Ruben Groenewoud (@rfgroenewoud)'s Twitter Profile
Ruben Groenewoud

@rfgroenewoud

A security research engineer at @Elastic focusing mainly on Linux behavior-, signature- and ML-based detection engineering. GitHub: github.com/Aegrah

ID: 1487011738604249089

Link: https://www.rgrosec.com/ Joined: 28-01-2022 10:37:09

67 Tweets

399 Followers

233 Following

Elastic Security Labs (@elasticseclabs):

This new article from Joe Desimone reveals 4 attack techniques linked to SmartScreen and SmartAppControl. Check it out: go.es.io/4d5L2BR. Will you be at #BHUSA? Stop by Elastic booth #2350 to chat with Joe or catch his lightning talk! #ElasticSecurityLabs #threattechnique

Joe Desimone (@dez_):

Dismantling Smart App Control (And SmartScreen) - 4 new initial access techniques with no security warnings or popups - including LNK mark-of-the-web bypass with over 5 years of ITW use Article: elastic.co/security-labs/… POC: github.com/joe-desimone/r… #rephijack #lnkstomping

Elastic Security Labs (@elasticseclabs):

Hoping to streamline rule management in Elastic Security? Today, we’re exploring DaC updates made in our detection rules repo. Eric Forte and Mika Ayenson highlight the new capabilities and how you can create a DaC strategy: go.es.io/3yqW85v #ElasticSecurityLabs

DefSecSentinel (@defsecsentinel):

New stealer on the block 'Banshee' being sold and deployed against macOS. Thank you to Victor Kubashok who was kind enough to share the sample with me for analysis. I've detonated the sample against Elastic Defend. Let's break down the behavior #Banshee exhibits using the 'Elastic

Elastic Security Labs (@elasticseclabs):

#ElasticSecurityLabs is exposing Banshee Stealer — a brand new macOS infostealer with ties to browsers and cryptocurrency. This MaaS collects an immense amount of data, but you can get the details and protections here: go.es.io/3YNQeWY #malware #cryptocurrency #macos

Elastic Security Labs (@elasticseclabs):

In a follow-up to his article on Auditd, Ruben Groenewoud dives deeply into Linux persistence mechanisms. Become an expert with this new primer: go.es.io/3WKrpbu #ElasticSecurityLabs #Linux

Ruben Groenewoud (@rfgroenewoud):

🔍New Blog Post: "Linux Detection Engineering - A Primer on Persistence Mechanisms"🐧 Learn about the basics of Linux persistence: theory, setup, detection, and hunting. Plus, follow along and check out PANIX! 📖Blog: elastic.co/security-labs/… 🔗PANIX: github.com/Aegrah/PANIX

DefSecSentinel (@defsecsentinel):

Beyond excited to be going back to my favorite conference #OBTS but this time as a speaker! Honored to have been chosen to speak alongside all these other rock stars. I will be going in depth into how powerful behavior detections can be, specifically for macOS, and how we,

Ruben Groenewoud (@rfgroenewoud):

Interesting research on malware leveraging udev rules for persistence. Udev, the Linux kernel's device management system, can trigger actions with specific device events. Sedexp uses this to persist by executing every time /dev/random is loaded. Definitely worth a read.

Elastic Security Labs (@elasticseclabs):

The #linux detection engineering saga continues! Break down persistence techniques both simple and complex in this new article from Ruben Groenewoud: go.es.io/3X6w7k9 #ElasticSecurityLabs #detectionengineering

Ruben Groenewoud (@rfgroenewoud):

Part 2 is out: "Linux Detection Engineering - A Sequel on Persistence Mechanisms" Learn about more advanced Linux persistence techniques: theory, setup, detection, and hunting. Plus, follow along and check out PANIX! Blog: elastic.co/security-labs/… PANIX: github.com/Aegrah/PANIX

The Haag™ (@m_haggis):

🚀 Warp Pipe Tester v2.0 is here! 🎉 github.com/MHaggis/notes/… (Yes, this is a rebrand that includes updates of the pipe utility the other day lol) ✨ New features:
• 150+ test variations 🧪
• Multi-shell support (bash, sh, zsh, csh) 🐚
• Curl & wget testing 🌐
• Base64 &

cr0 @ Defensive-Security.com / PurpleLabs (@cr0nym):

EDRmetry - an Effective #Linux EDR/SIEM Detection Evaluation Playbook - Work in progress ✍️💪 edu.defensive-security.com/edrmetry-effec…

DefSecSentinel (@defsecsentinel):

Another #macos #dropper #loader sample similar to a previous one I analyzed that downloads and executes an #infostealer which then collects and exfiltrates sensitive data. Let's take a look in detail at the entire execution chain with Elastic's 'Process Analyzer View' and

Elastic Security Labs (@elasticseclabs):

Detection engineering is complicated, but this new 5-tier maturity model from Mika Ayenson, Terrance DeJesus, and Samir provides guidance for security teams: go.es.io/3MySV7l #ElasticSecurityLabs #detectionengineering #maturitymodel

Elastic Security Labs (@elasticseclabs):

Auditing Windows can be a complicated task, but data that’s resistant to manipulation certainly helps. Check out the new article from John U and learn why Kernel ETW is the best: bit.ly/4d5xoOv #ElasticSecurityLabs #cybersecurity #Windows

Samir (@sbousseaden):

Elastic Defend coverage for a fresh #Latrodectus sample 49ed597d3e71dee0ced6c17c9ecc5ee9 - 13 alerts!

- oversized jscript
- msi - InstallProduct from jscript + susp msiexec childproc
- self-injection / shellcode
- deletion of running executable
- memory signature
