r/blueteamsec

탈취된 계정이 커뮤니티 스팸 투척기로 전락하는 현상, 단순한 보안 사고로만 치부할 수 있을까요? 정상적인 활동 이력이 있는 계정이 갑자기 광고 글을 쏟아내는 것은 보안 필터를 우회하기 위해 '계정 평판(Reputation)'을 악용하는 전형적인 계정 탈취(ATO) 공격 패턴입니다. 이는 스팸 방지 시스템이 신규 가입자보다 기존 활동 회원에게 낮은 탐지 임계치를 적용한다는 점을 노린 설계이며, 공격자는 봇넷을 통해 다수의 탈취 계정으로 분산 게시를 수행하여 탐지 로직을 무력화합니다. 보통은 평소와 다른 IP 대역에서의 접근이나 짧은 시간 내 대량 게시물 생성 패턴을 감지하여 세션을 즉시 만료시키고, 2단계 인증(2FA)을 강제하는 방식으로 계정의 제어권을 보호하곤 합니다. 여러분은 커뮤니티의 신뢰도를 지키기 위해 정상 계정의 '갑작스러운 행동 변화'를 어느 정도 수준의 가중치로 모니터링하고 계신가요? 실제 블루팀 운영 환경에서 경험해 보신 분들의 의견을 공유해 주시면 감사하겠습니다. 온카스터디에서 관련 계정 행동 분석 자료를 검토하면서 이 패턴이 커뮤니티 보호에 중요한 요소라는 점을 다시 확인했습니다.

Recently I've been analyzing an APT attack dataset. I encountered some advanced methods of how APTs get into a system, how they maintain persistence, perform lateral movement, and execute payloads.
While working on this dataset, it took me days to understand techniques that attackers can execute in seconds. So I thought, why not create Sigma detection rules for threats that look legitimate but carry malicious intent?
So, here am I with my first detection rule, "Suspicious Process Access to LSASS with Full Permissions."

What it does

- Detects Powershell.exe or cmd.exe accessing lsass.exe with full or near full access rights, indicating potential credential dumping activity.

Possible False Positive

- Security monitoring tools
- Administrative Powershell scripts performing legitimate system checks

What I did
- Created and validated the Sigma rule
- Converted it into SPL
- Tested it successfully

Rule Link
- You can find it on my github

I’ll be adding more detection rules soon.

Feedback
- If you have suggestions or improvements, I’d really like to hear them.
And if you’re working on similar detections, feel free to connect.

The Dangers of Reusing Protobuf Definitions: Critical Code Execution in protobuf.js (GHSA-xq3m-2v4x-88gg)

Vercel April 2026 security incident

Kazakh man arrested for ransomware attacks

Benchmarking Self-Hosted LLMs for Offensive Security

One Click(Fix) To Rule Them All, One Click(Fix) To Find Them

smokedmeat: A CI/CD Red Team Framework for demonstrating Build Pipeline security risks.

Cross‑tenant helpdesk impersonation to data exfiltration: A human-operated intrusion playbook

toastfix-demo: Proof-of-concept security demo illustrating how PowerShell can create trusted-looking Windows toast notifications chained together with ClickFix-style lure

CVE-2026-33829: Snipping Tool NTLM Leak

zettelforge: Agentic memory for CTI: STIX knowledge graphs, threat actor alias resolution, offline-first RAG — MCP server for Claude Code

The Mother of All AI Supply Chains: Critical, Systemic Vulnerability at the Core of Anthropic’s MCP - Anthropic design choice Exposes 150M+ Downloads and up to 200K Servers to complete takeover

탈취된 계정이 스팸 투척기로 전락하는 현상과 정상 계정 행동 변화 모니터링

Europol-supported global operation targets over 75 000 users engaged in DDoS attacks – Operation PowerOFF is a global effort aimed at dismantling criminal DDoS-for-hire infrastructure

NIST Updates NVD Operations to Address Record CVE Growth

My First Sigma Detection Rule: LSASS Access

Beyond the breach: inside a cargo theft actor’s post-compromise playbook

MAD Bugs: Even "cat readme.txt" is not safe

Exposing Russian Malicious Infrastructure: 1,250+ C2 Servers Mapped Across 165 Providers

Someone Bought 30 WordPress Plugins and Planted a Backdoor in All of Them.

ElastAlert is dead, long live Clickdetect - The Modern Alerting Alternative