Blue Team Labs

Put your knowledge into practice with gamified cyber security challenges.

XZBackDoor

PREMIUM

Endpoint Forensics

hard

Investigate a Linux server compromise by analyzing the XZ backdoor, web shell, log data, and OSINT to uncover attacker TTPs and extract critical IOCs.

SpottedInTheWild

Endpoint Forensics

hard

Reconstruct an attack timeline by analyzing disk images, event logs, and malicious scripts to identify initial access, persistence, and data exfiltration techniques.

GhostDetect

PREMIUM

Malware Analysis

hard

Investigate a multi-stage phishing attack by analyzing LNK files, de-obfuscating scripts, identifying C2, decrypting payloads, and attributing the TTPs to the UAC-0057 APT group.

Brutal Tank

PREMIUM

Threat Hunting

hard

Reconstruct an ICS attack chain by analyzing network traffic with Arkime and Wireshark to identify PLC compromise, I/O manipulation, and classify techniques using MITRE ATT&CK for ICS.

Zerologon

PREMIUM

Endpoint Forensics

hard

Reconstruct a multi-stage attack by analyzing Windows event logs, USN Journal, and registry artifacts to identify TTPs, C2, and persistence mechanisms.

ProPDF

PREMIUM

Malware Analysis

hard

Reconstruct a malicious PDF attack chain by analyzing embedded JavaScript, extracting the PE payload, identifying Windows API calls, and uncovering the C2 server and downloaded file.

T1059-007

PREMIUM

Malware Analysis

hard

Analyze malware file system activity with Process Monitor (ProcMon), identify scheduled task persistence using Sysinternals Autoruns, and configure PowerShell logging to capture script execution.

OceanLotus

PREMIUM

Malware Analysis

hard

Analyze a memory dump using forensic techniques to identify artifacts from a spear-phishing attack and trace its origin.

ProxyShell

PREMIUM

Network Forensics

hard

Analyze network traffic to identify exploitation attempts targeting the ProxyShell vulnerability and extract relevant indicators of compromise.

ProxyLogon - HAFNIUM

PREMIUM

Threat Hunting

hard

Investigate SIEM logs using Graylog to identify indicators of compromise associated with the ProxyLogon vulnerability (CVE-2021-26855).