Category
Tools
WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.

STIXy Situations: ECSaping your threat data
Structured threat data is commonly formatted using STIX. To help get this data into Elasticsearch, we’re releasing a Python script that converts STIX to an ECS format to be ingested into your stack.

Dancing the night away with named pipes - PIPEDANCE client release
In this publication, we will walk through this client application’s functionality and how to get started with the tool.

Click, Click… Boom! Automating Protections Testing with Detonate
To automate this process and test our protections at scale, we built Detonate, a system that is used by security research engineers to measure the efficacy of our Elastic Security solution in an automated fashion.

Unpacking ICEDID
ICEDID is known to pack its payloads using custom file formats and a custom encryption scheme. We are releasing a set of tools to automate the unpacking process and help analysts and the community respond to ICEDID.

The Elastic Container Project for Security Research
The Elastic Container Project provides a single shell script that will allow you to stand up and manage an entire Elastic Stack using Docker. This open source project enables rapid deployment for testing use cases.

NETWIRE Dynamic Configuration Extraction
Elastic Security Labs discusses the NETWIRE trojan and is releasing a tool to dynamically extract configuration files.

NETWIRE Configuration Extractor
Python script to extract the configuration from NETWIRE samples.

BLISTER Configuration Extractor
Python script to extract the configuration and payload from BLISTER samples.

BPFDoor Configuration Extractor
Configuration extractor to dump out hardcoded passwords with BPFDoor.

BPFDoor Scanner
Python script to identify hosts infected with the BPFDoor malware.

Cobalt Strike Beacon Extractor
Python script that collects Cobalt Strike memory data generated by security events from an Elasticsearch cluster, extracts the configuration from the CS beacon, and writes the data back to Elasticsearch.

EMOTET Configuration Extractor
Python script to extract the configuration from EMOTET samples.

ICEDID Configuration Extractor
Python script to extract the configuration from ICEDID samples.

PARALLAX Payload Extractor
Python script to extract the payload from PARALLAX samples.

QBOT Configuration Extractor
Python script to extract the configuration from QBOT samples.

EMOTET Dynamic Configuration Extraction
Elastic Security Labs discusses the EMOTET trojan and is releasing a tool to dynamically extract configuration files using code emulators.

Extracting Cobalt Strike Beacon Configurations
Part 2 - Extracting configurations from Cobalt Strike implant beacons.