Blue Team Labs

Hunt Sysmon process trees, Chrome browsing artifacts, and Mark-of-the-Web streams to rebuild a the full kill chain from phishing delivery through AD enumeration to HTTPS exfiltration.

Reconstruct the attack timeline by correlating Suricata and Zeek logs in Splunk to identify malicious IPs, C2 domains, targeted hosts, and file hashes.

Analyze Sysmon logs in Elastic SIEM to investigate REvil ransomware attack behaviors, decode recovery sabotage commands, and identify IOCs including the C2 onion domain.

Synthesize forensic artifacts from event logs and disk images to reconstruct a multi-stage attack chain, detailing initial access, privilege escalation, lateral movement, and data exfiltration.

Investigate a software supply-chain compromise that escalates into a ransomware attack, with emphasis on identifying pre-encryption operations.

Synthesize and correlate diverse forensic artifacts from multiple systems to reconstruct the complete HiddenTear attack chain and attribute threat actor TTPs.

Reconstruct multi-stage ransomware attack by correlating Splunk telemetry, disk forensics, and registry artifacts to identify persistence mechanisms, credential dumping, and lateral movement.

Reconstruct a multi-stage attack timeline by analyzing Sysmon and Windows event logs in Splunk to identify attacker tactics from initial access to data exfiltration.

Correlate Splunk logs and filesystem artifacts from a workstation and domain controller to reconstruct an attack chain involving Kerberos delegation and credential theft.

Reconstruct a sophisticated attack timeline by analyzing Windows logs, network traffic, and disk artifacts to identify initial access, persistence, and data exfiltration using Splunk and forensic tools.

Reconstruct the Rhysida ransomware attack chain, identifying initial access, persistence, C2, and impact using Splunk and CyberChef.

Correlate Sysmon, Windows event logs, and PowerShell history to reconstruct a multi-stage Black Basta ransomware attack, identifying initial access, persistence, C2, exfiltration, and impact.

Reconstruct a targeted cyber attack's timeline by analyzing Splunk event logs, process, and network data to identify initial access, persistence, privilege escalation, and C2.

Correlate Windows event logs and Sysmon data across enterprise systems using ELK to reconstruct a multi-stage cyber attack from initial access to ransomware.

Reconstruct a multi-stage intrusion timeline by analyzing Windows and Sysmon event logs within Elastic SIEM to identify key attack tactics, techniques, and procedures.

Investigate and analyze malicious activity in an Active Directory environment using log analysis and Splunk queries to identify initial access, persistence, lateral movement, and data exfiltration techniques.

Detect, analyze, and respond to Kerberoasting attacks by investigating Kerberos logs, identifying compromised accounts, and uncovering attacker persistence methods.

Analyze Windows event logs in Splunk to identify T1197 BITS abuse, LOLBAS usage, attacker IP, and persistence mechanisms.