Author

Elastic Security Labs

Articles

Investigating a Mysteriously Malformed Authenticode Signature

An in-depth investigation tracing a Windows Authenticode validation failure from vague error codes to undocumented kernel routines.

MaaS Appeal: An Infostealer Rises From The Ashes

NOVABLIGHT is a NodeJS infostealer developed and sold as a MaaS offering; it is used primarily to steal credentials and compromise cryptowallets.

WinVisor – A hypervisor-based emulator for Windows x64 user-mode executables

WinVisor is a hypervisor-based emulator for Windows x64 user-mode executables that leverages the Windows Hypervisor Platform API to provide a virtualized environment for logging syscalls and enabling memory introspection.

Beyond the wail: deconstructing the BANSHEE infostealer

The BANSHEE malware is a macOS-based infostealer that targets system information, browser data, and cryptocurrency wallets.

NETWIRE Configuration Extractor

Python script to extract the configuration from NETWIRE samples.

BLISTER Configuration Extractor

Python script to extract the configuration and payload from BLISTER samples.

BPFDoor Configuration Extractor

Configuration extractor to dump the hardcoded passwords used by BPFDoor.

BPFDoor Scanner

Python script to identify hosts infected with the BPFDoor malware.

Cobalt Strike Beacon Extractor

Python script that collects Cobalt Strike memory data generated by security events from an Elasticsearch cluster, extracts the configuration from the CS beacon, and writes the data back to Elasticsearch.

EMOTET Configuration Extractor

Python script to extract the configuration from EMOTET samples.

ICEDID Configuration Extractor

Python script to extract the configuration from ICEDID samples.

PARALLAX Payload Extractor

Python script to extract the payload from PARALLAX samples.

QBOT Configuration Extractor

Python script to extract the configuration from QBOT samples.

Sneak Peek: Elastic’s 2022 Global Threat Report

Elastic Security Labs has compiled the 2022 Global Threat Report to share trends and tactics adversaries and attack groups use, as observed by our threat research team and broader user community over the past year.