DefSecSentinel

Jamf Protect + Elastic Security = macOS XDR done right. Ingest Jamf Protect telemetry, normalize it to ECS, and investigate with AI — all without leaving Elastic. What's included: - Prebuilt Jamf Protect detection rules - AI Assistant for alert explainability & response plans - Timeline & Analyzer for full attack reconstruction See how it works go.es.io/4bjFOnF

New blog: Hooked on Linux — Rootkit Taxonomy, Hooking Techniques and Tradecraft Part 1 of our Linux rootkit series exploring kernel & userland rootkits and the hooking techniques they use (syscall/function hooks, ftrace, eBPF, inline patching). 🔗elastic.co/security-labs/…

**OFFICIAL** EDR Tier List for 2026! Based on nothing but the people in chat, vibes, guests, opinions and limited experience. Thanks to @EmericNasi @ShitSecure @_JohnHammond and @domchell for jumping in a guests to help me out this time around!

My new site for learning macOS malware reverse engineering: l0psec.github.io/Malware_RE_Blo… I got my start in RE by using @patrickwardle's awesome blog. I would download samples and follow along. So I created this to complement that with dives into specific code from recent samples.

All Python spin for the Elastic Container Project is available if anyone wants to kick the tires. Probably going to archive the Bash version at the end of 2025(ish) #elasticcontainerproject github.com/peasead/elasti…

New from the developer of #FINALDRAFT: Meet #NANOREMOTE, a newly-discovered Windows backdoor that leverages the Google Drive API for data theft and payload staging. Get the full analysis and defense strategies: ela.st/nanoremote

26% more EDR behavior protections in #Elastic Defend this year - ~250 new detections across Windows, Linux & macOS. Coverage keeps growing defenders keep winning! 🚀 Big props to @RFGroenewoud @DefSecSentinel Shashank K S and team 💪 github.com/elastic/protec…

The #OBTS community is simply incredible!! 😍 From trainers & speakers to students & attendees, you made this the best #OBTS yet 🙏🏽 Photos, recordings & slides coming soon!

Another awesome #OBTS 🌴🏖️☀️in the books. It was an honor to speak again this year and share my research with this incredible community 🍎. Such a blast spending time with newcomers and old friends. There is truly no other conference like it. Huge shout out and thank you to both @andyrozen and @patrickwardle for all the hard work you put in ❤️.

@osint_barbie Same!

@DefSecSentinel Looking forward to seeing you irl!

Heading to my 3rd #OBTS 🌴☀️🌊today! Best conference out there. Honored to be speaking again this year alongside so many other incredible #Apple 🍎 security researchers. It’s gonna be a blast, can’t wait to see everyone! Pumped to get to share my research into using and abusing containers as payloads in “BYOB: Bring your own Blackbox - Isolated Defense Evasion on MacOS” 💪

#ElasticSecurityLabs has kept tabs on #WARMCOOKIE, a backdoor we disclosed in June 2024 that used employment-related phishing lures to infect victims. Learn how this threat’s evolving: go.es.io/46O8pOo

Research & PoC: FlipSwitch Rootkit A syscall-table hooking technique that works on modern Linux (6.9+), researched for and presented at @virusbtn by @rsprooten and me. Revives syscall hooking by patching x64_sys_call call sites instead of table entries. elastic.co/security-labs/…

Linux syscall hooks were forever changed with kernel 6.9, check out this article from #ElasticSecurityLabs describing #FlipSwitch– the latest in Linux hooking: go.es.io/4nSrCW3

A chat and demo with James Spiteri to see just how easy it is now to spin up Elastic -- and with several options completely free! youtu.be/7Z2zObdhN-Q

#OBTS v8 is very close to selling out (only ~10 or so tickets left) 🫣 Get your ticket before they are gone: objectivebythesea.org/v8/attending.h…

nice technique! #Elastic EDR (Elastic Defend) is not affected + we do have an existing behavior protection rule that will terminate WerFaultSecure.exe (to protect other processes) #L9" target="_blank" rel="nofollow noopener">github.com/elastic/protec…

@osint_barbie @elastic ❤️ Love to see it 😎

Love it! @elastic solo on detections 🔥 @DefSecSentinel 😎

macOS Tahoe ships with a 0day ...based on a bug disclosed 8(!) years ago at #OBTS v1.0 🫣 New post: "From Spotlight to Apple Intelligence: Abusing an 0day to steal the data that fuels macOS AI": objective-see.org/blog/blog_0x81… ...with open-source PoC! Takeaway? Always attend #OBTS 😄

Excited to share our research on ChillyHell, a modular macOS backdoor targeting officials in Ukraine. Check out our write-up for more details. jamf.com/blog/chillyhel…