Security Research

Nimbuspwn: Leveraging vulnerabilities to exploit Linux via Privilege Escalation

Microsoft 365 Defender team released a post detailing several identified vulnerabilities. These vulnerabilities allow adversarial groups to escalate privileges on Linux systems, allowing for deployment of payloads, ransomware, or other attacks.

Detect Credential Access with Elastic Security

Elastic Endpoint Security provides events that enable defenders with visibility on techniques and procedures which are commonly leveraged to access sensitive files and registry objects.

Elastic's response to the Spring4Shell vulnerability (CVE-2022-22965)

Provide executive-level details about CVE-2022-22965, a recently-disclosed remote code execution (RCE) vulnerability also known as “Spring4Shell”.


Detecting and responding to Dirty Pipe with Elastic

Elastic Security is releasing detection logic for the Dirty Pipe exploit.


Exploring Windows UAC Bypasses: Techniques and Detection Strategies

In this research article, we will take a look at a collection of UAC bypasses, investigate some of the key primitives they depend on, and explore detection opportunities.


Sandboxing Antimalware Products for Fun and Profit

This article demonstrates a flaw that allows attackers to bypass a Windows security mechanism which protects anti-malware products from various forms of attack.


Analysis of Log4Shell vulnerability & CVE-2021-45046

In this post, we cover next steps the Elastic Security team is taking for users to continue to protect themselves against CVE-2021-44228, or Log4Shell.


Detecting Exploitation of CVE-2021-44228 (Log4j2) with Elastic Security

This blog post provides a summary of CVE-2021-44228 and provides Elastic Security users with detections to find active exploitation of the vulnerability in their environment. Further updates will be provided to this post as we learn more.


Detection and response for the actively exploited ProxyShell vulnerabilities

In the last week, Elastic Security has observed the exploitation of Microsoft Exchange vulnerabilities associated with ProxyShell. Review the post to find newly released details about this activity.


Collecting and operationalizing threat data from the Mozi botnet

The Mozi botnet is an ongoing malware campaign targeting unsecured and vulnerable networking devices. This post will showcase the analyst journey of collecting, analyzing, and operationalizing threat data from the Mozi botnet.


Ingesting threat data with the Threat Intel Filebeat module

Tutorial that walks through setting up Filebeat to push threat intelligence feeds into your Elastic Stack.


Hunting for Lateral Movement using Event Query Language

Elastic Event Query Language (EQL) correlation capabilities enable practitioners to capture complex behavior for adversary Lateral Movement techniques. Learn how to detect a variety of such techniques in this blog post.