this post was submitted on 11 Jan 2026
blueteamsec

For [Blue|Purple] Teams in Cyber Defence - covering discovery, detection, response, threat intelligence, malware, offensive tradecraft and tooling, deception, reverse engineering etc.

Query to identify internet facing devices and then find those running the MongoDB service with a version impacted by the MongoBleed vulnerability https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day10_mongobleed_vuln.md

Creation of .proj file in suspicious location eventually used to bypass AV detection with msbuild.exe use. https://github.com/m4nbat/100_days_of_kql_2026/blob/main/day9_suspicious_filecreation_msbuild_ttp.md
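Two hunting queries in the spirit of the linked posts, added here as an illustration and not taken from the 100_days_of_kql_2026 repository. Both assume the Microsoft Defender XDR Advanced Hunting schema (DeviceInfo, DeviceNetworkEvents, DeviceTvmSoftwareInventory, DeviceFileEvents, DeviceProcessEvents) and are meant to be run one at a time. The first surfaces internet-facing devices with a MongoDB install and listener so the version can be compared against the vendor advisory; the MongoBleed affected range is deliberately not hard-coded, because the post does not state it. The second correlates a .proj file dropped in a user-writable or otherwise unusual directory with a subsequent msbuild.exe execution whose command line references that file. The directory list, the 7-day lookback and the 1-hour drop-to-build window are assumptions to tune per environment.

```kql
// Query 1 (added example): internet-facing devices that carry MongoDB, with the
// installed version surfaced for comparison against the vendor advisory.
// The vulnerable version range is NOT filtered here on purpose; sort and compare.
let lookback = 7d;
let internet_facing =
    DeviceInfo
    | where Timestamp > ago(lookback)
    | summarize arg_max(Timestamp, *) by DeviceId          // latest inventory row per device
    | where IsInternetFacing == true
    | project DeviceId, DeviceName, OSPlatform, PublicIP;
let mongodb_listeners =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ListeningConnectionCreated", "InboundConnectionAccepted")
    | where LocalPort == 27017                              // default mongod port (assumption)
        or InitiatingProcessFileName in~ ("mongod.exe", "mongod")
    | summarize LastSeen = max(Timestamp), Ports = make_set(LocalPort) by DeviceId;
DeviceTvmSoftwareInventory
| where SoftwareName has "mongodb" or SoftwareVendor has "mongodb"
| join kind=inner internet_facing on DeviceId               // exposed devices only
| join kind=leftouter mongodb_listeners on DeviceId         // keep installs with no observed listener
| extend ParsedVersion = parse_version(SoftwareVersion)     // sortable version for manual comparison
| project DeviceName, PublicIP, OSPlatform, SoftwareVendor, SoftwareName,
          SoftwareVersion, ParsedVersion, Ports, LastSeen
| order by ParsedVersion asc

// Query 2 (added example): .proj written to a suspicious location, then handed to msbuild.exe.
let lookback = 7d;
let build_window = 1h;                                      // drop-to-build window (assumption)
let suspicious_dirs = dynamic([                             // user-writable / staging paths (assumption)
    @"\Users\Public\", @"\AppData\Local\Temp\", @"\Windows\Temp\",
    @"\ProgramData\", @"\Downloads\", @"\PerfLogs\"]);
let proj_drops =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed")
    | where FileName endswith ".proj"
    | where FolderPath has_any (suspicious_dirs)
    | project DropTime = Timestamp, DeviceId, DeviceName, FolderPath, FileName, SHA256,
              DropperProcess = InitiatingProcessFileName,
              DropperCmd = InitiatingProcessCommandLine;
let msbuild_runs =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "msbuild.exe"
    | project ExecTime = Timestamp, DeviceId, AccountName, ProcessCommandLine,
              ParentProcess = InitiatingProcessFileName,
              ParentCmd = InitiatingProcessCommandLine;
proj_drops
| join kind=inner msbuild_runs on DeviceId
| where ExecTime between (DropTime .. (DropTime + build_window))   // build follows the drop
| where ProcessCommandLine has FileName                             // command line names the dropped file
| project DeviceName, DropTime, ExecTime, FolderPath, FileName, SHA256,
          DropperProcess, DropperCmd, AccountName, ParentProcess, ParentCmd, ProcessCommandLine
| order by ExecTime desc
```

For the first query, DeviceTvmSoftwareInventory only reflects software the TVM sensor recognises, so the network-listener join is there to catch a mongod that was dropped as a bare binary; a device with Ports populated but no inventory row will still be missed and needs a process-based hunt. For the second, a .proj is only one of the file names MSBuild will accept, so a quiet environment may justify widening the extension filter; conversely, build servers and developer workstations will need an allow-list on DropperProcess or AccountName to keep the result set actionable.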
