Welcome to BlueTeamCoolTeam

So this is a thing now.

BlueTeamCoolTeam is a personal blog where I’ll be publishing hands-on write-ups of real malware samples and incidents — the kind that show up on a Monday morning when somebody clicked a thing they shouldn’t have. Each post walks through the attack chain, picks out the load-bearing techniques with real code, and — the part I actually care about — turns each technique into something a defender or sysadmin can act on.

Every write-up is mapped to:

• The ASD Essential Eight — what mitigation actually applies, and at what maturity level.
• MITRE ATT&CK — tactic + technique, so you can pivot into your detection coverage.
• Detection opportunities — log source, event ID, behaviour, query. Whatever lets you spot the thing if prevention fails.
• ASD/ACSC hardening references — pulled from the actual guidance, not paraphrased.

The point isn’t to write the most exhaustive analysis on the internet. The point is that if you finish a post here, you can walk back to your environment the same afternoon and do something — implement a control, write a hunt, file a ticket. If a post doesn’t pass that test, it’s not ready.

A few ground rules I’m going to stick to:

• No vendor pitch. I don’t represent anyone. Advice is peer-to-peer.
• Attribution stays honest. If I can’t prove who’s behind something, I won’t pretend I can. Anchoring everything in observed behaviour and code keeps the post useful and keeps me out of trouble.
• Code over screenshots. Real snippets you can read, copy, and grep for. Not blurry PNGs.

If something here helps you catch a thing, harden a thing, or sleep slightly better, I’ve done the job.

Posts will go up on X (@btcoolteam) and Instagram (@blueteamcoolteam) as they land. Corrections, war stories, and “you missed a thing” — DMs are open on either.

Stay curious.

— Luke