Category

Detection Engineering

An in-depth investigation tracing a Windows Authenticode validation failure from vague error codes to undocumented kernel routines.

Taking SHELLTER: a commercial evasion framework abused in-the-wild

Elastic Security Labs detected the recent emergence of infostealers using an illicitly acquired version of the commercial evasion framework, SHELLTER, to deploy post-exploitation payloads.

Microsoft Entra ID OAuth Phishing and Detections

This article explores OAuth phishing and token-based abuse in Microsoft Entra ID. Through emulation and analysis of tokens, scope, and device behavior during sign-in activity, we surface high-fidelity signals defenders can use to detect and hunt for OAuth misuse.

Misbehaving Modalities: Detecting Tools, Not Techniques

We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

Bit ByBit - emulation of the DPRK's largest cryptocurrency heist

A high-fidelity emulation of the DPRK's largest cryptocurrency heist via a compromised macOS developer and AWS pivots.

Now available: the 2025 State of Detection Engineering at Elastic

The 2025 State of Detection Engineering at Elastic explores how we create, maintain, and assess our SIEM and EDR rulesets.

AWS SNS Abuse: Data Exfiltration and Phishing

During a recent internal collaboration, we dug into publicly known SNS abuse attempts and our knowledge of the data source to develop detection capabilities.

Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure

In this article, we explore what hotkey-based keyloggers are and how to detect them. Specifically, we explain how these keyloggers intercept keystrokes, then present a detection technique that leverages an undocumented hotkey table in kernel space.

Linux Detection Engineering - The Grand Finale on Linux Persistence

By the end of this series, you'll have a robust knowledge of both common and rare Linux persistence techniques, and you'll understand how to effectively engineer detections for common and advanced adversary capabilities.

Emulating AWS S3 SSE-C Ransom for Threat Detection

In this article, we’ll explore how threat actors leverage Amazon S3’s Server-Side Encryption with Customer-Provided Keys (SSE-C) for ransom/extortion operations.

Linux Detection Engineering - Approaching the Summit on Persistence Mechanisms

Building on foundational concepts and techniques explored in the previous publications, this post discusses some creative and/or complex persistence mechanisms.

Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure

In this article, we introduce what hotkey-based keyloggers are and how to detect them. Specifically, after explaining how hotkey-based keyloggers steal keystrokes, we describe a detection technique that leverages an undocumented hotkey table that exists at the kernel level.

Announcing the Elastic Bounty Program for Behavior Rule Protections

Elastic is launching an expansion of its security bounty program, inviting researchers to test its SIEM and EDR rules for evasion and bypass techniques, starting with Windows endpoints. This initiative strengthens collaboration with the security community, ensuring Elastic’s defenses remain robust against evolving threats.

Linux Detection Engineering - A Continuation on Persistence Mechanisms

This document continues the exploration of Linux detection engineering, emphasizing advancements in monitoring persistence mechanisms. By building on past practices and insights, it provides a roadmap for improving detection strategies in complex environments.

Detonating Beacons to Illuminate Detection Gaps

Learn how Elastic Security leveraged open-source BOFs to achieve detection engineering goals during our most recent ON week.

Exploring AWS STS AssumeRoot

Explore AWS STS AssumeRoot, its risks, detection strategies, and practical scenarios to secure against privilege escalation and account compromise using Elastic's SIEM and CloudTrail data.

Streamlining Security: Integrating Amazon Bedrock with Elastic

This article will guide you through the process of setting up the Amazon Bedrock integration and enabling Elastic's prebuilt detection rules to streamline your security operations.

Elevate Your Threat Hunting with Elastic

Elastic is releasing a threat hunting package designed to aid defenders with proactive detection queries to identify actor-agnostic intrusions.

Cups Overflow: When your printer spills more than Ink

Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.

Elastic releases the Detection Engineering Behavior Maturity Model

Using this maturity model, security teams can make structured, measurable, and iterative improvements to their detection engineering teams.

Linux Detection Engineering - A Sequel on Persistence Mechanisms

In this final part of this Linux persistence series, we'll continue exploring persistence mechanisms on Linux systems, focusing on more advanced techniques and how to detect them.

Linux Detection Engineering - A primer on persistence mechanisms

In this second part of the Linux Detection Engineering series, we map multiple Linux persistence mechanisms to the MITRE ATT&CK framework, explain how they work, and how to detect them.

Now in beta: New Detection as Code capabilities

Protecting your devices from information theft

In this article, we introduce the keylogger and keylogging detection features newly added this year (from version 8.12) to Elastic Defend, which is responsible for endpoint protection in Elastic Security.

Protecting your devices from information theft

In this article, we will introduce the keylogger and keylogging detection features added this year to Elastic Defend (starting from version 8.12), which is responsible for endpoint protection in Elastic Security.

