Blue Team Labs

When a "candidate" submits a resume that’s more than it seems, it’s up to you to hunt through the artifacts, reconstruct the infection chain, and stop a data breach in its tracks.

Analyze network traffic to reconstruct a complete domain compromise attack chain, from AS-REP Roasting and Kerberoasting through privilege escalation, lateral movement, and data exfiltration using rclone.

Correlate Splunk Sysmon logs and disk forensic artifacts across multiple hosts to reconstruct a multi-stage Latrodectus malware intrusion from initial access to data exfiltration.

Reconstruct RansomHub ransomware attack chain by correlating Splunk logs and disk artifacts to identify password spray, lateral movement, data exfiltration, and ransomware deployment tactics.

Correlate Sysmon events and forensic artifacts across multiple hosts using Splunk to reconstruct a full ransomware kill chain, from initial compromise to domain-wide impact.

Investigate PLC network traffic and system logs to identify insider manipulation attempts and determine the cause of the solar panel disruption at AetherCore Technologies.

Reconstruct an ICS attack chain by analyzing network traffic with Arkime and Wireshark to identify PLC compromise, I/O manipulation, and classify techniques using MITRE ATT&CK for ICS.

Investigate SIEM logs using GrayLog to identify indicators of compromise associated with the ProxyLogon vulnerability (CVE-2021-26855).

Correlate Windows Defender, Sysmon, and Security logs in Elastic Stack to reconstruct HafinumAPT's initial access, persistence, and lateral movement TTPs.