Author
John Uhlmann
Senior Security Research Engineer, Elastic
Articles
Kernel ETW is the best ETW
This research focuses on the importance of native audit logs in secure-by-design software, emphasizing the need for kernel-level ETW logging over user-mode hooks to enhance anti-tamper protections.
Doubling Down: Detecting In-Memory Threats with Kernel ETW Call Stacks
With Elastic Security 8.11, we added further kernel telemetry call stack-based detections to increase efficacy against in-memory threats.
Effective Parenting - detecting LRPC-based parent PID spoofing
Using process creation as a case study, this research will outline the evasion-detection arms race to date, describe the weaknesses in some current detection approaches and then follow the quest for a generic approach to LRPC-based evasion.
Get-InjectedThreadEx – Detecting Thread Creation Trampolines
In this blog, we will demonstrate how to detect each of four classes of process trampolining and release an updated PowerShell detection script – Get-InjectedThreadEx