Blue-Team
- 2025-02-23
The Crime - Mobile Forensics with ALEAPP to Reconstruct a Crime Timeline
Detailed mobile forensics writeup solving a murder case by analyzing an extracted Android device using ALEAPP. The analysis successfully traces the victim's final actions, identifying the primary financial stressor (Olymptrade and a 250,000 EGP debt owed to 'Shady Wahab'), the victim's final known location ('The Nile Ritz-Carlton'), planned escape route ('Las Vegas' flight ticket), and a final scheduled meeting location ('The Mob Museum') based on Discord chat logs.
- 2025-02-17
Network Forensics of LLMNR/NBT-NS Poisoning Attacks
Detailed network forensics writeup investigating an LLMNR/NBT-NS poisoning incident using Wireshark. The analysis tracks the attack chain, identifying the initial mistyped network query (FILESHAARE), the attacker's rogue IP (192.168.232.215), the compromised user (janesmith) whose NTLM hash was intercepted via SMB, and the hostname of the accessed machine (AccountingPC), demonstrating the vulnerability of unauthenticated name resolution protocols.
- 2025-02-06
WebStrike - Network Forensics of Web Shell Upload and Data Exfiltration
Detailed network forensics writeup analyzing a PCAP file to investigate a web shell incident. The analysis successfully identifies the attack's origin (Tianjin, China), the attacker's User-Agent, and the exploitation of a file upload vulnerability to deploy a malicious web shell ('image.jpg.php' in the /reviews/uploads/ directory). Further investigation reveals the attacker's attempt to establish a reverse shell to port 8080 and the subsequent data exfiltration of the sensitive /etc/passwd file.
- 2025-01-30
UFO-1 - Sandworm Team (APT44) MITRE ATT&CK TTP Analysis
Research writeup focusing on the Sandworm Team (APT44), a highly aggressive Russian APT group, using the MITRE ATT&CK framework. Analysis covers their TTPs, critical infrastructure attacks (e.g., 2016 Ukraine power grid, 2022 SCADA attacks), key malware (e.g., Industroyer2, NotPetya, Exaramel), persistence methods, and specific tools used for code execution and data destruction.
- 2025-01-26
Noxious - LLMNR Poisoning and NTLMv2 Hash Cracking
Network forensics writeup detailing the analysis of an LLMNR poisoning attack. The process covers identifying the rogue device via LLMNR and DHCP traffic, locating the victim's credential leak (NTLMv2 hash) within SMB Session Setup packets, extracting NTLM Challenge/Response components, and performing hash cracking with Hashcat to recover the plaintext password, providing full context on the credential theft incident.