blueteamsec

459 readers
42 users here now

For [Blue|Purple] Teams in Cyber Defence - covering discovery, detection, response, threat intelligence, malware, offensive tradecraft and tooling, deception, reverse engineering etc.

founded 2 years ago
MODERATORS
digicat
listing: all - local
376
1
Cyber Deception: State of the art, Trends and Open challenges (arxiv.org)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
377
6
theProtector: Linux Bash Script for the Paranoid Admin on a Budget - real-time monitoring and active threat response (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
378
1
An important update (and apology) on our PoisonSeed blog (expel.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
379
0
NachoVPN: Now With More VPN (And SYSTEM Shells) - Part 1 (blog.amberwolf.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
380
3
obfus.h: Macro-header for compile-time C obfuscation (tcc, win x86/x64) (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
1 comments fedilink
381
1
Under the Hood of AFD.sys Part 1: Investigating Undocumented Interfaces - "NtCreateFile to craft a raw TCP socket via AFD.sys on Windows 11, completely skipping Winsock" (leftarcode.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
382
2
Understanding Current CastleLoader Campaigns - "An emerging loader malware using phishing & fake GitHub repos to deploy RATs & stealers. Now targeting enterprise users via fake Zscaler Client & more." (catalyst.prodaft.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
383
33
Welcome to the new home of what was /r/Blueteamsec and how it works.. (self.blueteamsec)
submitted 3 weeks ago* (last edited 3 weeks ago) by digicat to c/blueteamsec
9 comments fedilink
 
 

Firstly, welcome - you have found us.

Secondly, the origin story - https://www.reddit.com/r/blueteamsec/comments/1mc3pza/reddit_managed_to_ban_the_mod_of_rblueteamsec_due/ of which the tl;dr is we were in /r/Blueteamsec since 2018 and then in July 2025 the mod account got banned.

Thirdly, settle in as this is going to be the permanent home. The only features missing from Lemmy really are:

  • the titles are a little shorter than we are used to
  • the ability to style some of the community
  • categories

but in short nothing material. The Jerboa mobile client is excellent.

Fourthly, how does this work? Broadly speaking

  • there are optimised sources across X, various sites, groups and lists etc.
  • they are reviewed generally once or twice a day (start / end)
  • content is ideally < 1 week old at time of posting
  • content is then reviewed / curated / titles edited and posted

the rough rule of thumb being:

  • link to the source where possible i.e. not a news article but the technical source
  • cyber security relevant and insightful to cyber defence across technology, adversarial tradecraft/techniques/tools, threat intelligence, policy or events

Finally, all community contributions welcome!

384
3
Stack Overflows, Heap Overflows, and Existential Dread (SonicWall SMA100 CVE-2025-40596, CVE-2025-40597 and CVE-2025-40598) (labs.watchtowr.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
385
6
Hackers Destroy Aeroflot’s IT Infrastructure, Causing Over 42 Flight Cancellations - "destroyed around 7,000 physical and virtual servers, exfiltrated over 22 terabytes of data" (militarnyi.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
386
3
RuleSetRAT: A curated collection of YARA rules and structured JSON reports designed to identify and analyze various malware builder variants, for educational and research purposes only. (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
387
2
EXEfromCER: PoC that downloads an executable from a public SSL certificate (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
388
2
WorkloadIdentityInfoXdr: Function to get summarized overview of application and workload identities from IdentityInfo and OAuthAppInfo table with API Permissions, Azure RBAC- and Entra ID roles etc. (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
389
4
Taming the Windows Module Loading for Stealthy Injection (youtu.be)
submitted 3 weeks ago by digicat to c/blueteamsec
1 comments fedilink
390
1
LOTS-Project-Rework: This folder acts as a "rework" of the original LOTS (Living Off Trusted Sites) Project - The LOTS-Project website never had a CSV and/or JSON (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
391
1
ysonet: Deserialization payload generator for a variety of .NET formatters - YSoNet is a fork and replacement of YSoSerial .Net - incs ysonet.exe -p sharepoint --cve=CVE-2025-49704 -var 2 -c "C:\temp (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
392
1
The Evolution of Threat Hunting: From IOC Whack-a-Mole to Hypothesis-Driven Sleuthing (medium.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
393
1
TAG Bulletin: Q2 2025 (blog.google)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
394
1
Fake Zoom Call Lures for Zoom Workplace Credentials (cofense.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
395
1
Malware in Panda Image Hides Persistent Linux Threat - "This technique isn’t steganography but rather polyglot file abuse or malicious file embedding. " - ignore the AI (www.aquasec.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
396
1
DFIR-IRIS: developed by Airbus CERT (France), is an open source solution designed to efficiently manage the entire incident response chain. (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
397
1
Ghosting the Sensor: Disrupting Defender for Identity Without Detection (cyberdom.blog)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
398
1
Detecting ADCS Privilege Escalation (www.blackhillsinfosec.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
399
1
Shutting the Door on Vishing-Driven Data Theft in Salesforce - "UNC6040’s phone-phishers lure employees into approving a fake dataloader[.]io app, hijacking Salesforce APIs to siphon customer data." (appomni.com)
submitted 3 weeks ago by digicat to c/blueteamsec
2 comments fedilink
400
1
Tracing Bugs Across Kernels: SMB Vulnerabilities in macOS and FreeBSD (github.com)
submitted 3 weeks ago by digicat to c/blueteamsec
0 comments fedilink
view more: ‹ prev next ›