Articles

Call Stacks: No More Free Passes For Malware
We explore the immense value that call stacks bring to malware detection and why Elastic considers them vital Windows endpoint telemetry despite their architectural limitations.

Misbehaving Modalities: Detecting Tools, Not Techniques
We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

Kernel ETW is the best ETW
This research focuses on the importance of native audit logs in secure-by-design software, arguing for kernel-level ETW logging rather than user-mode hooks, since kernel-sourced telemetry is far harder for a malicious process to tamper with.

Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks
With Elastic Security 8.11, we added further detections built on call stacks captured from kernel ETW telemetry, increasing efficacy against in-memory threats.

Effective Parenting - detecting LRPC-based parent PID spoofing
Using process creation as a case study, this research outlines the evasion-detection arms race to date, describes the weaknesses in some current detection approaches, and then follows the quest for a generic approach to detecting LRPC-based evasion.

Get-InjectedThreadEx – Detecting Thread Creation Trampolines
In this blog, we demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script, Get-InjectedThreadEx.