John Uhlmann

Principal Security Research Engineer, Elastic

Articles

Misbehaving Modalities: Detecting Tools, Not Techniques
15 May 2025

We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

Kernel ETW is the best ETW
13 September 2024

This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.

Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks
9 January 2024

With Elastic Security 8.11, we added further kernel telemetry call stack-based detections to increase efficacy against in-memory threats.

Effective Parenting - detecting LRPC-based parent PID spoofing
29 March 2023

Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.

Get-InjectedThreadEx – Detecting Thread Creation Trampolines
7 December 2022

In this blog, we demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script, Get-InjectedThreadEx.


© 2025. Elasticsearch B.V. All Rights Reserved.