Samir (@SBousseaden)'s Twitter Profile
Samir

@SBousseaden

Detection Engineering | Elastic Security

Mastodon: @[email protected]

ID:1112645486

Joined: 22-01-2013 21:08:28

2.6K Tweets

23.7K Followers

1.1K Following

Elastic Security Labs (@elasticseclabs):

Interested in securing the lifecycle of your LLM? The newest article from Mika Ayenson details his research into native protections against the OWASP® Foundation Top Ten with ES|QL. Check it out: go.es.io/3Qht7i9

Elastic Security Labs (@elasticseclabs):

In the first of three, Cyril F. gives an overview of the implant’s major capabilities. Tune in next week to gain new insights, learn detection strategies from @sbousseaden, and more! Read part 1 here: go.es.io/4aZrtcX

Elastic Security Labs (@elasticseclabs):

Samir's new article explores recent Windows zero-day attacks by analyzing in-the-wild LPE examples and outlining detections that can be run in Elastic Security. Check out the three cases: CLFS, DWM, and Activation Context: go.es.io/43vV8rC

Samir (@SBousseaden):

New blog post is up, unveiling malware behavior trends (TTPs) from a dataset of more than 100K malware samples using Elastic behavior detections (mapped to MITRE) and ES|QL for the analysis.

elastic.co/security-labs/…

samples gist.github.com/Samirbous/eebe…

Elastic Security Labs (@elasticseclabs):

Our new article from Samir explores a dataset of 100,000 malicious files that we gathered from Detonate. Check out the behavior breakdown: go.es.io/3TqmdIn

Analysis

Samir (@SBousseaden):

I love it when a memory YARA signature gets combined with a behavior detection (confirms suspicion + saves time on tool identification), e.g. SharpRDP signature + Suspicious RDP Client behavior triggering on the same process 😍

github.com/elastic/protec…

github.com/elastic/protec…

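The pairing described in the tweet above, as an added example (not Elastic's code): join a stream of memory YARA hits with a stream of behavior alerts on the same process within a short time window, so a hit on the same process entity from both sources surfaces as one "tool identified + suspicious behavior confirmed" finding. The alert records are constructed, and the field names (`process.entity_id`, `rule.name`, `@timestamp`) and rule names are assumptions modelled loosely on ECS, not the exact names Elastic emits.

```python
"""Correlate memory YARA hits with behavior alerts on the same process.

Added example, not Elastic's code. Records are constructed; field and rule
names are assumptions (loosely ECS-shaped), not Elastic's real schema.
"""
from datetime import datetime, timedelta

# Constructed sample alert streams (assumed field names).
YARA_ALERTS = [
    {"@timestamp": "2024-03-01T10:00:05Z", "process.entity_id": "p-42",
     "process.name": "svchost.exe", "rule.name": "Windows.Hacktool.SharpRDP"},
    {"@timestamp": "2024-03-01T11:30:00Z", "process.entity_id": "p-77",
     "process.name": "notepad.exe", "rule.name": "Windows.Hacktool.Generic"},
]
BEHAVIOR_ALERTS = [
    {"@timestamp": "2024-03-01T10:00:02Z", "process.entity_id": "p-42",
     "process.name": "svchost.exe", "rule.name": "Suspicious RDP Client"},
    {"@timestamp": "2024-03-01T10:00:09Z", "process.entity_id": "p-99",
     "process.name": "cmd.exe", "rule.name": "Suspicious Child Process"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(yara_alerts, behavior_alerts, window=timedelta(minutes=5)):
    """Return one finding per (YARA hit, behavior alert) pair that share a
    process entity id and fired within `window` of each other."""
    by_entity = {}
    for b in behavior_alerts:
        by_entity.setdefault(b["process.entity_id"], []).append(b)

    findings = []
    for y in yara_alerts:
        for b in by_entity.get(y["process.entity_id"], []):
            if abs(_ts(y["@timestamp"]) - _ts(b["@timestamp"])) <= window:
                findings.append({
                    "process.entity_id": y["process.entity_id"],
                    "process.name": y["process.name"],
                    "tool": y["rule.name"],        # what the memory signature identified
                    "behavior": b["rule.name"],    # what the process was seen doing
                })
    return findings


if __name__ == "__main__":
    for f in correlate(YARA_ALERTS, BEHAVIOR_ALERTS):
        print(f"{f['process.name']} [{f['process.entity_id']}]: "
              f"{f['tool']} + {f['behavior']}")
```

Keying on a process entity id rather than a raw PID matters because PIDs are reused; the window keeps an old YARA hit from being glued to an unrelated alert hours later.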
Elastic Security Labs (@elasticseclabs):

Researchers SolidSnake and Daniel Stepanic share new details about an emerging campaign using obfuscation to evade defenses and deploy a variety of malware payloads. Read more at elastic.co/security-labs/…

Terrance DeJesus (@_xDeJesus):

Wrote a blog on monitoring Okta threats with Elastic Security. This is a step-by-step guide on getting started with a FREE trial. More to come on and very soon! Thanks for reading.

go.es.io/3V5ujZx

Samir (@SBousseaden):

Useful forensics artifacts for #CVE_2024_21412: .url files in the WebDAV cache folder

C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV\*.url

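A small collector for the artifact named in the tweet above, added here as an example (not the tweet author's tooling): walk the `Tfs_DAV` cache folder, pick up every `*.url` file, and pull the `URL=` target and the other keys out of its `[InternetShortcut]` section, along with the file's modification time, so the shortcuts can be triaged offline. Internet Shortcut files are INI-style text; the parser below handles a UTF-8 BOM and case differences in keys. The sample files it builds in a temp directory are constructed, and the UNC target in them is a placeholder on a TEST-NET address, not a real indicator.

```python
"""Enumerate and parse .url files cached by the Windows WebDAV client.

Added example, not from the tweet. The default path is the one in the
tweet; the sample cache is constructed so the script runs anywhere.
"""
import sys
import tempfile
from pathlib import Path

WEBDAV_CACHE = r"C:\Windows\ServiceProfiles\LocalService\AppData\Local\Temp\TfsStore\Tfs_DAV"


def parse_url_file(text):
    """Return the key/value pairs of the [InternetShortcut] section.

    Keys are lower-cased so URL= and url= are treated alike; other
    sections are ignored; comment lines (; or #) are skipped."""
    fields = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "internetshortcut" and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip().lower()] = value.strip()
    return fields


def scan_cache(root=WEBDAV_CACHE):
    """Walk `root` for *.url files; return a record per file with its
    path, mtime, the URL= target and all parsed fields."""
    results = []
    root = Path(root)
    if not root.is_dir():
        return results
    for p in sorted(root.rglob("*.url")):
        # utf-8-sig strips a BOM if present; errors='replace' keeps going on odd bytes.
        fields = parse_url_file(p.read_text(encoding="utf-8-sig", errors="replace"))
        results.append({
            "path": str(p),
            "mtime": p.stat().st_mtime,
            "url": fields.get("url"),
            "fields": fields,
        })
    return results


def build_sample_cache():
    """Constructed sample data imitating the cache layout (not real artifacts)."""
    d = Path(tempfile.mkdtemp(prefix="tfs_dav_"))
    # Placeholder target: an Internet Shortcut pointing at another shortcut on a WebDAV share.
    (d / "lure.url").write_text(
        "[InternetShortcut]\r\nURL=\\\\203.0.113.5@80\\DavWWWRoot\\share\\stage2.url\r\nIconIndex=13\r\n",
        encoding="utf-8")
    (d / "docs.url").write_text(
        "\ufeff[InternetShortcut]\r\nurl=https://example.test/report.pdf\r\n",
        encoding="utf-8")
    (d / "notes.txt").write_text("not a shortcut", encoding="utf-8")
    return str(d)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else WEBDAV_CACHE
    for rec in scan_cache(target):
        print(f"{rec['path']}  ->  {rec['url']}")
```

Run it with no argument on a live host (elevated, since the LocalService profile is not readable by a normal user) or point it at an exported copy of the folder. The `mtime` field is what you compare against the phishing delivery time when building a timeline.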
Walied Assar (@waleedassar):

I am releasing my kernel fuzzer 'SimpleNTSyscallFuzzer' for public use. With the help of this generic fuzzer, I managed to find more than 15 CVEs. Enjoy!

github.com/waleedassar/Si…

Samir (@SBousseaden):

Likely a testing sample/PoC implementing a TI ETW (VM read/write targeting LSASS) bypass via NtSetInformationProcess (Win10-)

riskinsight-wavestone.com/en/2023/10/a-u…

9269e4e628e652daaadea0106c2427a64c3b3b15ed9fec46a35bed9720782d49

John U (@jdu2600):

More APIs + more call stacks = more detection.

I've blogged about some of the tradeoffs necessary in providing visibility of highly verbose Windows APIs at EDR scale.

TL;DR - fingerprints to dedup, and let users opt-in to the full firehose.

elastic.co/security-labs/…

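The "fingerprints to dedup, opt-in firehose" idea from the tweet above, as an added example (not Elastic's or the author's implementation): each API call event is reduced to a fingerprint of the API name plus its call stack expressed as `module!offset` frames, absolute addresses dropped so ASLR does not defeat the match; the first event per (process, fingerprint) is emitted, repeats are only counted, and a `firehose` switch emits everything. The events and frames are constructed, and the fingerprint layout is an assumed design for illustration.

```python
"""Dedup verbose API call events by call-stack fingerprint.

Added example, not the EDR code the tweet describes. Events are constructed;
the fingerprint layout (api + module!offset frames) is an assumed design.
"""
import hashlib


def stack_fingerprint(api, frames):
    """Hash the API name and each frame as module!offset.

    Absolute addresses are ignored on purpose: the same code path loaded at
    a different base (ASLR) must produce the same fingerprint."""
    h = hashlib.sha256(api.lower().encode())
    for f in frames:
        h.update(f"{f['module'].lower()}!{f['offset']:#x};".encode())
    return h.hexdigest()[:16]


class StackDeduper:
    """Emit the first event per (pid, fingerprint); count the rest.

    With firehose=True every event is emitted (the opt-in full stream)."""

    def __init__(self, firehose=False):
        self.firehose = firehose
        self.counts = {}

    def ingest(self, event):
        fp = stack_fingerprint(event["api"], event["frames"])
        key = (event["pid"], fp)
        self.counts[key] = self.counts.get(key, 0) + 1
        if self.firehose or self.counts[key] == 1:
            return {"pid": event["pid"], "api": event["api"],
                    "fingerprint": fp, "count": self.counts[key]}
        return None


def run(events, firehose=False):
    """Feed events through a deduper; return the list of emitted records."""
    d = StackDeduper(firehose=firehose)
    return [out for e in events if (out := d.ingest(e)) is not None]


# Constructed sample: one process allocating memory three times from the same
# code path (two of them after a relocation of the DLL base) and once from an
# unbacked region, which is the call path a defender actually wants to see.
_BACKED = [
    {"module": "kernelbase.dll", "offset": 0x1a2b0},
    {"module": "app.dll", "offset": 0x4410},
    {"module": "app.dll", "offset": 0x1200},
]
_UNBACKED = [
    {"module": "kernelbase.dll", "offset": 0x1a2b0},
    {"module": "Unbacked", "offset": 0x0},
]
SAMPLE_EVENTS = [
    {"pid": 1234, "api": "VirtualAlloc", "frames": _BACKED, "base": 0x7ff800000000},
    {"pid": 1234, "api": "VirtualAlloc", "frames": _BACKED, "base": 0x7ff900000000},
    {"pid": 1234, "api": "VirtualAlloc", "frames": _BACKED, "base": 0x7ff900000000},
    {"pid": 1234, "api": "VirtualAlloc", "frames": _UNBACKED, "base": 0x7ff900000000},
]

if __name__ == "__main__":
    for rec in run(SAMPLE_EVENTS):
        print(rec)
```

The trade-off the tweet points at is visible in the sample: dedup collapses four events into two, and the one that survives alongside the baseline is the unbacked-memory caller, which is the interesting one.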
Elastic Security Labs (@elasticseclabs):

In this follow up from his article in May, Samir digs deeper into call stacks! See how Elastic Security 8.11 further increases efficacy against in-memory threats: go.es.io/47vnlPZ

Justin Ibarra (@br0k3ns0und):

Over the same period, on the SIEM side, we also increased the rule count by ~625 new rules to over 1300 rules.

That's ~2k total rules across the 2 features! 🎉🎉

Looking forward to us enhancing coverage even more in 2024 🍻!

github.com/elastic/detect…

Elastic Security Labs (@elasticseclabs):

Analyzing data for threats can be an incredibly daunting task. Luckily, Terrance DeJesus and Eric Forte — two major contributors for the Global Threat Report — have laid out their step-by-step process of data analysis with Google Cloud: go.es.io/48iNjXO

Samir (@SBousseaden):

If used to dump LSASS and you have 4688 (process creation) enabled, you can use it to identify traces of this technique
twitter.com/SBousseaden/st…

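A hunt over Security event ID 4688 for LSASS dump invocations, added here as an example and not the tweet author's query. It goes beyond the single tool the tweet refers to: any process-creation record whose command line names `lsass`, or matches a couple of well-known dump invocations (the `comsvcs.dll MiniDump` export via rundll32, and `procdump -ma` against lsass), is flagged. The events are constructed dictionaries with the 4688 field names (`NewProcessName`, `CommandLine`, `ParentProcessName`); the patterns are an assumed starting set, not a complete one. One caveat the code makes explicit: 4688 only carries the command line when "Include command line in process creation events" is turned on, so records with an empty `CommandLine` are counted separately as blind spots rather than silently passed.

```python
"""Hunt Windows 4688 (process creation) events for LSASS dump invocations.

Added example, not the tweet author's query. Events are constructed with
4688 field names; the patterns below are an assumed starting set.
"""
import re

# (rule name, regex over the CommandLine field); first match wins, so the
# more specific patterns come before the generic lsass reference.
PATTERNS = [
    ("comsvcs_minidump", re.compile(r"comsvcs(\.dll)?[ ,]+.*minidump", re.I)),
    ("procdump_lsass",   re.compile(r"procdump.*\s-ma\s.*lsass", re.I)),
    ("lsass_reference",  re.compile(r"\blsass(\.exe)?\b", re.I)),
]


def hunt_4688(events):
    """Return (hits, blind_spots): hits are 4688 records whose command line
    matches a pattern; blind_spots counts 4688 records that carry no
    command line at all (command-line auditing not enabled)."""
    hits, blind_spots = [], 0
    for e in events:
        if e.get("EventID") != 4688:
            continue
        cmd = e.get("CommandLine") or ""
        if not cmd:
            blind_spots += 1
            continue
        for rule, rx in PATTERNS:
            if rx.search(cmd):
                hits.append({
                    "time": e.get("TimeCreated"),
                    "rule": rule,
                    "process": e.get("NewProcessName"),
                    "parent": e.get("ParentProcessName"),
                    "cmd": cmd,
                })
                break
    return hits, blind_spots


# Constructed sample log (not from a real host).
SAMPLE_EVENTS = [
    {"EventID": 4688, "TimeCreated": "2024-03-01T09:12:01Z",
     "NewProcessName": r"C:\Windows\System32\rundll32.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"},
    {"EventID": 4688, "TimeCreated": "2024-03-01T09:13:40Z",
     "NewProcessName": r"C:\Tools\procdump.exe",
     "ParentProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"procdump.exe -accepteula -ma lsass.exe C:\Temp\out.dmp"},
    {"EventID": 4688, "TimeCreated": "2024-03-01T09:14:00Z",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "CommandLine": ""},  # command-line auditing off: nothing to inspect
    {"EventID": 4688, "TimeCreated": "2024-03-01T09:15:22Z",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "ParentProcessName": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"EventID": 4624, "TimeCreated": "2024-03-01T09:15:30Z"},  # not a 4688
]

if __name__ == "__main__":
    hits, blind = hunt_4688(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['time']} {h['rule']}: {h['cmd']}")
    print(f"{blind} process creation event(s) without a command line")
```

The generic `lsass_reference` pattern is deliberately broad; on a real fleet you would baseline it, since legitimate software can mention lsass in its arguments, but it is the pattern that still fires when the dump tool is one you have never seen before.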