Author

Ruben Groenewoud

Security Research Engineer, Elastic


Articles

Declawing PUMAKIT

PUMAKIT is a sophisticated loadable kernel module (LKM) rootkit that employs advanced stealth mechanisms to hide its presence and maintain communication with command-and-control servers.

Cups Overflow: When your printer spills more than Ink

Elastic Security Labs discusses detection and mitigation strategies for vulnerabilities in the CUPS printing system, which allow unauthenticated attackers to exploit the system via IPP and mDNS, resulting in remote code execution (RCE) on UNIX-based systems such as Linux, macOS, BSDs, ChromeOS, and Solaris.

Betting on Bots: Investigating Linux malware, crypto mining, and gambling API abuse

The REF6138 campaign involved cryptomining, DDoS attacks, and potential money laundering via gambling APIs, highlighting the attackers' use of evolving malware and stealthy communication channels.

Linux Detection Engineering - A Sequel on Persistence Mechanisms

In this final part of the Linux persistence series, we continue exploring persistence mechanisms on Linux systems, focusing on more advanced techniques and how to detect them.

Linux Detection Engineering - A primer on persistence mechanisms

In this second part of the Linux Detection Engineering series, we map multiple Linux persistence mechanisms to the MITRE ATT&CK framework, explain how they work, and how to detect them.

Linux detection engineering with Auditd

In this article, learn more about using Auditd and Auditd Manager for detection engineering.

An Elastic approach to large-scale dynamic malware analysis

This research reveals insights into some of the large-scale malware analysis performed by Elastic Security Labs, and complements research related to the Detonate framework.