Blue Team Labs

Analyze network traffic using Wireshark to identify an infected host, trace an exploit kit infection chain, and extract malicious URLs and file hashes.

Reconstruct multi-stage attack scenarios by analyzing Splunk logs and integrating OSINT from VirusTotal, ThreatCrowd, and WHOXY to identify TTPs and IOCs.

Correlate Splunk Sysmon logs and disk forensic artifacts across multiple hosts to reconstruct a multi-stage Latrodectus malware intrusion from initial access to data exfiltration.

Reconstruct RansomHub ransomware attack chain by correlating Splunk logs and disk artifacts to identify password spray, lateral movement, data exfiltration, and ransomware deployment tactics.

Correlate Sysmon events and forensic artifacts across multiple hosts using Splunk to reconstruct a full ransomware kill chain, from initial compromise to domain-wide impact.

Investigate attacker behavior by analyzing Windows artifacts to identify persistence, privilege escalation, and lateral movement using MFTECmd, PECmd, BitsParser, and registry analysis tools.

Investigate a disk image to uncover a UAC bypass and process hollowing and trace the attack back to a compromised software repository.

Reconstruct a macOS attack timeline by correlating Unified Logs, FSEvents, and browser artifacts using macMRU.py and unifiedlog_iterator to identify initial access, Gatekeeper bypass, and persistence.

Analyze a web server compromise by analyzing network traffic to trace a Java deserialization exploit and the subsequent deployment of a Cobalt Strike beacon.