Blue Team Labs

Put your knowledge into practice with gamified cyber security challenges.

CursorJack

PREMIUM

Endpoint Forensics, Cloud Forensics

easy

A developer's workstation is the new perimeter — trace an MCP-based intrusion from the first malicious deeplink through to a multi-region cloud compromise and follow the money on-chain.

Fork Bomb - TeamPCP

PREMIUM

Endpoint Forensics, Threat Intel

easy

Investigate a real-world supply chain attack from first alert to threat actor attribution — and find out how a single Python package nearly handed over the keys to an entire cloud environment.

ContainerBreak - Rootkit Trail

PREMIUM

Endpoint Forensics

easy

Maranhao

PREMIUM

Endpoint Forensics

easy

Investigate a trojanized game installer by analyzing browser history, logs, registry hives, and filesystem artifacts to map the full attack chain and extract IOCs.

RevengeHotels APT

PREMIUM

Endpoint Forensics

easy

Reconstruct a multi-stage APT attack chain by correlating email, browser, Sysmon, and registry artifacts to identify persistence mechanisms and data exfiltration techniques.

Reveal

Endpoint Forensics

easy

Reconstruct a multi-stage attack by analyzing Windows memory dumps using Volatility 3, identifying malicious processes, command lines, and correlating findings with threat intelligence.

Volatility Traces

PREMIUM

Endpoint Forensics

easy

Analyze a memory dump using Volatility to identify malicious processes, persistence mechanisms, defense evasion techniques, and map them to MITRE ATT&CK.

Ramnit

Endpoint Forensics

easy

Analyze a memory dump using Volatility to identify a malicious process, extract network IOCs, the file hash, and the compilation timestamp, and correlate them with external threat intelligence.

The Crime

Endpoint Forensics

easy

Utilize ALEAPP to analyze Android device artifacts, reconstructing a victim's financial details, movements, and communication patterns.

T1598.002 - Dragonfly

PREMIUM

Endpoint Forensics

easy

Analyze a spearphishing email to identify social engineering techniques and extract indicators of compromise from its headers and malicious attachment.

RedLine

Endpoint Forensics

easy

Employ Volatility to analyze a memory dump, identifying suspicious processes, network IOCs, memory protections, and the attacker's command-and-control infrastructure.

Insider

Endpoint Forensics

easy

Analyze Linux disk image artifacts, including logs and Bash history, using FTK Imager to investigate insider threat activities and reconstruct user actions.

CodeFreeze

PREMIUM (New)

Endpoint Forensics

medium

Reconstruct the complete attack timeline by analyzing browser history, event logs, registry, and Git artifacts to identify initial access, persistence, and data exfiltration mechanisms.

Rhadamanthys

PREMIUM

Endpoint Forensics

medium

Hunt mail caches, MFT records, and Prefetch to unmask the initial dropper and rebuild the attack timeline.

KioskExpo7

PREMIUM

Endpoint Forensics

medium

Famous Chollima

PREMIUM

Endpoint Forensics

medium

Synthesize forensic artifacts and Python source code from a disk image to reconstruct a credential theft attack, identifying persistence methods and C2 communications.

BYOD Breach

PREMIUM

Endpoint Forensics

medium

Correlate Android and Windows forensic artifacts, including logs and malware analysis, to reconstruct a multi-stage BYOD breach from initial access to persistence.

Job Trap - OilRig

PREMIUM

Endpoint Forensics

medium

Analyze PowerShell and Sysmon logs to investigate macro-based malware, identify persistence via scheduled tasks, and extract C2 indicators and keylogger behavior using FTK Imager and olevba.

ResourcePacks

PREMIUM

Endpoint Forensics

medium

Reconstruct an attack timeline by analyzing forensic artifacts to identify a UAC bypass, WMI persistence, and backdoor user creation techniques.

WorkFromHome

PREMIUM

Endpoint Forensics

medium

Analyze forensic artifacts to trace an attacker's progression from initial social engineering and remote access to a "Sticky Keys" privilege escalation.