Blue Team Labs

Put your knowledge into practice with gamified cyber security challenges.

DynamicEscalate

PREMIUM

Cloud Forensics

easy

Reconstruct a Microsoft Entra ID privilege escalation chain by correlating Exchange message traces, Azure AD telemetry, and unified audit logs using KQL.

AbuSESer - Trufflenet

PREMIUM

Cloud Forensics

easy

Investigate a complex Business Email Compromise attack by correlating AWS CloudTrail and Lambda logs in CloudWatch Logs Insights to reconstruct the attack timeline and attribute TTPs.

Rogue Azure

PREMIUM

Cloud Forensics

easy

Reconstruct a multi-stage Azure attack timeline by analyzing Entra ID, Audit, and Storage Blob logs using Kusto Query Language to identify initial access, persistence, privilege escalation, and data exfiltration.

AWSWatcher

PREMIUM

Cloud Forensics

easy

Analyze AWS GuardDuty, CloudTrail, S3, and CloudWatch logs to identify attacker actions, exploited misconfigurations, and reconstruct an AWS cloud security incident.

AzureHunt

PREMIUM

Cloud Forensics

easy

Correlate Azure AD, Activity, and Blob Storage logs in Elastic Stack to reconstruct an attack timeline, identifying initial access, lateral movement, persistence, and data exfiltration.

AWSRaid

PREMIUM

Cloud Forensics

easy

Investigate AWS CloudTrail logs using Splunk to identify unauthorized access, analyze configuration changes, and detect persistence mechanisms.

Shadow Token Symphony - APT29

PREMIUM New

Cloud Forensics

medium

Synthesize KQL findings across Windows events and Azure logs to reconstruct an APT29 multi-stage cloud attack, identifying persistence mechanisms and data exfiltration.

ConsentStorm

PREMIUM

Cloud Forensics

medium

Analyze a cloud-native attack chain involving illicit consent grants, hardcoded credential discovery, Temporary Access Pass abuse, and ABAC bypass to understand modern Azure threat actor techniques.

AzureSpray

PREMIUM

Cloud Forensics

medium

Master the detection, investigation, and remediation of password spray attacks in Azure AD. Analyze sign-in logs with KQL queries to identify attack patterns and compromised accounts, implement Microsoft Sentinel analytics rules for automated detection, and apply security controls including Smart Lockout, Conditional Access policies, and incident response playbooks to protect against credential-based attacks.

IMDSv1

PREMIUM

Cloud Forensics

medium

Analyze network traffic and AWS CloudTrail logs using Wireshark and `jq` to reconstruct an IMDSv1 SSRF exploitation and subsequent data exfiltration attack.

GoogleCloudHunt

PREMIUM

Cloud Forensics

medium

Learn cloud forensics by analyzing Google Cloud logs with `jq` to identify compromised accounts, data exfiltration, and attacker persistence methods in a simulated breach scenario.

S3CredentialsHunt

PREMIUM

Cloud Forensics

medium

Analyze AWS CloudTrail logs with `jq` to reconstruct attacker TTPs, identify privilege escalation, and detect persistence mechanisms within a compromised cloud environment.

Code Blue - APT29

PREMIUM

Cloud Forensics

hard

Reconstruct a multi-stage APT29 intrusion by analyzing Azure and M365 logs to trace device code phishing, OAuth token abuse, service account chaining, Silver SAML forgery, and PHI exfiltration.