Elastic Advances LLM Security with Standardized Fields and Integrations

Discover Elastic’s latest advancements in LLM security, focusing on standardized field integrations and enhanced detection capabilities. Learn how adopting these standards can safeguard your systems.

Embedding Security in LLM Workflows: Elastic's Proactive Approach

Dive into Elastic's exploration of embedding security directly within Large Language Models (LLMs). Discover our strategies for detecting and mitigating several of the top OWASP vulnerabilities in LLM applications, ensuring safer and more secure AI-driven applications.

Linux detection engineering with Auditd

In this article, learn more about using Auditd and Auditd Manager for detection engineering.

In-the-Wild Windows LPE 0-days: Insights & Detection Strategies

This article will evaluate detection methods for Windows local privilege escalation techniques based on dynamic behaviors analysis using Elastic Defend features.

Unlocking Power Safely: Privilege Escalation via Linux Process Capabilities

Organizations need to understand how Linux features contribute to their attack surface via privilege escalation and how to effectively monitor intrusion attempts using free and open detection capabilities.

Unveiling malware behavior trends

An analysis of a diverse dataset of Windows malware extracted from more than 100,000 samples revealing insights into the most prevalent tactics, techniques, and procedures.

Monitoring Okta threats with Elastic Security

This article guides readers through establishing an Okta threat detection lab, emphasizing the importance of securing SaaS platforms like Okta. It details creating a lab environment with the Elastic Stack, integrating SIEM solutions, and Okta.

Ransomware in the honeypot: how we capture keys with sticky canary files

This article describes the process of capturing encryption keys from ransomware using Elastic Defend ransomware protection.

Starter guide to understanding Okta

This article delves into Okta's architecture and services, laying a solid foundation for threat research and detection engineering. Essential reading for those aiming to master threat hunting and detection in Okta environments.

Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks

With Elastic Security 8.11, we added further kernel telemetry call stack-based detections to increase efficacy against in-memory threats.

Google Cloud for Cyber Data Analytics

This article explains how we conduct comprehensive cyber threat data analysis using Google Cloud, from data extraction and preprocessing to trend analysis and presentation. It emphasizes the value of BigQuery, Python, and Google Sheets - showcasing how to refine and visualize data for insightful cybersecurity analysis.

Signaling from within: how eBPF interacts with signals

This article explores some of the semantics of UNIX signals when generated from an eBPF program.

Streamlining ES|QL Query and Rule Validation: Integrating with GitHub CI

ES|QL is Elastic's new piped query language. Taking full advantage of this new feature, Elastic Security Labs walks through how to run validation of ES|QL rules for the Detection Engine.

Accelerating Elastic detection tradecraft with LLMs

Learn more about how Elastic Security Labs has been focused on accelerating our detection engineering workflows by tapping into more generative AI capabilities.

Using LLMs and ESRE to find similar user sessions

In our previous article, we explored using the GPT-4 Large Language Model (LLM) to condense Linux user sessions. In the context of the same experiment, we dedicated some time to examine sessions that shared similarities. These similar sessions can subsequently aid the analysts in identifying related suspicious activities.

Peeling back the curtain with call stacks

In this article, we'll show you how we contextualize rules and events, and how you can leverage call stacks to better understand any alerts you encounter in your environment.

Using LLMs to summarize user sessions

In this publication, we will talk about lessons learned and key takeaways from our experiments using GPT-4 to summarize user sessions.

Into The Weeds: How We Run Detonate

Explore the technical implementation of the Detonate system, including sandbox creation, the supporting technology, telemetry collection, and how to blow stuff up.

Upping the Ante: Detecting In-Memory Threats with Kernel Call Stacks

We aim to out-innovate adversaries and maintain protections against the cutting edge of attacker tradecraft. With Elastic Security 8.8, we added new kernel call stack based detections which provide us with improved efficacy against in-memory threats.

Detect domain generation algorithm (DGA) activity with new Kibana integration

We have added a DGA detection package to the Integrations app in Kibana. In a single click, you can install and start using the DGA model and associated assets, including ingest pipeline configurations, anomaly detection jobs, and detection rules.

Exploring Windows UAC Bypasses: Techniques and Detection Strategies

In this research article, we will take a look at a collection of UAC bypasses, investigate some of the key primitives they depend on, and explore detection opportunities.

Click, Click… Boom! Automating Protections Testing with Detonate

To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.

Hunting for Suspicious Windows Libraries for Execution and Defense Evasion

Learn more about discovering threats by hunting through DLL load events, one way to reveal the presence of known and unknown malware in noisy process event data.

Detect Credential Access with Elastic Security

Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.

