Blue Team Labs

Analyze network traffic in PCAP files using Wireshark to extract IOCs and reconstruct attacker tactics like authentication and remote execution.

Analyze Linux disk image artifacts, including logs and Bash history, using FTK Imager to investigate insider threat activities and reconstruct user actions.

Synthesize KQL findings across Windows events and Azure logs to reconstruct an APT29 multi-stage cloud attack, identifying persistence mechanisms and data exfiltration.

Decrypt traffic, decompile smart contracts, and uncover how attackers turned the blockchain into a C2 channel.

Investigate a software supply-chain compromise that escalates into a ransomware attack, with emphasis on identifying pre-encryption operations.

Synthesize and correlate diverse forensic artifacts from multiple systems to reconstruct the complete HiddenTear attack chain and attribute threat actor TTPs.

Reconstruct multi-stage ransomware attack by correlating Splunk telemetry, disk forensics, and registry artifacts to identify persistence mechanisms, credential dumping, and lateral movement.

Reconstruct a multi-stage attack timeline by analyzing Sysmon and Windows event logs in Splunk to identify attacker tactics from initial access to data exfiltration.