP roasting are still bread-and-butter AD abuse. Rubeus makes both loud in a lab and educational on the wire: the LDAP search that finds targets is …

Continue reading →

PetitPotam and Friends: Coercion Noise on 445

Jun 17, 2024 Detection, Lab Notes

PetitPotam is the “please coerce that machine into authenticating over there” energy that made AD CS and NTLM relay feel fresh again for a while. Different story than …

Continue reading →

Impacket on LDAP: GetNPUsers, GetUserSPNs, and What the Wire Looks Like

Jun 17, 2024 Detection, Lab Notes

Impacket is still the Swiss army knife people reach for when they want AD pain without opening Visual Studio. In the lab I care less about the binary …

Continue reading →

Certipy, AD CS, and the Day Suricata Told Me “dce” Isn’t a Protocol

Jun 14, 2024 Detection, Identity & Hardening, Lab Notes

Yeah so AD CS abuse is one of those things that looks clean in a conference talk and messy the second you try to detect it on a …

Continue reading →

Browse

  • Detection 6
  • Network & Logging 0
  • Endpoint 0
  • Cloud 0
  • Incident Response 1
  • Identity & Hardening 2
  • Vuln Mgmt 0
  • Lab Notes 5
  • Office 365 1
  • logs 1

Series of writeups from labs, detections, and hardening notes.

echo "© 2026 Cybersecurity Musings — lab notes & detection writeups" ~/ · rss