https://igortkanov.com/computers/network-forensics/Recent content in Network Forensics on {IT}Hugoen-usCopyright © 2026 {IT}. All rights reserved. Unless otherwise stated, all text, images, diagrams, and other original content on this blog may not be reproduced, distributed, or used without prior written permission.Sun, 24 Aug 2025 11:34:34 +0000https://igortkanov.com/solving-the-openfire-lab-blue-team-challenge/Sun, 24 Aug 2025 11:34:34 +0000https://igortkanov.com/solving-the-openfire-lab-blue-team-challenge/<p>Today we&rsquo;re reviewing a vulnerability in <strong><a href="https://en.wikipedia.org/wiki/Openfire" target="_blank" rel="noopener noreferrer">Openfire</a></strong>. It is a self-hosted alternative to Slack/Teams: you run it on your own infrastructure, control the data, and extend it with plugins.</p> <blockquote> <p>As a cybersecurity analyst, you are tasked with investigating a data breach targeting your organization&rsquo;s Openfire messaging server.</p> <p>Attackers have exploited a vulnerability in the server, compromising sensitive communications and potentially exposing critical data.</p> <p>Your task is to analyze the provided network capture files using Wireshark. Identify evidence of the exploitation, trace the attacker&rsquo;s actions, and uncover indicators of compromise.</p>https://igortkanov.com/solving-the-shadowcitadel-lab-blue-team-challenge/Sun, 10 Aug 2025 19:33:14 +0000https://igortkanov.com/solving-the-shadowcitadel-lab-blue-team-challenge/<p>Today, we dive into a host-based forensics investigation − a curious case of a breach inside the enterprise environment of a company called <em>TechSynergy</em>:</p> <blockquote> <p>A leading tech firm, TechSynergy, has detected an anomaly after an employee engaged with an unexpected email attachment. This triggered a series of covert operations within the network, including unusual account activity and system alterations.</p> <p>Security alerts indicate potential access to sensitive infrastructure, with suspicious outbound traffic raising red flags. The incident response team fears a sophisticated attack may be underway, threatening critical data.</p>https://igortkanov.com/solving-the-xlmrat-blue-team-challenge/Sat, 28 Jun 2025 13:46:59 +0000https://igortkanov.com/solving-the-xlmrat-blue-team-challenge/<p>Today we&rsquo;re looking at the XLMRat malware. It is a remote access trojan (hence the RAT part) built to be small, sneaky, and stupidly persistent. It typically rides in via phishing or social engineering, often disguised as something mundane, like a JPG or TXT file. It targets Windows systems and speaks fluent PowerShell.</p> <p>It&rsquo;s popular among low-effort attackers looking for ready-made tools that still pack a punch. Especially in campaigns targeting individuals or small orgs where endpoint hygiene is weak. There&rsquo;s a block with more information at the end of this post ⬇️</p>https://igortkanov.com/solving-the-webstrike-blue-team-challenge/Sun, 17 Dec 2023 21:12:03 +0000https://igortkanov.com/solving-the-webstrike-blue-team-challenge/<h2 id="the-challenge">The challenge</h2> <p>In the intricate world of cybersecurity, every attack leaves behind digital footprints waiting to be deciphered. In this post, we embark on a brief journey to unravel a cyber threat, dissecting each element that reveals an attacker&rsquo;s origin, tactics, and motives. Let&rsquo;s dive in.</p> <p>The challenge is presented by CyberDefenders (<a href="https://cyberdefenders.org" target="_blank" rel="noopener noreferrer">https://cyberdefenders.org</a>) and can be found here: <a href="https://cyberdefenders.org/blueteam-ctf-challenges/webstrike/" target="_blank" rel="noopener noreferrer">https://cyberdefenders.org/blueteam-ctf-challenges/webstrike/</a>.</p> <p><em>Note: This post is not sponsored by or affiliated with CyberDefenders.</em></p>