Ruben Groenewoud (@rfgroenewoud) 's Twitter Profile
Ruben Groenewoud

@rfgroenewoud

A security research engineer at @Elastic focusing mainly on Linux behavior-, signature- and ML-based detection engineering. Github: github.com/Aegrah

ID: 1487011738604249089

Link: https://www.rgrosec.com/ | Joined: 28-01-2022 10:37:09

156 Tweets

487 Followers

272 Following

Samir (@sbousseaden) 's Twitter Profile Photo

cool alternative to clickfix, thanks for sharing! possible detection is to look for process.parent.args :"--message-loop-type-ui" and process is a lolbin or a PE from downloads folder.

Elastic Security Labs (@elasticseclabs) 's Twitter Profile Photo

Deep dive into Azure OAuth phishing & detection! This article from Terrance DeJesus shows how rich telemetry is crucial for spotting identity-based attacks. Stop relying on static indicators & start: go.es.io/4k4A7LD #CloudSecurity #ThreatDetection #Azure

Terrance DeJesus (@_xdejesus) 's Twitter Profile Photo

Did a write-up on OAuth phishing (offense and defense). It's based on phishing campaigns reported by Volexity earlier this year. - What are OAuth phishing links; what are the workflows behind them - How to emulate (examples) and use ROADtools for further compromise -

Elastic Security Labs (@elasticseclabs) 's Twitter Profile Photo

New research from our #ElasticSecurityLabs team: we dive into how infostealers are leveraging a stolen Shellter evasion tool to deploy data-stealing malware. Learn more & get our unpacker: go.es.io/4ldCM72 #malware #rhadamanthys #ghostpulse

Xlab (@xlab_qax) 's Twitter Profile Photo

New backdoor alert: MystRodX, this stealthy C++ malware has evaded detection for 20+ months. Key twist: In passive mode, it lurks silently, waiting for ICMP pings or DNS queries to trigger C2 comms—no open ports needed. Active since Jan 2024. Details: blog.xlab.qianxin.com/mystrodx_cover…

Samir (@sbousseaden) 's Twitter Profile Photo

nice technique! #Elastic EDR (Elastic Defend) is not affected + we do have an existing behavior protection rule that will terminate WerFaultSecure.exe (to protect other processes) github.com/elastic/protec…

Joe Desimone (@dez_) 's Twitter Profile Photo

Exciting opportunity - We are looking for a senior security researcher or practitioner to join our ML team to help build new ML and AI powered protections!

Elastic Security Labs (@elasticseclabs) 's Twitter Profile Photo

Linux syscall hooks were forever changed with kernel 6.9, check out this article from #ElasticSecurityLabs describing #FlipSwitch, the latest in Linux hooking: go.es.io/4nSrCW3

Ruben Groenewoud (@rfgroenewoud) 's Twitter Profile Photo

Research & PoC: FlipSwitch Rootkit A syscall-table hooking technique that works on modern Linux (6.9+), researched for and presented at Virus Bulletin by RemcoS and me. Revives syscall hooking by patching x64_sys_call call sites instead of table entries. elastic.co/security-labs/…

Ruben Groenewoud (@rfgroenewoud) 's Twitter Profile Photo

For anyone looking for detection rules/indicators for CVE-2025-32463 (the "sudo chroot" local privilege escalation), we just published two rules that cover it: github.com/elastic/detect…

Elastic Security Labs (@elasticseclabs) 's Twitter Profile Photo

#ElasticSecurityLabs has kept tabs on #WARMCOOKIE, a backdoor we disclosed in June 2024 that used employment-related phishing lures to infect victims. Learn how this threat’s evolving: go.es.io/46O8pOo

Elastic (@elastic) 's Twitter Profile Photo

IDC just named Elastic a Leader in XDR. Why? Search-powered investigations, 400+ integrations, AI assistant, and a unified, transparent platform. Security teams get faster threat response without the tool sprawl. See the IDC excerpt: go.es.io/48fsQ9y

DefSecSentinel (@defsecsentinel) 's Twitter Profile Photo

Heading to my 3rd #OBTS 🌴☀️🌊today! Best conference out there. Honored to be speaking again this year alongside so many other incredible #Apple 🍎 security researchers. It’s gonna be a blast, can’t wait to see everyone! Pumped to get to share my research into using and abusing

Virus Bulletin (@virusbtn) 's Twitter Profile Photo

Elastic Security Labs publishes nightMARE, a Python library (v0.16) for malware analysis and for building configuration extractors. elastic.co/security-labs/…

DefSecSentinel (@defsecsentinel) 's Twitter Profile Photo

Another awesome #OBTS 🌴🏖️☀️in the books. It was an honor to speak again this year and share my research with this incredible community 🍎. Such a blast spending time with newcomers and old friends. There is truly no other conference like it. Huge shout out and thank you to both

Virus Bulletin (@virusbtn) 's Twitter Profile Photo

Texas A&M University System (TAMUS) Cybersecurity, in collaboration with Elastic Security Labs, discovered post-exploitation activity by a Chinese-speaking threat actor who installed a malicious IIS module - which the researchers dubbed TOLLBOOTH. elastic.co/security-labs/…

Stephan Berger (@malmoeb) 's Twitter Profile Photo

Just when you think you know your way around Linux.. binfmt_misc: Hold my beer. binfmt_misc provides a nifty way (once the attacker has gained root rights on the machine) to create a little backdoor to regain root access when the original access no longer works. This mechanism