blueteamsec

Masquerading Original filename does not match current filename https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day11_different_filename_and_originalfilename_ttp.md

Masquerading - renamed system utility https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day12_renamed_sys_utilities.md

Vulnerability Ni8mare CVE-2026-21858 https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day13_ni8mare_cve-2026-21858_vuln.md

DDoSIA Config Threat Feed Rule https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day14_cti_ddosiaconfig.md

Query to identify internet facing devices and then find those running the MongoDB service with a version impacted by the MongoBleed vulnerability https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day10_mongobleed_vuln.md

Creation of .proj file in suspicious location eventually used to to bypass AV detection with msbuild.exe use. https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day9_suspicious_filecreation_msbuild_ttp.md

Detects Industroyer malware based on the count of specific PE Rich header Prod IDs https://github.com/RustyNoob-619/100-Days-of-YARA-2026/blob/main/Rules/Day8.yara

Detects Paper Werewolf (GOFFEE) EchoGather backdoor https://github.com/t3ft3lb/2026-100DaysofYARA/blob/main/day_8.yara

Detects Blue noroff MACOS initial access script https://github.com/Squiblydoo/100DaysofYARA/blob/main/Squiblydoo/Day9.yara

Detects NukeSped used by various DPRK APTs based on PE Rich header properties https://github.com/RustyNoob-619/100-Days-of-YARA-2026/blob/main/Rules/Day9.yara

Detects PE+ZIP polyglot files (T1036.008) https://github.com/t3ft3lb/2026-100DaysofYARA/blob/main/day_9.yara

Detects Watch Wolf (Hive0117) DarkWatchman JS loader https://github.com/t3ft3lb/2026-100DaysofYARA/blob/main/day_10.yara