Blue Team Labs

Put your knowledge into practice with gamified cyber security challenges.

Malware Traffic Analysis 3

PREMIUM

Network Forensics

medium

Synthesize network, binary, and threat intelligence artifacts to reconstruct an exploit kit attack chain, identifying components, deobfuscating payloads, and analyzing binary protections.

Malware Traffic Analysis 2

PREMIUM

Network Forensics

medium

Reconstruct an exploit kit attack chain from network traffic, identifying the infected host, extracting malware, and determining the exploited CVE using Wireshark and forensic tools.

Malware Traffic Analysis 1

PREMIUM

Network Forensics

medium

Analyze network traffic using Wireshark to identify an infected host, trace an exploit kit infection chain, and extract malicious URLs and file hashes.

Boss Of The SOC v1

PREMIUM

Threat Hunting

medium

Reconstruct multi-stage attack scenarios by analyzing Splunk logs and integrating OSINT from VirusTotal, ThreatCrowd, and WHOXY to identify TTPs and IOCs.

RoastToRoot

PREMIUM, New

Network Forensics

hard

Analyze network traffic to reconstruct a complete domain compromise attack chain, from AS-REP Roasting and Kerberoasting through privilege escalation, lateral movement, and data exfiltration using rclone.

LFI Escalation

PREMIUM

Endpoint Forensics

hard

Spooler - APT28

PREMIUM

Endpoint Forensics

hard

Hunt browser downloads, MFT records, and Prefetch to unmask the initial dropper and rebuild the attack timeline.

YARA Trap

PREMIUM

Endpoint Forensics

hard

Investigate attacker behavior by analyzing Windows artifacts to identify persistence, privilege escalation, and lateral movement using MFTECmd, PECmd, BitsParser, and registry analysis tools.

RepoReaper - Water Curse

PREMIUM

Endpoint Forensics

hard

Investigate a disk image to uncover a UAC bypass and process hollowing, then trace the attack back to a compromised software repository.

GateBreak

PREMIUM

Endpoint Forensics

hard

Reconstruct a macOS attack timeline by correlating Unified Logs, FSEvents, and browser artifacts using macMRU.py and unifiedlog_iterator to identify initial access, Gatekeeper bypass, and persistence.