Campaign attribution analysis involves systematically evaluating evidence to determine which threat actor or
Skills (SKILL.md) are configuration files that add specific capabilities to AI agents (Claude Code, Cursor, Codex, and others).
Monitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates,
Detect abnormal access patterns in AWS S3, GCS, and Azure Blob Storage by analyzing CloudTrail Data Events, GCS
Extract and analyze Cobalt Strike beacon configuration from PE files and memory dumps to identify C2 infrastructure,
Parse and analyze Cobalt Strike Malleable C2 profiles using dissect.cobaltstrike and pyMalleableC2 to extract
Analyzes malware command-and-control (C2) communication protocols to understand beacon patterns, command structures,
Analyzes intrusion activity against the Lockheed Martin Cyber Kill Chain framework to identify which phases
Perform comprehensive forensic analysis of disk images using Autopsy to recover files, examine artifacts, and
Analyzes DNS query logs to detect data exfiltration via DNS tunneling, DGA domain communication, and covert
Investigate compromised Docker containers by analyzing images, layers, volumes, logs, and runtime artifacts to
Parse and analyze email headers to trace the origin of phishing emails, verify sender authenticity, and identify
Perform static and symbolic analysis of Solidity smart contracts using Slither and Mythril to detect reentrancy,
Reverse engineer Go-compiled malware using Ghidra with specialized scripts for function recovery, string extraction,
Detect and analyze heap spray attacks in memory dumps using Volatility3 plugins to identify NOP sled patterns,
Analyzes indicators of compromise (IOCs) including IP addresses, domains, file hashes, URLs, and email artifacts
Performs runtime mobile security exploration of iOS applications using Objection, a Frida-powered toolkit that
Parses Kubernetes API server audit logs (JSON lines) to detect exec-into-pod, secret access, RBAC modifications,
Uses the Linux Audit framework (auditd) with ausearch and aureport utilities to detect intrusion attempts, unauthorized
Analyzes malicious Linux ELF (Executable and Linkable Format) binaries including botnets, cryptominers, ransomware,
Detect kernel-level rootkits in Linux memory dumps using Volatility3 linux plugins (check_syscall, lsmod, hidden_modules),
Examine Linux system artifacts including auth logs, cron jobs, shell history, and system configuration to uncover
Analyze Windows LNK shortcut files and Jump List artifacts to establish evidence of file access, program execution,
Analyzes malicious VBA macros embedded in Microsoft Office documents (Word, Excel, PowerPoint) to identify download
Perform static analysis of malicious PDF documents using peepdf, pdfid, and pdf-parser to extract embedded JavaScript,
URLScan.io is a free service for scanning and analyzing suspicious URLs. It captures screenshots, DOM content,
Executes malware samples in Cuckoo Sandbox to observe runtime behavior including process creation, file system
Use the Malpedia platform and API to research malware family relationships, track variant evolution, link families
Use Sysinternals Autoruns to systematically identify and analyze malware persistence mechanisms across registry
Detect sandbox evasion techniques in malware samples by analyzing timing checks, VM artifact queries, user interaction
Analyzes RAM memory dumps from compromised systems using the Volatility framework to identify malicious processes,
Performs Linux memory acquisition using the LiME (Linux Memory Extractor) kernel module and analysis with Volatility
Analyze the NTFS Master File Table ($MFT) to recover metadata and content of deleted files by examining MFT record
Detect and analyze covert communication channels used by malware including DNS tunneling, ICMP exfiltration,
Parse NetFlow v9 and IPFIX records to detect volumetric anomalies, port scanning, data exfiltration, and C2 beaconing
Craft, send, sniff, and dissect network packets using Scapy for protocol analysis, network reconnaissance, and
Analyzes network traffic captures and flow data to identify adversary activity during security incidents, including
Analyzes network traffic generated by malware during sandbox execution or live incident response to identify
Captures and analyzes network packet data using Wireshark and tshark to identify malicious traffic patterns,
Parse Office 365 Unified Audit Logs via Microsoft Graph API to detect email forwarding rule creation, inbox delegation,
Analyze Microsoft Outlook PST and OST files for email forensic evidence including message content, headers, attachments,
Identifies and unpacks UPX-packed and other packed malware samples to expose the original executable code for
Analyzes malicious PDF files using PDFiD, pdf-parser, and peepdf to identify embedded JavaScript, shellcode,
Detect and analyze Linux persistence mechanisms including crontab entries, systemd service units, LD_PRELOAD
Detect PowerShell Empire framework artifacts in Windows event logs by identifying Base64 encoded launcher patterns,
Parse Windows PowerShell Script Block Logs (Event ID 4104) from EVTX files to detect obfuscated commands, encoded
Parse Windows Prefetch files to determine program execution history including run counts, timestamps, and referenced
Analyzes encryption algorithms, key management, and file encryption routines used by ransomware families to
Monitor and analyze ransomware group data leak sites (DLS) to track victim postings, extract threat intelligence
Identify ransomware network indicators including C2 beaconing patterns, TOR exit node connections, data exfiltration
Traces ransomware cryptocurrency payment flows using blockchain analysis tools such as Chainalysis Reactor,