Blue Team Labs

Analyze Sysmon logs in Elastic SIEM to investigate REvil ransomware attack behaviors, decode recovery sabotage commands, and identify IOCs including the C2 onion domain.

Analyze network traffic using Wireshark's custom columns, filters, and statistics to identify suspicious web server administration access and potential compromise.

Analyze network traffic in PCAP files using Wireshark to extract IOCs and reconstruct attacker tactics like authentication and remote execution.

Analyze Linux disk image artifacts, including logs and Bash history, using FTK Imager to investigate insider threat activities and reconstruct user actions.

Synthesize forensic artifacts from event logs and disk images to reconstruct a multi-stage attack chain, detailing initial access, privilege escalation, lateral movement, and data exfiltration.

Reconstruct the complete attack timeline by analyzing browser history, event logs, registry, and Git artifacts to identify initial access, persistence, and data exfiltration mechanisms.

Hunt mail caches, MFT records, and Prefetch to unmask the initial dropper and rebuild the attack timeline.

Synthesize KQL findings across Windows events and Azure logs to reconstruct an APT29 multi-stage cloud attack, identifying persistence mechanisms and data exfiltration.

Decrypt traffic, decompile smart contracts, and uncover how attackers turned the blockchain into a C2 channel.

Investigate a software supply-chain compromise that escalates into a ransomware attack, with emphasis on identifying pre-encryption operations.