Skip to content

Latest commit

 

History

History
48 lines (32 loc) · 3.53 KB

File metadata and controls

48 lines (32 loc) · 3.53 KB

Blue team labs

This repository documents my hands-on learning journey through defensive security and DFIR projects. It focuses on practical exercises to detect, analyze, and respond to cyber threats in real-world scenarios, helping me build core blue team skills.

Platforms

Hack The Box

Skills practiced

  • Network Traffic Analysis (Wireshark, TCP/UDP, Telnet exploitation)
  • DFIR & Incident Response (Event log analysis, Sysmon, Windows artifacts)
  • Malware Analysis (Malicious process identification, VirusTotal checks)
  • Credential & Command Extraction (User accounts, brute-force investigation)
  • Persistence Identification (Backdoor accounts, scripts, MITRE ATT&CK mapping)
  • Threat Detection & Mitigation (C2 detection, log correlation, IOCs)
  • Data Exfiltration Investigation (Database and file extraction, SQL queries)
  • Timeline & Contextual Analysis (Event correlation, session reconstruction)
  • Security Monitoring & Alerting (DLP alerts, suspicious GET requests)

Tools used

Wireshark DB Browser for SQLite Event Viewer Sysmon VirusTotal Kali Linux VirtualBox Zui

Labs:

  • Meerkat: PCAP and log analysis of a credential stuffing attack, CVE-2022-25237 exploitation, and SSH persistence using Wireshark, tshark, and jq.

  • Malware compromise: Investigated a malware infection through PCAP analysis, identifying malicious domains, payload downloads, TLS C2 communication, and Ursnif/Dridex-related activity using Wireshark, Zui, and VirusTotal.

  • Web shell: Investigated a web application compromise involving SYN scanning, Gobuster enumeration, SQL injection with sqlmap, malicious PHP web shell upload, and reverse shell execution through PCAP analysis.

  • Telly: Analyzed a compromised backup server involving Telnet exploitation, backdoor account creation, C2 persistence, and database exfiltration through PCAP and SQLite forensic analysis.

  • Unit42: Investigated a malicious UltraVNC campaign using Sysmon and Event Viewer, identifying the malware, tracing DNS/network activity, and reconstructing the attack timeline.

  • Brutus: Investigated a successful SSH brute-force attack through Linux authentication logs, identifying the attacker IP, compromised root account, persistence via local account creation, and post-compromise activity.

How to Use This Repo

Browse through the individual lab folders to see detailed documentation of each exercise. Screenshots, command-line examples, and extracted evidence are included to demonstrate investigation steps and analytical reasoning.