research blog
Threat hunting.
The most sophisticated actors.
Technical research across DFIR, malware analysis, threat hunting, and CTF write-ups. No product pitches, no fluff.
Credential Dumping from LSASS: What the Logs Actually Show
Most guides on LSASS credential dumping focus on the attacker side. This one focuses on what you actually see in the event logs when it happens in your environment.
Getting Started with Zeek for Network Threat Hunting
Zeek is one of those tools that looks overwhelming at first. After a few weeks of using it in a lab environment, here is how I actually got it to a useful state.
Lockpick 3.0 | HTB Forensics (Hard)
A ransomware decryption challenge where the encryption scheme looks custom at first but turns out to be a misused AES implementation.
Writing Sigma Rules That Actually Work
A week of trialling Sigma rules against a real lab environment. A lot of public rules are too noisy to be useful without tuning.
EDR Blind Spots: Where Modern Endpoint Tools Fall Short
Testing common EDR bypass techniques in a sandboxed environment to understand where defenders have coverage gaps.
Using Velociraptor for Live Response on Windows
Velociraptor is free, fast, and genuinely useful for rapid triage. A walkthrough of setting it up and collecting artefacts from a simulated compromised host.
Hunting Cobalt Strike Beacons in Network Traffic
Cobalt Strike is everywhere in incident reports. Understanding the default beacon traffic patterns makes hunting it more approachable than most people expect.
Seized | HTB Forensics (Medium)
A disk image challenge involving a Windows host used to exfiltrate data. The interesting part was figuring out which file was the payload and which was a decoy.
Event ID 4688 and Why Process Auditing Matters More Than You Think
If you are not logging process creation with command line arguments enabled, you are missing a significant chunk of attacker activity.
Writing Your First Yara Rule: From Sample to Signature
Yara rules feel mysterious until you write one from scratch against a real malware sample.