
Lab Portfolio Stats

Generated 2026-04-12  ·  119 files scanned  ·  auto-generated from Obsidian vault
About this page
This is an auto-generated snapshot from my Obsidian vault — not an exhaustive inventory. It surfaces patterns across 115 labs and 82 SOC alerts. Every number links back to a documented investigation. Full writeups live at /blue-team/labs — this page exists so you don't have to read all of them.
Labs Completed: 115
Completion Rate: 97.5%
BTLO Labs: 71
CyberDefenders: 43
MITRE Tactics Hit: 32
Malware Families: 10
Platform & Difficulty
Platform Split
BTLO: 71
CyberDefenders: 43
Other: 4
Difficulty Breakdown
Easy: 78
Medium: 32
Hard: 5
Hard: First Week · Insider Threat · Secure Shell · You're Hired
Categories & Tools
Top Categories
Incident Response: 38
Endpoint Forensics: 25
Network Forensics: 16
Threat Intelligence: 10
Cloud Forensics: 4
Malware Analysis: 4
Detection Eng.: 2
Most Used Tools
Wireshark: 36
PowerShell: 36
VirusTotal: 29
OSINT techniques: 20
Sysmon: 18
CyberChef: 16
Volatility v2/v3: 12
Splunk: 10
MITRE ATT&CK Coverage
Tactics by Lab Count
Execution: 32
Defense Evasion: 30
Persistence: 25
Credential Access: 21
Command & Control: 21
Privilege Escalation: 19
Initial Access: 16
Exfiltration: 10
Lateral Movement: 9
Top Techniques
T1059.001 · PowerShell
T1105 · Ingress Tool Transfer
T1190 · Exploit Public-Facing App
T1566.001 · Spearphishing Link
T1505.003 · Web Shells
T1547.001 · Boot/Logon Autostart
T1027 · Obfuscated Files
T1036.005 · Masquerading
Full coverage mapped on the ATT&CK Heatmap →
Malware Families Investigated
Confirmed Families — 10 Total
DanaBot · Banking Trojan
IcedID · Banking Trojan
XWorm · RAT
XLMRat · Macro-based RAT
NerisBot · Banking Trojan
Amadey · Trojan / Stealer
Andromeda · Bot / Loader
Ramnit · Banking Worm
REvil · Ransomware
LummaStealer · Credential Stealer
Notable Specialty Labs
APT / Nation-State
Gothic Panda series · andromeda-bot-unc4210 · revil_gold
Cloud Forensics
awsraid · azurehunt · rogueazure · spilledbucket
Supply Chain
3cxsupplychain · npm_supply_chain_attack
Memory Forensics
amadey · latent · firstweek · volatilitytraces
Ransomware IR
raasunfold · revil_gold · maranhao · ramnit
Unique Scenarios
containerbreak (escape) · androidbreach (mobile)
Technologies Covered
Platforms
Windows · Linux · macOS · Android (ALEAPP) · Docker / Containers
Active Directory — Investigated Attacks
Mimikatz / Credential Dumping · DCSync · Pass-the-Hash · Kerberoasting · LDAP Enumeration · NTLM Relay · Privilege Escalation via AD
Cloud & Protocols
Azure · AWS · Office 365 · HTTP/S · SSH · RDP · FTP · SMB
LetsDefend — SOC Alert Triage
Alerts Investigated: 82
True Positive Rate: 82.9%
Critical Severity: 13
CVEs Investigated: 10
MITRE Techniques: 54
Alert Categories
Phishing / Social Eng.: 16
Web App / CVE Abuse: 14
Malware Execution: 12
LOLBin / Binary Abuse: 9
Proxy / Suspicious URL: 6
Brute Force / Auth: 5
Persistence: 4
C2 / RAT / Backdoor: 3
Data Exfiltration: 3
Ransomware: 2
Severity Split
Critical: 13
High: 30
Medium: 38
Low: 1
Outcome
True Positive: 68
False Positive: 14
FP causes: WinRAR/Google Update downloads, authorised pentest activity, legitimate domains flagged by keyword match
CVEs Investigated — 10 Total
CVE-2025-53770 · SharePoint ToolShell · Critical · TP
CVE-2024-3400 · PAN-OS RCE · Critical · TP
CVE-2023-29357 · SharePoint Auth Bypass · Critical · TP
CVE-2025-21298 · Windows OLE RCE · Medium · TP
CVE-2024-49138 · Windows Privesc · Medium · TP
CVE-2024-24919 · Check Point Gateway · High · TP
CVE-2023-46214 · Splunk RCE · High · TP
CVE-2023-22515 · Confluence RCE · High · TP
CVE-2022-41082 · ProxyNotShell · High · TP
CVE-2022-30190 · Follina MSDT · Medium · TP
Notable Threat Actors & Malware
APT35 / Charming Kitten · Nation-state · HyperScrape
Emotet · Banking Trojan / Loader ×4
Cobalt Strike · Offensive C2
Lumma Stealer · Credential Stealer
AsyncRAT · Remote Access Trojan
Maze · Ransomware
Impacket / wmiexec · Post-exploitation
JuicyPotato · Privilege Escalation
Recurring Attacker TTP Patterns
01 · Phishing → macro/exploit → PowerShell → payload download (~12 cases — Emotet, Maze, AsyncRAT, LummaStealer)
02 · CVE exploitation → web shell → privilege escalation (SharePoint ×2, Confluence, Splunk, PAN-OS)
03 · LOLBin proxy execution to bypass controls (mshta, certutil, rundll32, wscript, regsvr32)
04 · Brute force exposed service → valid account → RDP/VPN lateral access
05 · Living-off-the-land post-compromise (wmiexec, JuicyPotato, LinEnum, certutil, BloodHound)
Active growth area: Cloud forensics currently represents 4 of 115 labs. AWS CloudTrail/S3, Azure Sentinel, and Microsoft Defender for Cloud investigations are in active rotation — this number is moving.