In the fifth and final part of the Linux Persistence Detection Engineering series, we bring the journey to its grand finale by exploring some of the most obscure, creative, and complex persistence mechanisms. Building on the foundational concepts covered in previous publications, this final installment focuses on …

Read More

In the fourth part of the Linux Persistence Detection Engineering series, I continue exploring advanced Linux persistence techniques, expanding on the foundation set in previous publications. This latest installment delves into additional creative and complex methods adversaries use to maintain persistence on Linux …

Read More

In the third part of the Linux Persistence Detection Engineering series, I continue exploring advanced Linux persistence techniques, expanding on the foundation set in previous publications. This latest installment dives into more creative and complex persistence methods, providing security researchers and defenders …

Read More

At Elastic Security Labs, we uncovered PUMAKIT, a sophisticated multi-stage Linux malware with advanced rootkit capabilities. Initially identified through routine threat hunting on VirusTotal, PUMAKIT consists of a dropper (cron), two memory-resident executables, an LKM rootkit module, and a userland shared object (SO) …

Read More

At Elastic, we recognize the critical need for securing containerized applications in Kubernetes and cloud environments. To enhance runtime security, we’ve integrated Falco—an open-source cloud-native security tool—directly with Elastic Security. Falco leverages Linux kernel events and plugins to detect abnormal …

Read More

At Elastic Security Labs, we analyzed a critical set of vulnerabilities in the CUPS printing system, disclosed by security researcher Simone Margaritelli (@evilsocket) on September 26, 2024. These flaws, affecting CUPS versions ≤ 2.0.1, enable unauthenticated remote attackers to achieve remote code execution (RCE) via …

Read More

At Elastic Security Labs, we uncovered a sophisticated Linux malware campaign exploiting Apache2 servers since March 2024. Attackers used multiple malware families, including KAIJI (DDoS) and RUDEDEVIL (crypto miner), along with custom tools for persistence and control. They leveraged C2 channels disguised as kernel …

Read More

In this second part of the Linux Persistence Detection Engineering series, I explore the world of more advanced Linux persistence techniques. This part builds upon the knowledge obtained from the previous persistence blog dubbed "Linux Detection Engineering - A Primer on Persistence Mechanisms". This sequel …

Read More

In this first installment of the Linux Persistence Detection Engineering series, I delve into Linux persistence mechanisms, exploring both common and complex techniques to enhance the knowledge of defenders and security researchers. I examine how these persistence methods operate, how to set them up, and most …

Read More

In this article, I explore how to effectively use Auditd and Auditd Manager for detection engineering. I’ll demonstrate Auditd's powerful features, guide you through the setup process, and show you how to create and modify rules to capture specific behaviors. You'll also learn how to interpret the logs and discover how …

Read More