Blue Team Labs

Investigate attacker behavior by analyzing Windows artifacts to identify persistence, privilege escalation, and lateral movement using MFTECmd, PECmd, BitsParser, and registry analysis tools.

Synthesize disparate forensic artifacts across email, network, and host logs to reconstruct a multi-stage phishing, malware, and C2 attack, attributing it to a known campaign.

Investigate a disk image to uncover a UAC bypass and process hollowing and trace the attack back to a compromised software repository.

Analyze a web server compromise by analyzing network traffic to trace a Java deserialization exploit and the subsequent deployment of a Cobalt Strike beacon.

Reconstruct BlackSuit ransomware's attack lifecycle by analyzing PE artifacts, encrypted payloads, API calls, and network communication using Ghidra, x64dbg, and CFF Explorer.

Reconstruct a sophisticated intrusion's timeline by correlating Windows Event, Sysmon, and PowerShell logs in Splunk, identifying RDP-based initial access, persistence, privilege escalation, and C2.

Investigate PLC network traffic and system logs to identify insider manipulation attempts and determine the cause of the solar panel disruption at AetherCore Technologies.

Reconstruct an ICS attack chain by analyzing network traffic with Arkime and Wireshark to identify PLC compromise, I/O manipulation, and classify techniques using MITRE ATT&CK for ICS.

Learn to investigate a domain controller compromise by analyzing logs, memory, and artifacts to uncover attacker tactics, persistence methods, and the full intrusion timeline.