Blue Team Labs

Correlate Sysmon events and forensic artifacts across multiple hosts using Splunk to reconstruct a full ransomware kill chain, from initial compromise to domain-wide impact.

Investigate attacker behavior by analyzing Windows artifacts to identify persistence, privilege escalation, and lateral movement using MFTECmd, PECmd, BitsParser, and registry analysis tools.

Synthesize disparate forensic artifacts across email, network, and host logs to reconstruct a multi-stage phishing, malware, and C2 attack, attributing it to a known campaign.

Investigate a disk image to uncover a UAC bypass and process hollowing and trace the attack back to a compromised software repository.

Reconstruct a macOS attack timeline by correlating Unified Logs, FSEvents, and browser artifacts using macMRU.py and unifiedlog_iterator to identify initial access, Gatekeeper bypass, and persistence.

Analyze a web server compromise by analyzing network traffic to trace a Java deserialization exploit and the subsequent deployment of a Cobalt Strike beacon.

Reconstruct Rilide browser extension attack mechanisms by deobfuscating JavaScript, analyzing Chrome extension artifacts, and leveraging OSINT to identify persistence, C2, and exfiltration IOCs.

Correlate memory, registry, and filesystem artifacts using Volatility 3, MemProcFS, and Timeline Explorer to reconstruct a multi-stage attack timeline and map attacker TTPs to MITRE ATT&CK.

Reconstruct BlackSuit ransomware's attack lifecycle by analyzing PE artifacts, encrypted payloads, API calls, and network communication using Ghidra, x64dbg, and CFF Explorer.

Reconstruct a sophisticated intrusion's timeline by correlating Windows Event, Sysmon, and PowerShell logs in Splunk, identifying RDP-based initial access, persistence, privilege escalation, and C2.