Category: BlueTeam

  • BTLO: Network Analysis – Web Shell

    The SOC received an alert in their SIEM for ‘Local to Local Port Scanning’ where an internal private IP began scanning another internal system.

  • Insider

    You acquired a disk image and found that Karen uses Linux OS on her machine. Analyze the disk image of Karen’s computer and answer the provided questions.

  • L’espion

    You have been tasked by a client whose network was compromised and brought offline to investigate the incident and determine the attacker’s identity.

  • Conti

    An Exchange server was compromised with ransomware. Use Splunk to investigate how the attackers compromised the server.

  • BTLO : The Planet’s Prestige

    Download the file and open it with a text editor. What is the email service used by the malicious actor? What is the Reply-To email address? What is the filetype of the received attachment which helped to continue the investigation? When investigating the file it shows as a pdf attachment. However when downloading the attachment…

  • BTLO : PowerShell Analysis – Keylogger

    A suspicious PowerShell script was found on one of our endpoints. Can you work out what it does? Unzip the folder and open the PowerShell script in a text editor. What is the SHA256 hash value for the PowerShell script file? Get the file hash with the sha256sum tool. What email address is used to…

  • BTLO : Malware Analysis – Ransomware Script

    One of our web servers recently got compromised and was hit with ransomware. Luckily we had a restore point just before the files were encrypted, and managed to recover a suspicious script file that didn’t appear to have been run yet. What is the malicious IP address referenced multiple times in the script? The script…

  • BTLO : Malicious PowerShell Analysis

    Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team –…

  • BTLO : Network Analysis – Ransomware

    ABC Industries worked day and night for a month to prepare a tender document for a prestigious project that would secure the company’s financial future. The company was hit by ransomware, believed to be conducted by a competitor, and the final version of the tender document was encrypted. Right now they are in need of…

  • BTLO : Deep Blue

    A Windows workstation was recently compromised, and evidence suggests it was an attack against internet-facing RDP, then Meterpreter was deployed to conduct ‘Actions on Objectives’. Can you verify these findings?
