signed pseudo/non-ms lolbin (similar to rundll32)

virustotal.com/gui/file/453e2…

Spoiler, it's Elastic virustotal.com/gui/file/4429f…

Based on additional research, we expanded the logic of our 'CVE-2023-4911: Looney Tunables' detection and endpoint rules to account for exploiting other dl tunables and other SUID/GUID binaries. Update available in github.com/elastic/detect…!

Glad to see our Linux detection rule set already (unintendedly) detected CVE-2023-4911 (Looney Tunables) through github.com/elastic/detect….

Made sure we have more specific detections in place however, new endpoint and detection rules coming up!

github.com/elastic/detect… CVE-2023-4911

so many funny screenshot to show 100% coverage in 2023 mitre eval for things like data obfuscation/ encoding/decoding, traffic encryption and masquerading :D

There are many example but if you want to check urself 3.A.3 - Encrypted Channel(T1573)

attackevals.mitre-engenuity.org/results/enterp…

Explore how Mika Ayenson and Jess Daubner have used #AI to increase #threatdetection in this new blog from #ElasticSecurityLabs : go.es.io/45caDUX

Watch me drop some still-unpatched Windows exploits at BlackHat:
✅ Bypass LSASS RunAsPPL
✅ Modify kernel memory
💥 Zero vulnerable drivers

Article: tiny.cc/FVDX
Article #2: tiny.cc/KillingPPLFault
Code: github.com/gabriellandau/…
Talk: 👇 youtu.be/5xteW8Tm410

Happy we can finally talk about this one. Some EPIC work has gone in to this release from modexp Peter Winter-Smith x86matthew batsec 🔥🔥🔥🌶️🌶️🌶️

this samples includes a good set of unit tests :) almost AtomicRedTeam

thanks for sharing the DreamLand (LUA malware) samples

Elastic Defend logs process mitigation policies in process creation events

blog.xpnsec.com/protecting-you…

👇 Check out my new Windows internals article detailing how Microsoft plans to kill ☠ PPLFault (some day). #NotASecurityBoundary

elastic.co/security-labs/…

not sure if there are normal matches to this behv (unelevated logon token creating windows services) but should match on EoP leveraging token manip and winsvc to execute elevated cmds

gist.github.com/Samirbous/e2b3…

example of match on github.com/antonioCoco/Ss…

Excited to share my hardest research about UAC 🤯

'Bypassing UAC with SSPI Datagram Contexts' 🔥

Enjoy the read! 👇

splintercod3.blogspot.com/p/bypassing-ua…

Check out this new article from Samir that explores call stacks. Understand what they are and how they can be used for detections. Learn more: go.es.io/3ZgMpHM

github.com/elastic/protec…

github.com/elastic/protec…