r/blueteamsec

Reducing manual CISA KEV analysis with automation

I built an automation pipeline to turn added CISA Known Exploited Vulnerabilities into actionable detections with little manual work.

The workflow does the following:

  • Checks the CISA KEV catalog for vulnerabilities
  • Gets the CVEs
  • Uses Google Gemini to create Sigma detection rules
  • Maps detections to the MITRE ATT&CK framework
  • Sends results to Google Sheets, Slack, email and a SIEM for analysts to review

My goal was to save time on tracking KEV updates and writing detections while still having an analyst validate the results.

I documented the process, including the workflow, prompts, integrations and implementation details. If you work in detection engineering, threat hunting or threat intelligence I'd love to hear how you use CISA KEV in your environment. If you've automated any part of it.

Blog link in the comments.

reddit.com
u/manishrawat21 — 5 days ago

Anonymous researcher drops “Exploitarium” : 109 files, 15 targets, zero vendor notice. I built 44 KQL detections to cover it.

A researcher going by ‘bikini’ has published a personal archive called Exploitarium - 15 vulnerability targets across 109 tracked files, dropped with no coordinated disclosure and no vendor notification.

This isn’t a polished toolkit. It reads like a personal research dump. Some of it is noise that the community has already dismissed. But not all of it.

Two findings stand out and have been independently verified:

libssh2 pre-auth heap write - CVSS 9.2. Pre-authentication. Actively exploited.

Gitea default Docker auth bypass - Also independently confirmed, also being exploited in the wild.

If you’re running either of these in your environment, treat this as live.

What I built in response:
44 KQL detection rules covering the full Exploitarium scope: 18 product folders, 6 CVEs, cross-platform (Windows, Linux, macOS, Container, Network, SaaS).
Rules for:
libssh2, Splunk, RustDesk, 7-Zip, VLC, AnyDesk, OpenVPN, c-ares and more.

All rules are live on detections.ai with language translation available for non-KQL stacks. The full repo is structured by product on GitHub.
Full intel report + IOCs in the links below.

GitHub repo: https://github.com/Ethan-Andrews/Exploitarium-Detections

Exploitarium breakdown: Threat Intel

Drop questions below, happy to walk through anything.

u/3eandrews3 — 7 days ago
▲ 14 r/blueteamsec+5 crossposts

Introducing FortiBleed!

The SOCRadar Threat Research team just uncovered a staggering, active hacking campaign exposing over 30,000 verified Fortinet firewall credentials.

Here is the damage report:

🌍 Global Reach: 194 countries affected, with the US sitting at the #2 most targeted spot.

🏦 High-Value Targets: The victim roster includes major banks, telecom giants, and government agencies.

🛠️Full Visibility: We tracked the entire operation—the attacker infrastructure, the tools, and the complete victim list.

⚠️ Status: STILL active as of this publication.

Don't wait for an incident to react. Dive into the full discovery, grab the IoCs, and take immediate steps to mitigate the risk and strengthen your posture.

Read the full FortiBleed breakdown here: https://socradar.io/blog/fortibleed-fortinet-firewalls-compromised/

#ThreatIntelligence #Fortinet #CyberSecurity #InfoSec #SOCRadar

u/socradario — 6 days ago
▲ 50 r/blueteamsec+3 crossposts

Tracking 3,900+ C2 servers, across 302 Eastern Europe providers

Over a three-month window Hunt.io mapped malicious infrastructure across 10 Eastern European countries and tracked more than 3,900 active C2 servers across 302 hosting providers.

A single Bulgarian host, Friendhosting, was running 2,100 of them, roughly 53.5% of the regional total. We also linked specific infrastructure to Cloud Atlas, ShinyHunters' PeopleSoft exploitation, and Nemesys ransomware sharing the same provider networks.

Read the full story: https://hunt.io/blog/eastern-europe-malicious-infrastructure-report

hunt.io
u/Straight-Practice-99 — 11 days ago
▲ 27 r/blueteamsec+1 crossposts

I made a blog that ranks log sources

I wrote down how I think about onboarding order. Basically I ranked sources by how much they actually help an investigation, not by what's easiest to ingest. For each one I went through what you need to collect, how painful the parsing is, what retention makes sense, and what you can realistically detect once it's in.

blog.sentry.security
u/Equal-Painting-1553 — 13 days ago