

  • Whoami

    Hi, I'm straysheep-dev.

    I'm here learning security from an offensive perspective and documenting things in a useful way as I go.

    I also focus on building defensive (or "visibility") tools, and configuration templates learned from applying offensive techniques to systems.

  • Connect



    9906 9EB1 2D40 9EA9 3BD1 E52E B09D 00AE C481 71E0

  • Linux Configs

    Various configuration files for Unix/Linux operating systems

    Go to repo

  • Windows Configs

    Various configuration files for Microsoft Windows operating systems

    Go to repo

  • Ansible Configs

    A collection of ansible roles

    Go to repo

  • Terraform Configs

    Various configuration templates for terraform

    Go to repo

  • Vagrant Configs

    Various notes and configurations for Vagrant

    Go to repo

  • Alert Service

    Send an alert (to Discord, Slack, or any webhook) based on a condition

    Go to repo

  • OSCP

    OffSec Certified Professional

  • OSWP

    OffSec Wireless Professional

  • PNPT

    Practical Network Penetration Tester

  • eCMAP

    Certified Malware Analysis Professional

  • eCPPT

    Certified Professional Penetration Tester

  • eJPT

    Junior Penetration Tester

  • OpenSCAP Practical Usage

    A complete guide to starting with OpenSCAP content focusing on Ansible.

    • Install OpenSCAP
    • Pull compliance profiles from GitHub/ComplianceAsCode
    • Debug policies with Ansible's -C and -D options
    • Apply, test, and maintain policies with Ansible tags.

    Go to blog post

  • Linux Utils

    Visualization tools with built-in parsing options in color. These tools are in the base of the linux-configs repo.

    • Parse + search auditd
    • Parse aide results
    • rkhunter / chkrootkit in color
    • Dump system + network process in color
    • bstrings-like recursive string parser

    Go to blog post CHECK BACK LATER!

    Go to repo

  • VMware Kernel Module Signing

    To run VMware on Linux with SecureBoot enforced, the vmmon and vmnet modules require signing to load into the kernel.

    • Automates this process
    • Run after each kernel update

    Go to script

  • pfSense Administration

    This guide covers CLI usage and other things like:

    • Home office / lab use
    • pkgs for Zeek, sudo, and more
    • GUI and CLI quirks
    • External storage and ZFS

    Go to blog post

  • Deploy auditd

    Installs and configures auditd to adhere to a specified policy on Debian / RedHat family systems.

    • Use built in rules for PCI, STIG, OSPP
    • Load your own custom rules instead
    • Choose log size, number, and type
    • Locks rules to prevent live modification

    Go to ansible role

    Go to shell script

  • Deploy & Manage Sysinternals

    Interactive PowerShell script to load Sysinternals onto a Windows machine.

    • Deploys sysmon
    • Can update sysmon
    • Option to use SwiftOnSecurity config
    • Option to supply your own config instead
    • Option to add essential monitoring tools
    • Option to add entire suite (malware analysis)

    Go to ps1 script

  • Deploy & Manage AIDE

    Ansible role to deploy, run, and manage AIDE at scale

    • Install AIDE (advanced intrusion detection environment)
    • Initialize a database if one does not exist
    • Check existing systems for integrity
    • Update a database if one exists (optional)

    Go to ansible role

  • Wireguard VPN / IDS Server

    Combines and automates a number of components to monitor traffic on a wireguard interface.

    Go to ansible role

  • Build Tailscale Node

    Automates deployment of a Tailscale node.

    Go to ansible role

  • Manage OpenSSH Server on Windows

    OpenSSH Server is not always available by default, and is time-consuming to configure manually for each deployment.

    • Installs + modifies OpenSSH Server
    • Enforces public key auth
    • Can change the listening port
    • Updates firewall rules
    • Imports public keys

    Go to ps1 script

  • Tail-EventLogs PS Module

    Windows has no tail -f equivalent to visualize live Event Logs. This is especially useful in tuning and testing sysmon rules locally.

    • Can tail any event log
    • Filter based on Event ID
    • Write to file with Tee-Object

    Go to ps1 module

  • Windows Sandbox Configs

    Detailed examples and premade .wsb files for:

    • Ephemeral environment
    • Development environment
    • Malware analysis

    The .wsb files and scripts are in the base of the windows-configs repo.

    Go to repo

  • Connect-UsbipSSHTunnel PS Module

    Convenience script to open a reverse ssh tunnel to the Windows host from WSL, giving WSL access to usbipd devices on localhost tcp/3240 without any inbound firewall rules active on the host.


    • WSL is up to date
    • usbipd is version 4.0.0 or later
    • The Windows host has an ssh key that the target WSL instance will accept
    • The ssh identity is loaded into Windows ssh-agent
    • WSL accepts incoming ssh connections
    • You can execute commands as admin (this script can run as a normal user but you need to know an admin's credentials)
    • You have sudo privileges within WSL

    Go to ps1 module

  • Customizing Shell Profiles

    Use your shell prompt to track the following (and more) in real time:

    • Username
    • Hostname
    • TTY
    • Date & time
    • Network interface information
    • Working directory

    Go to blog post

  • About

    This site was created as a better way to document, maintain, and share notes with demonstrations or visual components, cross-platform.

    The blog section (at the top) is where this content lives, and is an easily searchable archive of anything I've found useful to demonstrate. Try using the search function at the top of the page. It autocompletes suggestions from all of my content.

    Using mkdocs to build this makes it both a searchable "database" with no backend, and an archive with everything in chronological order.