Blue Team Labs

Analyze browser, filesystem, and event artifacts to reconstruct the attack chain, identify the malicious download source, extract second-stage and C2 indicators, and determine persistence, account creation, and lateral movement.

Reconstruct the Fog ransomware attack chain by analyzing browser, registry, event logs, and MFT artifacts to identify initial access, persistence, BYOVD privilege escalation, and IOCs.

Reconstruct a multi-stage attack by analyzing Sysmon, WMI, and Prefetch logs to identify initial infection, advanced persistence, and C2 communications.

Analyze a forensic image to extract communication artifacts, identify malware behavior, and decrypt encrypted files using FTK Imager, string analysis, and PowerShell scripting.

Correlate Windows Event Logs and Sysmon artifacts to reconstruct a SQL Server attack, identifying initial access, multiple persistence techniques, and the attacker's cryptomining objective.

Investigate macOS authentication artifacts, decrypt `kcpassword`, and extract secure notes from `login.keychain-db` using `Chainbreaker` to reconstruct user activity.

Reconstruct an intrusion timeline by analyzing event logs, registry, file system, and network artifacts to identify attacker TTPs and data exfiltration.

Correlate Sysmon, MFT, and application logs to reconstruct a ransomware attack timeline, identifying persistence, defense evasion, and data exfiltration TTPs.

Reconstruct a multi-stage malware attack chain by analyzing Windows event logs with EvtxECmd and memory dumps with Volatility to identify LOLBins and C2 communications.

Analyze memory images and event logs using MemProcFS, EvtxECmd, and Timeline Explorer to identify Andromeda bot IOCs, reconstruct its infection timeline, and attribute it to an APT group.