Category

Internals

FlipSwitch offers a fresh look at bypassing Linux kernel defenses, revealing a new technique in the ongoing battle between cyber attackers and defenders.

Investigating a Mysteriously Malformed Authenticode Signature

An in-depth investigation tracing a Windows Authenticode validation failure from vague error codes to undocumented kernel routines.

Call Stacks: No More Free Passes For Malware

We explore the immense value that call stacks bring to malware detection and why Elastic considers them to be vital Windows endpoint telemetry despite the architectural limitations.

Misbehaving Modalities: Detecting Tools, Not Techniques

We explore the concept of Execution Modality and how modality-focused detections can complement behaviour-focused ones.

Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure

In this article, we explore what hotkey-based keyloggers are and how to detect them. Specifically, we explain how these keyloggers intercept keystrokes, then present a detection technique that leverages an undocumented hotkey table in kernel space.

Detecting Hotkey-Based Keyloggers Using an Undocumented Kernel Data Structure (Japanese edition)

This article introduces what hotkey-based keyloggers are and how to detect them. Specifically, after explaining how hotkey-based keyloggers steal keystrokes, we describe a detection technique that leverages an undocumented hotkey table that exists at the kernel level.

Dismantling Smart App Control

This article will explore Windows Smart App Control and SmartScreen as a case study for researching bypasses to reputation-based systems, then demonstrate detections to cover those weaknesses.

Introducing a New Vulnerability Class: False File Immutability

This article introduces a previously-unnamed class of Windows vulnerability that demonstrates the dangers of assumption and describes some unintended security consequences.

GrimResource - Microsoft Management Console for initial access and evasion

Elastic researchers uncovered a new technique, GrimResource, which allows full code execution via specially crafted MSC files. It underscores a trend of well-resourced attackers favoring innovative initial access methods to evade defenses.

Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks

With Elastic Security 8.11, we added further kernel telemetry call stack-based detections to increase efficacy against in-memory threats.

Inside Microsoft's plan to kill PPLFault

In this research publication, we'll learn about upcoming improvements to the Windows Code Integrity subsystem that will make it harder for malware to tamper with Anti-Malware processes and other important security features.

Peeling back the curtain with call stacks

In this article, we'll show you how we contextualize rules and events, and how you can leverage call stacks to better understand any alerts you encounter in your environment.

Upping the Ante: Detecting In-Memory Threats with Kernel Call Stacks

We aim to out-innovate adversaries and maintain protections against the cutting edge of attacker tradecraft. With Elastic Security 8.8, we added new kernel call stack based detections which provide us with improved efficacy against in-memory threats.

Effective Parenting - detecting LRPC-based parent PID spoofing

Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.

Stopping Vulnerable Driver Attacks

This post includes a primer on kernel mode attacks, along with Elastic’s recommendations for securing users from kernel attacks leveraging vulnerable drivers.

Sandboxing Antimalware Products for Fun and Profit

This article demonstrates a flaw that allows attackers to bypass a Windows security mechanism which protects anti-malware products from various forms of attack.

Finding Truth in the Shadows

Let's discuss three benefits that Hardware Stack Protections brings beyond the intended exploit mitigation capability, and explain some limitations.

Get-InjectedThreadEx – Detecting Thread Creation Trampolines

In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script, Get-InjectedThreadEx.

Deep dive into the TTD ecosystem

This is the first in a series focused on the Time Travel Debugging (TTD) technology developed by Microsoft that was explored in detail during a recent independent research period.

Hunting For In-Memory .NET Attacks

As a follow-up to my DerbyCon presentation, this post will investigate an emerging trend of adversaries using .NET-based in-memory techniques to evade detection.