Blue Team Labs

Correlate Sysmon events and forensic artifacts across multiple hosts using Splunk to reconstruct a full ransomware kill chain, from initial compromise to domain-wide impact.

Investigate PLC network traffic and system logs to identify insider manipulation attempts and determine the cause of the solar panel disruption at AetherCore Technologies.

Reconstruct an ICS attack chain by analyzing network traffic with Arkime and Wireshark to identify PLC compromise, I/O manipulation, and classify techniques using MITRE ATT&CK for ICS.

Investigate SIEM logs using GrayLog to identify indicators of compromise associated with the ProxyLogon vulnerability (CVE-2021-26855).

Correlate Windows Defender, Sysmon, and Security logs in Elastic Stack to reconstruct HafinumAPT's initial access, persistence, and lateral movement TTPs.

Investigate iOS device artifacts using iLEAPP and SQLite Browser to identify anomalous user behavior and potential illicit activity.

Reconstruct a Diameter signaling attack on an LTE core network using Kibana to identify 2FA bypass and unauthorized transactions.

Apply Splunk search queries to extract information and answer questions from provided log data.

Apply Attack-Based Hunting methodology using Splunk to analyze and correlate diverse network and host logs, identifying multiple distinct cyberattack scenarios.