Announcing the Elastic Bounty Program for Behavior Rule Protections, Elastic Security Labs

Elastic has launched a new chapter in its security bounty program on HackerOne to enhance its detection rules for SIEM and EDR by inviting the global security community to test and identify vulnerabilities. This initiative aims to improve the effectiveness of Elastic’s security offerings, especially focusing on the detection rules for Windows endpoints. Researchers are encouraged to explore evasion techniques to help strengthen Elastic’s defenses against evolving threats. Affected: SIEM, EDR, Windows, Elastic Security

Key points:

  • Elastic has expanded its bounty program to include the testing of SIEM and EDR detection rules.
  • Researchers can provide feedback and help identify vulnerabilities in Elastic’s security solutions.
  • The new initiative emphasizes external validation of detection capabilities to bolster security resilience.
  • Key areas of focus include telemetry evasion and privilege evasion techniques.
  • The bounty program will reward submissions based on their impact and complexity in detecting evasion techniques.
  • Submissions must provide reproducible results and significant documentation for validation.
  • This program reflects Elastic’s commitment to open collaboration with the security research community.

MITRE Techniques:

  • Technique: T1064 – SIPP – Process Injection: Bypassing detection rules related to process injection techniques.
  • Technique: T1003 – Credential Dumping: Creative ways to bypass detection related to credential dumping.
  • Technique: T1543 – Create or Modify System Process: Evasion techniques that target behavioral detection rules for system processes.
  • Technique: T1075 – Pass the Hash: Exploring methods that evade detection of pass-the-hash credential use.
  • Technique: T1071 – Application Layer Protocol: Bypasses that manipulate application layer communication in a way that evades detection.

Full Story: https://www.elastic.co/security-labs/behavior-rule-bug-bounty