Blue Team Labs

Analyze a forensic image to extract communication artifacts, identify malware behavior, and decrypt encrypted files using FTK Imager, string analysis, and PowerShell scripting.

Utilize OSINT, VirusTotal, and crt.sh to analyze a multi-stage malvertising campaign, identifying initial access, malware payloads, and attacker infrastructure.

Reconstruct the Rhysida ransomware attack chain, identifying initial access, persistence, C2, and impact using Splunk and CyberChef.

Correlate Sysmon, Windows event logs, and PowerShell history to reconstruct a multi-stage Black Basta ransomware attack, identifying initial access, persistence, C2, exfiltration, and impact.

Correlate Windows Event Logs and Sysmon artifacts to reconstruct a SQL Server attack, identifying initial access, multiple persistence techniques, and the attacker's cryptomining objective.

Reconstruct a targeted cyber attack's timeline by analyzing Splunk event logs, process, and network data to identify initial access, persistence, privilege escalation, and C2.

Investigate macOS authentication artifacts, decrypt `kcpassword`, and extract secure notes from `login.keychain-db` using `Chainbreaker` to reconstruct user activity.

Reconstruct an intrusion timeline by analyzing event logs, registry, file system, and network artifacts to identify attacker TTPs and data exfiltration.

Reconstruct a Bad Rabbit ransomware attack chain by analyzing phishing, persistence, and MBR modification using dynamic analysis and MITRE ATT&CK.

Correlate Windows event logs and Sysmon data across enterprise systems using ELK to reconstruct a multi-stage cyber attack from initial access to ransomware.