Blue Team Labs

Put your knowledge into practice with gamified cyber security challenges.

GateBreak

PREMIUM

Endpoint Forensics

hard

Reconstruct a macOS attack timeline by correlating Unified Logs, FSEvents, and browser artifacts using macMRU.py and unifiedlog_iterator to identify initial access, Gatekeeper bypass, and persistence.

TomCracked

PREMIUM

Network Forensics

hard

Investigate a web server compromise by analyzing network traffic to trace a Java deserialization exploit and the subsequent deployment of a Cobalt Strike beacon.

RotaJakiro

Malware Analysis

hard

Reverse engineer and analyze RotaJakiro Linux malware using Ghidra, strace, and Wireshark to identify persistence, anti-analysis, and C2 mechanisms.

TOCTOU - OilRig

PREMIUM

Endpoint Forensics

hard

Correlate memory, registry, and filesystem artifacts using Volatility 3, MemProcFS, and Timeline Explorer to reconstruct a multi-stage attack timeline and map attacker TTPs to MITRE ATT&CK.

Midnight RDP

PREMIUM

Threat Hunting

hard

Reconstruct a sophisticated intrusion's timeline by correlating Windows Event, Sysmon, and PowerShell logs in Splunk, identifying RDP-based initial access, persistence, privilege escalation, and C2.

SolarDisruption

PREMIUM

Network Forensics

hard

Investigate PLC network traffic and system logs to identify insider manipulation attempts and determine the cause of the solar panel disruption at AetherCore Technologies.

PaloAltoRCE - UTA0218

PREMIUM

Threat Hunting

hard

Reconstruct a Palo Alto RCE attack timeline by analyzing firewall logs in ELK, identifying initial access, reverse shell, persistence, and data exfiltration artifacts.

XZBackDoor

PREMIUM

Endpoint Forensics

hard

Investigate a Linux server compromise by analyzing the XZ backdoor, web shell, log data, and OSINT to uncover attacker TTPs and extract critical IOCs.

OceanLotus

PREMIUM

Malware Analysis

hard

Analyze a memory dump using forensic techniques to identify artifacts from a spear-phishing attack and trace its origin.

ProxyShell

PREMIUM

Network Forensics

hard

Analyze network traffic to identify exploitation attempts targeting the ProxyShell vulnerability and extract relevant indicators of compromise.