Skip to content

lopezrunco/blue-team-labs

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Blue team labs

This repository documents my hands-on learning journey through defensive security and DFIR projects. It focuses on practical exercises to detect, analyze, and respond to cyber threats in real-world scenarios, helping me build core blue team skills.

Platforms

Hack The Box

Skills practiced

  • Network Traffic Analysis (Wireshark, TCP/UDP, Telnet exploitation)
  • DFIR & Incident Response (Event log analysis, Sysmon, Windows artifacts)
  • Malware Analysis (Malicious process identification, VirusTotal checks)
  • Credential & Command Extraction (User accounts, brute-force investigation)
  • Persistence Identification (Backdoor accounts, scripts, MITRE ATT&CK mapping)
  • Threat Detection & Mitigation (C2 detection, log correlation, IOCs)
  • Data Exfiltration Investigation (Database and file extraction, SQL queries)
  • Timeline & Contextual Analysis (Event correlation, session reconstruction)
  • Security Monitoring & Alerting (DLP alerts, suspicious GET requests)

Tools used

Wireshark DB Browser for SQLite Event Viewer Sysmon VirusTotal Kali Linux VirtualBox Zui

Labs:

  • Meerkat: PCAP and log analysis of a credential stuffing attack, CVE-2022-25237 exploitation, and SSH persistence using Wireshark, tshark, and jq.

  • Malware compromise: Investigated a malware infection through PCAP analysis, identifying malicious domains, payload downloads, TLS C2 communication, and Ursnif/Dridex-related activity using Wireshark, Zui, and VirusTotal.

  • Web shell: Investigated a web application compromise involving SYN scanning, Gobuster enumeration, SQL injection with sqlmap, malicious PHP web shell upload, and reverse shell execution through PCAP analysis.

  • Telly: Analyzed a compromised backup server involving Telnet exploitation, backdoor account creation, C2 persistence, and database exfiltration through PCAP and SQLite forensic analysis.

  • Unit42: Investigated a malicious UltraVNC campaign using Sysmon and Event Viewer, identifying the malware, tracing DNS/network activity, and reconstructing the attack timeline.

  • Brutus: Investigated a successful SSH brute-force attack through Linux authentication logs, identifying the attacker IP, compromised root account, persistence via local account creation, and post-compromise activity.

How to Use This Repo

Browse through the individual lab folders to see detailed documentation of each exercise. Screenshots, command-line examples, and extracted evidence are included to demonstrate investigation steps and analytical reasoning.

About

This repository documents my learning path of projects focused on core defensive security concepts, equipping learners with the skills to detect, analyze, and respond to cyber threats in a practical, hands-on environment.

Topics

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors