Mark Dufresne (@mark_dufresne) 's Twitter Profile
Mark Dufresne

@mark_dufresne

Detection Engineering @sentinelone

ID: 25934148

Joined 23-03-2009 02:21:04

632 Tweets

1.1K Followers

570 Following

Devon Kerr (@_devonkerr_)

Let me be the first to welcome Mika Ayenson to Elastic Security Labs, the most enthusiastic detection engineer I know: elastic.co/security-labs/… Which tools do detection engineers use? Now ya know!

Joe Desimone (@dez_)

Had some fun with this - exploiting the Process Explorer driver for kernel code execution. Will msft ever add to their own blocklist? 🤔 elastic.co/security-labs/…

Andrew Pease (@andythevariable)

Check out REF2731 research - a 1, 2, 3...4...5 stage(!) intrusion set for two PARALLAX + NETWIRE campaigns. Malware & campaign analysis and an open-source payload extractor. Collab w/ Daniel Stepanic (@DanielStepanic), SolidSnake (@soolidsnakee), Seth (@bluish_red_). Enjoy, it's a journey. elastic.co/security-labs/…
Muhammad Alharmeel (@0xmuhammad)

We have just pushed #Elastic lab to our #CertifiedCyberDefender course 👉 cyberdefenders.org/blueteam-train…

Real dataset, fiddle around with #Kibana queries/dashboards, enroll elastic #EDR into endpoints (formerly known as Endgame) & write #MITRE-mapped #SIEM use cases.

#DFIR #BlueTeam
Anuj Soni (@asoni)

Amazing write-up on a dynamic emotet config extractor by RemcoS. He uses a combination of YARA, the SMDA decompiler, Unicorn Engine, lief-project and more to get the job done. Read it! And then read it again. And maybe again. elastic.co/security-labs/….

Devon Kerr (@_devonkerr_)

Happy Friday, Twitter! If you don't know Terrance DeJesus, let me correct that -- Terrance is a member of the Threat Research and Detection Engineering team at Elastic. His most recent publication to Elastic Security Labs is part one of three on Google Workspaces: elastic.co/google-workspa…

Daniel Stepanic (@danielstepanic)

Our team had tons of fun participating in this year’s #FlareOn9 Challenge. Check out our write-up on how we solved them! Thanks Mandiant (part of Google Cloud) for all your effort putting it together. elastic.co/flare-on-9-sol…

Elastic (@elastic)

We’re proud of the #ElasticSecurityLabs team and the incredible amount of work that went into creating the 2022 Elastic Global Threat Report. Mark Dufresne shares a behind-the-scenes look into how the report was built. Read more here: go.es.io/3OxutUd

Elastic (@elastic)

#ElasticSecurityLabs is tracking an active intrusion by multiple threat actors into the Foreign Affairs office of an Association of Southeast Asian Nations (ASEAN) member. Find out more in this post: go.es.io/3FXCb7j

Daniel Stepanic (@danielstepanic)

Our team has been observing an intrusion in Southeast Asia over the last few weeks. We have seen a bunch of TTPs, including:
- Malicious IIS Modules (#DoorMe update)
- Webshell usage
- Exfiltrating mailboxes
- New .NET malware #SiestaGraph
- Dropping vulnerable drivers

SentinelLabs (@labssentinel)

New SentinelLabs Research on WIP26 - s1.ai/WIP26

🟣 New actor targeting telco in the Middle East
🟣 Abuses Microsoft 365 Mail, Google Firebase, and Dropbox for C2
🟣 Targeted WhatsApp msgs -> Dropbox -> loader -> backdoors

Aleksandar Milenkoski (@milenkowski), Collin Farr (@CollinFarr), 91 (@joeychen), QGroup IT-Security (@QTrust)
J. A. Guerrero-Saade (@juanandres_gs)

We’ve been working at breakneck pace to release IOCs for ongoing software supply chain campaign that we call SmoothOperator. Attackers trojanized installers for #3CX PBX software. We’ve blocked thousands of attempted infections as of March 22nd. Details 👇🏻 s1.ai/smoothoperator

Alex Delamotte (@spiderspiders_)

Back in 2021, the Babuk source code leaks fascinated me. At the time, it was unprecedented ransomware drama. 🍿 Like any self-respecting malware archivist, I grabbed the zip file and threw away the key for a few years. 1/?

SentinelOne (@sentinelone)

⚔️ Here are the top threats our WatchTower team observed and investigated in 2023—and a look ahead to the 2024 threat landscape. From the top bad actors, to the top vulnerabilities exploited, to the top threats by OS, and more. Read the report: sentinelone.com/resources/watc…

Antonio Pirozzi (@_antoniopirozzi)

Our analysis on the intriguing #liblzma supply chain case 🔥 By following all the interactions we provided an interesting angle on the TA's motivations and plan to Inject Further Vulnerabilities. It was a pleasure to work with @vx__notduck1e on this!! sentinelone.com/blog/xz-utils-…

Mark Baggett (@markbaggett)

Yesterday I learned that SentinelOne blocks the Windows application whitelisting and digital signature bypass that I’ve been using for 10 years. Now I’ll need to find a new way to digitally sign any binary as Microsoft (on S1 customers). Well done SentinelOne.

Antonio Cocomazzi (@splinter_code)

Excited to share my latest research about FIN7 🔥 The discovery of a new abuse for the Windows built-in driver ProcLaunchMon.sys (TTD Monitor driver) to tamper with EDRs has been an interesting surprise. Enjoy the read 👇 sentinelone.com/labs/fin7-rebo…

Shea Serrano (@sheaserrano)

if you can somehow watch this and walk away from it saying something like “yup that’s my guy that’s who i’m gonna vote for” then i want you to know that you are just a full-on idiot