Blue Team Labs

Reconstruct a multi-stage Azure attack timeline by analyzing Entra ID, Audit, and Storage Blob logs using Kusto Query Language to identify initial access, persistence, privilege escalation, and data exfiltration.

Reconstruct multi-stage APT attack chain by correlating email, browser, Sysmon logs, and registry artifacts to identify persistence mechanisms and data exfiltration techniques.

Identify threat actor TTPs and IOCs for APT29 by navigating and querying the OpenCTI threat intelligence platform.

Analyze AWS GuardDuty, CloudTrail, S3, and CloudWatch logs to identify attacker actions, exploited misconfigurations, and reconstruct an AWS cloud security incident.

Analyze a malicious Chrome extension's code and behavior to identify data theft mechanisms, covert exfiltration via `<img>` tags, and anti-analysis techniques.

Analyze PCAP data using Wireshark to identify XXE vulnerabilities, extract compromised credentials, and detect web shell uploads for persistence.

Analyze network traffic using Wireshark to investigate a web server compromise, identify web shell deployment, reverse shell communication, and data exfiltration.

Analyze a sandbox report using Any.Run to identify Stealc malware behavior, extract configuration details, and map observed tactics to MITRE ATT&CK.

Reconstruct Amadey Trojan behavior by analyzing memory dumps with Volatility3 to identify malicious processes, C2 communications, payload delivery, and persistence mechanisms.

Analyze a cryptocurrency phishing kit to identify exfiltration methods, extract critical IOCs, and gather threat actor intelligence using local logs and Telegram APIs.

Analyze network traffic to reconstruct a complete domain compromise attack chain, from AS-REP Roasting and Kerberoasting through privilege escalation, lateral movement, and data exfiltration using rclone.

Synthesize and correlate diverse forensic artifacts from multiple systems to reconstruct the complete HiddenTear attack chain and attribute threat actor TTPs.

Reconstruct multi-stage ransomware attack by correlating Splunk telemetry, disk forensics, and registry artifacts to identify persistence mechanisms, credential dumping, and lateral movement.

Reconstruct a multi-stage attack timeline by analyzing Sysmon and Windows event logs in Splunk to identify attacker tactics from initial access to data exfiltration.

Synthesize forensic artifacts and Python source code from a disk image to reconstruct a credential theft attack, identifying persistence methods and C2 communications.

Correlate Android and Windows forensic artifacts, including logs and malware analysis, to reconstruct a multi-stage BYOD breach from initial access to persistence.

Correlate Windows event logs and Sysmon data across enterprise systems using ELK to reconstruct a multi-stage cyber attack from initial access to ransomware.

Reconstruct attacker methods on a Linux system by analyzing a disk image, recovering deleted files with Photorec, and correlating logs, command history, and configuration files.

Analyze an Android device dump and reverse engineer a malicious APK using ALEAPP and JADX-GUI to identify malware functionality, data exfiltration, and extract compromised credentials.

Reconstruct a Linux system's unauthorized access and ransomware incident by analyzing logs, browser, and email artifacts, decrypting payloads, and identifying persistence.