Blue Team Labs

Hunt mail caches, MFT records, and Prefetch to unmask the initial dropper and rebuild the attack timeline.

Synthesize KQL findings across Windows events and Azure logs to reconstruct an APT29 multi-stage cloud attack, identifying persistence mechanisms and data exfiltration.

Decrypt traffic, decompile smart contracts, and uncover how attackers turned the blockchain into a C2 channel.

Investigate a software supply-chain compromise that escalates into a ransomware attack, with emphasis on identifying pre-encryption operations.

Analyze a cloud-native attack chain involving illicit consent grants, hardcoded credential discovery, Temporary Access Pass abuse, and ABAC bypass to understand modern Azure threat actor techniques.

Reconstruct multi-stage ransomware attack by correlating Splunk telemetry, disk forensics, and registry artifacts to identify persistence mechanisms, credential dumping, and lateral movement.

Reconstruct a multi-stage attack timeline by analyzing Sysmon and Windows event logs in Splunk to identify attacker tactics from initial access to data exfiltration.

Correlate Android and Windows forensic artifacts, including logs and malware analysis, to reconstruct a multi-stage BYOD breach from initial access to persistence.