/var/log/messages

Like all good researchers, we publish our findings for everyone’s benefit. The articles here evidence our commitment to technical excellence and the breadth of the disciplines we cover.

Detecting Exposed Cobalt Strike DNS Redirectors

By Riccardo Ancarani and Giulio Ginesi on 9 April 2021

Cobalt Strike is a well known framework used to perform adversary simulation exercises by offensive security professionals. Its flexibility and broad feature set have made it the de facto framework for red team operations. Cobalt Strike's implant,...

Attack Detection Fundamentals 2021: Windows - Lab #4

By Alfie Champion and Riccardo Ancarani on 7 April 2021

In the first part of F-Secure Consulting's Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints.

Attack Detection Fundamentals 2021: Windows - Lab #3

By Alfie Champion and Riccardo Ancarani on 7 April 2021

In the first part of F-Secure Consulting's Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints.

Attack Detection Fundamentals 2021: Windows - Lab #2

By Alfie Champion and Riccardo Ancarani on 7 April 2021

In the first part of F-Secure Consulting's Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints.

Attack Detection Fundamentals 2021: Windows - Lab #1

By Alfie Champion and Riccardo Ancarani on 7 April 2021

In the first part of F-Secure Consulting's Attack Detection Fundamentals workshop series for 2021, we covered advanced defense evasion and credential access techniques targeting Windows endpoints.

Click here for free TV! - Chaining bugs to takeover Wind Vision accounts

By Leonidas Tsaousis on 30 March 2021

A malicious application could also trick users into setting itself as the “Preferred" handler, disabling all future prompts... Historical incidents have shown that relying on users for security decisions can be a bad practice and...

Sniff, there leaks my BitLocker key

By Henri Nurmi on 21 December 2020

Sniffing SPI bus: Serial Peripheral Interface (SPI) is a synchronous serial communication protocol supporting full-duplex communication at high clock frequencies. It uses a master-slave architecture in which the master device always initiates the communication.
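Sniffing an SPI bus in practice means turning raw logic-analyser samples of the chip-select, clock, MOSI and MISO lines back into bytes. The decoder below is an added example, not code from the original post: it assumes one sample per channel per tick, MSB-first framing, an active-low chip select, and a configurable SPI mode (CPOL/CPHA), and it decodes both directions at once because the bus is full duplex. The capture it runs on is constructed in `make_capture`; the bytes in it are arbitrary and are not a real TPM transaction.

```python
"""Decode SPI traffic from logic-analyser style samples (added example)."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class SpiFrame:
    mosi: bytes  # what the master shifted out during one chip-select assertion
    miso: bytes  # what the slave shifted back in the same clock cycles


def _bits_to_bytes(bits: List[int]) -> bytes:
    # Group sampled bits into bytes, MSB first; an incomplete trailing byte is dropped.
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for b in bits[i:i + 8]:
            value = (value << 1) | b
        out.append(value)
    return bytes(out)


def decode_spi(cs, clk, mosi, miso, cpol=0, cpha=0, cs_active_low=True) -> List[SpiFrame]:
    """Return one SpiFrame per chip-select assertion.

    The SPI mode decides which clock edge carries valid data: data is sampled on
    the rising edge when CPOL == CPHA (modes 0 and 3) and on the falling edge
    otherwise (modes 1 and 2).
    """
    sample_on_rising = (cpol == cpha)
    frames: List[SpiFrame] = []
    mosi_bits: List[int] = []
    miso_bits: List[int] = []
    active = False
    for t in range(len(clk)):
        selected = (cs[t] == 0) if cs_active_low else (cs[t] == 1)
        if selected and not active:          # master asserted CS: new transaction
            active = True
            mosi_bits, miso_bits = [], []
        elif not selected and active:        # CS released: close the transaction
            active = False
            frames.append(SpiFrame(_bits_to_bytes(mosi_bits), _bits_to_bytes(miso_bits)))
        if not active or t == 0:
            continue
        rising = clk[t - 1] == 0 and clk[t] == 1
        falling = clk[t - 1] == 1 and clk[t] == 0
        if (sample_on_rising and rising) or (not sample_on_rising and falling):
            mosi_bits.append(mosi[t])
            miso_bits.append(miso[t])
    if active:  # capture ended while CS was still asserted: keep what we have
        frames.append(SpiFrame(_bits_to_bytes(mosi_bits), _bits_to_bytes(miso_bits)))
    return frames


def make_capture(mosi_bytes: bytes, miso_bytes: bytes) -> Tuple[list, list, list, list]:
    """Build a constructed mode-0 capture: CS idle high, clock idle low.

    Each bit occupies two samples: clock low with the data lines already set,
    then clock high, the edge on which mode-0 devices (and the decoder) sample.
    """
    assert len(mosi_bytes) == len(miso_bytes), "full duplex: both sides shift the same number of bits"
    cs, clk, mosi, miso = [1], [0], [0], [0]
    for mo, mi in zip(mosi_bytes, miso_bytes):
        for bit in range(7, -1, -1):
            for level in (0, 1):
                cs.append(0)
                clk.append(level)
                mosi.append((mo >> bit) & 1)
                miso.append((mi >> bit) & 1)
    cs.append(1)
    clk.append(0)
    mosi.append(0)
    miso.append(0)
    return cs, clk, mosi, miso


# Constructed sample bytes for the demo; not a real TPM or flash exchange.
MASTER_TX = bytes.fromhex("80d40000")
SLAVE_TX = bytes.fromhex("00000aaf")


def demo() -> List[SpiFrame]:
    return decode_spi(*make_capture(MASTER_TX, SLAVE_TX))


if __name__ == "__main__":
    for frame in demo():
        print("MOSI", frame.mosi.hex(), "MISO", frame.miso.hex())
```

When decoding a real capture, the first thing to verify is the mode: a wrong CPOL/CPHA shifts every byte by one bit and produces plausible-looking garbage rather than an obvious error, so check a known command byte before trusting the rest of the stream.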

sysdiag-who?

By Harry Senior on 1 December 2020

sysdiagnose is a utility on most macOS and iOS devices that can be used to gather system-wide diagnostic information. Currently on version 3.0, sysdiagnose collects a large amount of data from a wide array of locations...

Detecting Cobalt Strike Default Modules via Named Pipe Analysis

By Riccardo Ancarani on 20 November 2020

During recent years, the Cobalt Strike framework has gained significant popularity amongst red teamers and threat actors alike. Its functionality, flexibility and stability make it the state of the art when it comes to commercially available...

Using and detecting C2 printer pivoting

By Alfie Champion and James Coote on 2 November 2020

This post introduces the novel concept of Command & Control (C2) using print jobs, and demonstrates how this can be achieved using C3's Print channel.

Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two

By Guillaume Couchard, Qimin Wang and Thiam Loong Siew on 23 October 2020

In this second blog post, we will continue to share actionable detection insights for blue teams to defend their organization against the Advanced Persistent Threat (APT) group – Lazarus Group.

Samsung S20 - RCE via Samsung Galaxy Store App

By Ken Gannon on 23 October 2020

F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An exploit chain was found for version 4.5.19.13 of the Galaxy Store application that could have allowed an attacker to install any application on...