Detecting Living-off-the-land attacks with new Elastic Integration

We added a Living off the land (LotL) detection package to the Integrations app in Kibana. In a single click, you can install and start using the ProblemChild model and associated assets including anomaly detection configurations and detection rules.

Hunting for Lateral Movement using Event Query Language

Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.

Identifying beaconing malware using Elastic

In this blog, we walk users through identifying beaconing malware in their environment using our beaconing identification framework.

Ingesting threat data with the Threat Intel Filebeat module

Tutorial that walks through setting up Filebeat to push threat intelligence feeds into your Elastic Stack.

Stopping Vulnerable Driver Attacks

This post includes a primer on kernel mode attacks, along with Elastic’s recommendations for securing users from kernel attacks leveraging vulnerable drivers.

The Elastic Container Project for Security Research

The Elastic Container Project provides a single shell script that will allow you to stand up and manage an entire Elastic Stack using Docker. This open source project enables rapid deployment for testing use cases.

Google Workspace Attack Surface

During this multipart series, we’ll help you understand what GW is and some of the common risks to be aware of, while encouraging you to take control of your enterprise resources.

Google Workspace Attack Surface

During part two of this multipart series, we’ll help you understand how to set up a GW lab for threat detection and research.

Get-InjectedThreadEx – Detecting Thread Creation Trampolines

In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script, Get-InjectedThreadEx.

Analysis of Log4Shell vulnerability & CVE-2021-45046

In this post, we cover next steps the Elastic Security team is taking for users to continue to protect themselves against CVE-2021-44228, or Log4Shell.

Security operations: Cloud monitoring and detection with Elastic Security

As companies migrate to cloud, so too do opportunist adversaries. That's why our Elastic Security team members have created free detection rules for protecting users' cloud platforms like AWS and Okta. Learn more in this blog post.

KNOTWEED Assessment Summary

KNOTWEED deploys the Subzero spyware through the use of 0-day exploits for Adobe Reader and the Windows operating system. Once initial access is gained, it uses different sections of Subzero to maintain persistence and perform actions on the host.

Detecting Exploitation of CVE-2021-44228 (Log4j2) with Elastic Security

This blog post provides a summary of CVE-2021-44228 and provides Elastic Security users with detections to find active exploitation of the vulnerability in their environment. Further updates will be provided to this post as we learn more.

Detection rules for SIGRed vulnerability

The SIGRed vulnerability impacts all systems leveraging the Windows DNS server service (Windows 2003+). To defend your environment, we recommend implementing the detection logic included in this blog post using technology like Elastic Security.

Elastic's response to the Spring4Shell vulnerability (CVE-2022-22965)

Executive-level details about CVE-2022-22965, a recently disclosed remote code execution (RCE) vulnerability also known as “Spring4Shell”.

Handy Elastic Tools for the Enthusiastic Detection Engineer

Tools like the EQLPlayground, RTAs, and the detection-rules CLI are great resources for getting started with EQL, threat hunting, and detection engineering respectively.

Detecting and responding to Dirty Pipe with Elastic

Elastic Security is releasing detection logic for the Dirty Pipe exploit.

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 2)

Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.

Hunting For In-Memory .NET Attacks

As a follow-up to my DerbyCon presentation, this post will investigate an emerging trend of adversaries using .NET-based in-memory techniques to evade detection.

Hunting In Memory

Threat Hunters are charged with the difficult task of sifting through vast sources of diverse data to pinpoint adversarial activity at any stage in the attack.

Nimbuspwn: Leveraging vulnerabilities to exploit Linux via Privilege Escalation

The Microsoft 365 Defender team released a post detailing several identified vulnerabilities. These vulnerabilities allow adversarial groups to escalate privileges on Linux systems, allowing for deployment of payloads, ransomware, or other attacks.

Testing your Okta visibility and detection with Dorothy and Elastic Security

Dorothy is a tool for security teams to test their visibility and detection capabilities for their Okta environment. IAM solutions are frequently targeted by adversaries but poorly monitored. Learn how to get started with Dorothy in this post.

Embracing offensive tooling: Building detections against Koadic using EQL

Find new ways to build behavioral detections against post-exploitation frameworks such as Koadic using Event Query Language (EQL).

Adversary tradecraft 101: Hunting for persistence using Elastic Security (Part 1)

Learn how Elastic Endpoint Security and Elastic SIEM can be used to hunt for and detect malicious persistence techniques at scale.

Practical security engineering: Stateful detection

By formalizing stateful detection in your rules, as well as your engineering process, you increase your detection coverage over future and past matches. In this blog post, learn why stateful detection is an important concept to implement.

Elastic Security opens public detection rules repo

Elastic Security has opened its detection rules repository to the world. We will develop rules in the open alongside the community, and we’re welcoming your community-driven detections. This is an opportunity to share collective security knowledge.