# LOLC2: C2 via Legitimate Services (2025/02/25)
LOLC2 is a collection of legitimate services and how to use them for command-and-control. The detection sections for Microsoft services are especially interesting (funny) to look at:
Microsoft Sharepoint
C2 Projects:
- https://github.com/looCiprian/GC2-sheet
- https://github.com/RedSiege/GraphStrike
Detection:
- url: https://graph.microsoft.com/v1.0/sites//lists//items/
- url: https://graph.microsoft.com/v1.0/sites//lists/
Abusing Microsoft SharePoint for C2
Actors can upload malicious files or embed instructions in SharePoint lists, leveraging common document collaboration channels to hide C2 communications.
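The URLs in the detection notes above are the ordinary Graph endpoints for SharePoint lists, so a match on its own mostly describes normal traffic. The added example below (not code from LOLC2 or from the listed projects) pairs the URL match with two more signals: which process made the request, and whether it polls at a near-fixed interval. The log layout, the process allowlist, the thresholds and all sample values are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# The two Graph URLs from the detection notes; the site and list IDs are elided
# on the page, so any non-empty path segment is accepted in their place.
GRAPH_LISTS = re.compile(
    r"^https://graph\.microsoft\.com/v1\.0/sites/[^/?]+/lists(?:[/?]|$)")

# Assumption: processes this environment expects to call Graph list endpoints.
EXPECTED = {"OneDrive.exe", "Teams.exe", "msedge.exe"}
# Constructed telemetry (not real logs): epoch seconds, host, process, URL.
SAMPLE = """\
1000 ws01 Teams.exe https://graph.microsoft.com/v1.0/sites/SITE_A/lists/
1007 ws01 Teams.exe https://graph.microsoft.com/v1.0/sites/SITE_A/lists/LIST_1/items/
1010 ws02 msedge.exe https://graph.microsoft.com/v1.0/me/drive/root
1000 ws02 updater.exe https://graph.microsoft.com/v1.0/sites/SITE_B/lists/LIST_9/items/
1060 ws02 updater.exe https://graph.microsoft.com/v1.0/sites/SITE_B/lists/LIST_9/items/
1121 ws02 updater.exe https://graph.microsoft.com/v1.0/sites/SITE_B/lists/LIST_9/items/
1180 ws02 updater.exe https://graph.microsoft.com/v1.0/sites/SITE_B/lists/LIST_9/items/
"""

def matching_requests(log):
    """Yield (timestamp, host, process) for requests to the listed endpoints."""
    for line in log.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].isdigit() and GRAPH_LISTS.match(parts[3]):
            yield int(parts[0]), parts[1], parts[2]

def findings(log, min_hits=4, max_jitter=0.2):
    """Report clients that are unexpected or that poll at a near-fixed interval."""
    seen = defaultdict(list)
    for ts, host, proc in matching_requests(log):
        seen[(host, proc)].append(ts)
    out = []
    for (host, proc), times in sorted(seen.items()):
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Low relative spread of the gaps means timer-driven polling.
        regular = (len(times) >= max(min_hits, 3) and mean(gaps) > 0
                   and pstdev(gaps) / mean(gaps) <= max_jitter)
        unexpected = proc not in EXPECTED
        if unexpected or regular:
            out.append({"host": host, "process": proc, "hits": len(times),
                        "unexpected_process": unexpected, "regular_interval": regular})
    return out

if __name__ == "__main__":
    print(findings(SAMPLE))
```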
# Introduction and Link Blogs (2025/02/21)
I recently came across the idea of a link blog and loved it immediately.
One of the biggest barriers to me writing anything at all is usually feeling like I need to say something long and profound, when in reality I more often have short commentary to make on what I've read (which I do a lot):
I decided to follow Simon's approach to creating a link blog, where I can share interesting links I find on the internet along with my own comments and thoughts about them.
I am deciding to follow Xuanwo's approach to Simon's approach for some of the early content here so I can fill it up without the pressure of changing the world with an essay.
# Burnout Recovery and Prevention 101 (Part 0) (2023/08/13)
Note: This is the written version of a talk I gave at BSides Atlanta 2022 called “These Violent Delights”. Since it wasn’t recorded, I thought I would make it more available to people by blogging it. You can see the slides on GitHub here.
It’s been about two years since I wrote all of this for the first time.
The reception of the talk version at BSides Atlanta last year was good enough that I figured publishing these ideas and lessons for everyone to access would be beneficial.
But in trying to make it all perfect and complete, I’ve procrastinated publishing anything at all.
So, to remedy this, I’m going to publish in parts.
This is Part 0. Based on my massive list (mess) of talking points, here’s what’s coming up:
- Part 1: Where To Start
- Part 2: Improving Your Personal Health
- Part 3: Setting Professional Boundaries
- Part 4: Smash In Case Of Emergency
Recovery First, Prevention After
I will talk about burnout and how to prevent it, but more importantly, I want to talk about recovery.
Why?
Because most people have already experienced burnout, and I suspect a lot are still in it. I have to suspect because, though I have tried, I cannot find any data on how many people have recovered.
There are plenty of data sources for how many people have been or are currently burnt out, and prevention only matters if you’re not burnt out already.
Why even talk about this?
Because the working world has a burnout problem, and to make matters worse, infosec as an industry also has a talent problem.
According to plenty of sources, there were 2.72 million job openings in 2021. That number is going down, but it’s not one to laugh at.
Meanwhile, 75% of employees said they’ve experienced burnout, and 56% of employers admitted to having retention issues; 36% of those surveyed by Eagle Consulting said their organization isn’t doing anything to help them NOT be burnt out; Gallup found that burned-out employees are 2.6 times as likely to be actively seeking a different job, AND that only 60% of workers can strongly agree that they know what is expected of them at work.
The bottom line is that people are burning out, a lot of them aren’t getting help, and almost as many have no idea what standard they’re even supposed to be meeting.
Maybe you can see why I’m not confident about that number going down reliably. What are we missing out on because the talented people we already have are at or near the end of their rope?
Crime pays a lot, actually
Adversaries are making more money, their jobs are easier, and they work remotely. I’ve talked to people I know who were in ransomware gangs or are currently in them, and most of them say their work lives are easier.
What they told me boils down to a few simple points:
- No one is asking them to return to the office and commute through traffic hell
- The pay is better than what they might make legitimately
- The work is generally easier (since many targets aren’t as mature)
How are salaried, commuting, underfunded infosec professionals supposed to keep up?
There is a greater mission and much of the industry is not prepared to accomplish it.
Disclaimer
Before I go any further, I need to get some things out of the way:
- I am not an expert, a medical professional, or a psychiatrist
- I cannot diagnose or account for existing mental illnesses, personal situations, or other variables
But rest assured, I have had my fair share of hard times. I am no stranger to mental illness nor trauma. I know that life can be hard and there are a lot of factors at play.
I get it. I’m not here to sell you a cure-all, or even a cure-most. I’m here to share what worked for me and maybe impart something useful to you.
How I Got Here
Like many, I spent the majority of 2020 working too hard, burning too hot, and not getting the things I needed to be happy.
The company I worked at was in a period of intense growth where we had plenty of new pentesting work to do, but some of us still needed to make audits happen to pay the bills.
During that time, I started to study for my OSCP, and after seven months, it had knocked me out. I would study for 3-4 hours per night and all weekend in the labs, grabbing flags and honing my methodology.
I failed my first exam attempt in late September but came back with a vengeance by the end of October. Then I descended into one of the deepest ruts of my life.
Collecting debt from yourself
What confounded me is that I was just doing something I loved: learning and improving my pentesting skill set.
But the price I ended up paying was steep, and it took a lot longer to cover my debt to my passion than it did to destroy my passion.
The year after (2021) was filled with attempts to pursue my passion without the energy I needed, leaving me feeling unfulfilled and frustrated at my sudden lack of progress in my career, but even more disappointingly, lack of appreciation for something I was once fascinated by.
I would listen to my favorite security podcasts and roll my eyes when people would talk about how energized they were and could spend hours just learning. My cynicism was through the roof, and the problem wasn’t them - it was me. I needed to feel better. My new state was not sustainable, and I needed a solution. That’s how I came up with what’s in this blog.
It took me a long time, but I made it, and I want to share that with anyone who’s in that same place.
Look out for “Part 1: Where To Start”, coming soon.
# Learn Exploit Development for Free (2022/03/23)
The most frustrating thing about hacking has become finding good learning resources without breaking the bank.
While studying for CEH (hold the judgment, please, I was young and naive), I had to resort to far more than just the EC-Council curriculum. If you’ve ever tried for one of their certifications, you’ll know why: the material isn’t good enough.
For the OSCP, I had the same experience. The PWK lab was not diverse enough to make me feel truly prepared, and looking back, I’m glad I resorted to sites like HackTheBox, Vulnerable Hacking Labs, and Vulnhub for extra practice. Luckily, many outstanding individuals like TJNull had compiled lists of practice machines for me to reference.
After spending time learning advanced pentesting and red team tactics in a useful-but-never-too-deep manner, I’ve landed on exploit development as my next deeper learning path. I’ve built a roadmap for myself entirely made up of free resources and compiled it here.
I may edit this as I go, and I will post reviews as separate blogs if warranted. If I do make a meaningful update, I’ll be sure to mention that.
(Prerequisite) x86 Assembly and C
NASM and C are more important than I realized at first. A strong understanding of both will help you tremendously as you get into the actual exploit development and research parts of this.
Resources will be mostly focused around Linux to ensure that the barrier to entry is as low as possible. Once I get into Windows, I’ll add resources around that OS, but I’ll stick with what I know best for now.
- OpenSecurityTraining2 - Debuggers 1012: Introductory GDB
- OpenSecurityTraining2 - Architecture 1001: x86-64 Assembly
- OpenSecurityTraining2 - Architecture 2001: x86-64 OS Internals
- Learn-C.org
Books:
Linux Exploit Development
This list contains a healthy mix of challenges, guides, course material, and books. These resources are invaluable and I cannot believe they are free.
- Exploit.Education - Phoenix
- Exploit.Education - Nebula
- OpenSecurityTraining - Intro to Software Exploits
  - Course Textbook: The Shellcoder’s Handbook
Books: