Blue Team Labs

Reconstruct an exploit kit attack chain from network traffic, identifying the infected host, extracting malware, and determining the exploited CVE using Wireshark and forensic tools.

Analyze network traffic using Wireshark to identify an infected host, trace an exploit kit infection chain, and extract malicious URLs and file hashes.

Reconstruct multi-stage attack scenarios by analyzing Splunk logs and integrating OSINT from VirusTotal, ThreatCrowd, and WHOXY to identify TTPs and IOCs.

Correlate Splunk Sysmon logs and disk forensic artifacts across multiple hosts to reconstruct a multi-stage Latrodectus malware intrusion from initial access to data exfiltration.

Reconstruct RansomHub ransomware attack chain by correlating Splunk logs and disk artifacts to identify password spray, lateral movement, data exfiltration, and ransomware deployment tactics.

Hunt browser downloads, MFT records, and Prefetch to unmask the initial dropper and rebuild the attack timeline.

Correlate Sysmon events and forensic artifacts across multiple hosts using Splunk to reconstruct a full ransomware kill chain, from initial compromise to domain-wide impact.

Investigate attacker behavior by analyzing Windows artifacts to identify persistence, privilege escalation, and lateral movement using MFTECmd, PECmd, BitsParser, and registry analysis tools.

Synthesize disparate forensic artifacts across email, network, and host logs to reconstruct a multi-stage phishing, malware, and C2 attack, attributing it to a known campaign.