Primary threat research from Elastic Security Labs
Elastic Security Labs uncovers a novel social engineering campaign that abuses the popular note-taking application, Obsidian's legitimate community plugin ecosystem. The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram.
Featured
Detection Engineering
View all
Prioritizing Alerts Triage with Higher-Order Detection Rules
Scaling SOC efficiency through multi-signal correlation and higher-order detection patterns.
How we caught the Axios supply chain attack
Joe Desimone shares the story of how he caught the Axios supply chain attack with a proof of concept tool built in an afternoon.
Inside the Axios supply chain compromise - one RAT to rule them all
Elastic Security Labs analyzes a supply chain compromise of the axios npm package delivering a unified cross-platform RAT
Elastic releases detections for the Axios supply chain compromise
Hunting and detection rules for the Elastic-discovered Axios supply chain compromise.
Malware Analysis
View all
Phantom in the vault: Obsidian abused to deliver PhantomPulse RAT
Elastic Security Labs uncovers a novel social engineering campaign that abuses the popular note-taking application, Obsidian's legitimate community plugin ecosystem. The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram.
Hooked on Linux: Rootkit Detection Engineering
In this second part of a two-part series, we explore Linux rootkit detection engineering, focusing on the limitations of static detection reliance, and the importance of rootkit behavioral detection.
Inside the Axios supply chain compromise - one RAT to rule them all
Elastic Security Labs analyzes a supply chain compromise of the axios npm package delivering a unified cross-platform RAT
Fake Installers to Monero: A Multi-Tool Mining Operation
Elastic Security Labs dissects a long-running operation deploying RATs, cryptominers, and CPA fraud through fake installer lures, tracking its evolution across campaigns and Monero payouts.
Internals
View allHooked on Linux: Rootkit Detection Engineering
In this second part of a two-part series, we explore Linux rootkit detection engineering, focusing on the limitations of static detection reliance, and the importance of rootkit behavioral detection.
Patch diff to SYSTEM
Leveraging LLMs and patch diffing, this research details a Use-After-Free vulnerability in Windows DWM, demonstrating a reliable exploit that achieves escalation from low-privileged user permissions to SYSTEM.
The Immutable Illusion: Pwning Your Kernel with Cloud Files
Threat actors can abuse a class of vulnerabilities to bypass security restrictions and break trust chains.
FlipSwitch: a Novel Syscall Hooking Technique
FlipSwitch offers a fresh look at bypassing Linux kernel defenses, revealing a new technique in the ongoing battle between cyber attackers and defenders.
Threat Intelligence
View allPhantom in the vault: Obsidian abused to deliver PhantomPulse RAT
Elastic Security Labs uncovers a novel social engineering campaign that abuses the popular note-taking application, Obsidian's legitimate community plugin ecosystem. The campaign, which we track as REF6598, targets individuals in the financial and cryptocurrency sectors through elaborate social engineering on LinkedIn and Telegram.
Inside the Axios supply chain compromise - one RAT to rule them all
Elastic Security Labs analyzes a supply chain compromise of the axios npm package delivering a unified cross-platform RAT
Elastic releases detections for the Axios supply chain compromise
Hunting and detection rules for the Elastic-discovered Axios supply chain compromise.
Fake Installers to Monero: A Multi-Tool Mining Operation
Elastic Security Labs dissects a long-running operation deploying RATs, cryptominers, and CPA fraud through fake installer lures, tracking its evolution across campaigns and Monero payouts.
Machine Learning
View all
Detect domain generation algorithm (DGA) activity with new Kibana integration
We have added a DGA detection package to the Integrations app in Kibana. In a single click, you can install and start using the DGA model and associated assets, including ingest pipeline configurations, anomaly detection jobs, and detection rules.
Automating the Security Protections rapid response to malware
See how we’ve been improving the processes that allow us to make updates quickly in response to new information and propagate those protections to our users, with the help of machine learning models.
Detecting Living-off-the-land attacks with new Elastic Integration
We added a Living off the land (LotL) detection package to the Integrations app in Kibana. In a single click, you can install and start using the ProblemChild model and associated assets including anomaly detection configurations and detection rules.
Identifying beaconing malware using Elastic
In this blog, we walk users through identifying beaconing malware in their environment using our beaconing identification framework.
GenerativeAI
View all
Get started with Elastic Security from your AI agent
Go from zero to a fully populated Elastic Security environment without leaving your IDE, using open source Agent Skills.
MCP Tools: Attack Vectors and Defense Recommendations for Autonomous Agents
This research examines how Model Context Protocol (MCP) tools expand the attack surface for autonomous agents, detailing exploit vectors such as tool poisoning, orchestration injection, and rug-pull redefinitions alongside practical defense strategies.
Agentic Frameworks Summary
Agentic systems require security teams to balance autonomy with alignment, ensuring that AI agents can act independently while remaining goal-consistent and controllable .
Elastic Advances LLM Security with Standardized Fields and Integrations
Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.
Tools
View all
WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables
WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.
STIXy Situations: ECSaping your threat data
Structured threat data is commonly formatted using STIX. To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.
Dancing the night away with named pipes - PIPEDANCE client release
In this publication, we will walk through this client application’s functionality and how to get started with the tool.
Click, Click… Boom! Automating Protections Testing with Detonate
To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.