Author
Ruben Groenewoud
Security Research Engineer, Elastic
Articles
Declawing PUMAKIT
PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.
Cups Overflow: When your printer spills more than Ink
Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.
Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse
The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.
Linux Detection Engineering - A Sequel on Persistence Mechanisms
In the final part of this Linux persistence series, we'll continue exploring persistence mechanisms on Linux systems, focusing on more advanced techniques and how to detect them.
Linux Detection Engineering - A primer on persistence mechanisms
In this second part of the Linux Detection Engineering series, we map multiple Linux persistence mechanisms to the MITRE ATT&CK framework, explain how they work, and describe how to detect them.
Linux detection engineering with Auditd
In this article, learn more about using Auditd and Auditd Manager for detection engineering.
An Elastic approach to large-scale dynamic malware analysis
This research reveals insights into some of the large-scale malware analysis performed by Elastic Security Labs, and complements research related to the Detonate framework.