Blue Team Labs

Employ Volatility to analyze a memory dump, identifying suspicious processes, network IOCs, memory protections, and attacker's command-and-control infrastructure.

Analyze network traffic in PCAP files using Wireshark to extract IOCs and reconstruct attacker tactics like authentication and remote execution.

Analyze network traffic to reconstruct a complete domain compromise attack chain, from AS-REP Roasting and Kerberoasting through privilege escalation, lateral movement, and data exfiltration using rclone.

Synthesize and correlate diverse forensic artifacts from multiple systems to reconstruct the complete HiddenTear attack chain and attribute threat actor TTPs.

Hunt through Splunk logs to uncover how attackers exploited a DMZ server, pivoted to the internal network, and deployed ransomware after exfiltrating sensitive data.

Reconstruct multi-stage ransomware attack by correlating Splunk telemetry, disk forensics, and registry artifacts to identify persistence mechanisms, credential dumping, and lateral movement.

Reconstruct a multi-stage attack timeline by analyzing Sysmon and Windows event logs in Splunk to identify attacker tactics from initial access to data exfiltration.

Synthesize forensic artifacts and Python source code from a disk image to reconstruct a credential theft attack, identifying persistence methods and C2 communications.