Like all good researchers, we publish our findings for everyone’s benefit. The articles here evidence our commitment to technical excellence and the breadth of the disciplines we cover.

Detecting Cobalt Strike Default Modules via Named Pipe Analysis

By Riccardo Ancarani on 20 November 2020

During recent years, the Cobalt Strike framework has gained significant popularity amongst red teamers and threat actors alike. Its functionality, flexibility and stability make it the state of the art when it comes to commercially available...

Read more

Using and detecting C2 printer pivoting

By Alfie Champion and James Coote on 2 November 2020

IntroductionThis post introduces the novel concept of Command & Control (C2) using print jobs, and demonstrates how this can be achieved using C3's Print channel.

Read more

Catching Lazarus: Threat Intelligence to Real Detection Logic - Part Two

By Guillaume Couchard, Qimin Wang and Thiam Loong Siew on 23 October 2020

In this second blog post, we will continue to share actionable detection insights for blue teams to defend their organization against the Advanced Persistent Threat (APT) group – Lazarus Group.

Read more

Samsung S20 - RCE via Samsung Galaxy Store App

By Ken Gannon on 23 October 2020

F-Secure looked into exploiting the Samsung S20 device for Tokyo Pwn2Own 2020. An exploit chain was found for version of the Galaxy Store application that could have allowed an attacker to install any application on...

Read more

GWTMap - Reverse Engineering Google Web Toolkit Applications

By Oliver Simonnet on 21 October 2020

GWTMap is a new tool to help map the attack surface of Google Web Toolkit (GWT) based applications. The purpose of this tool is to facilitate the extraction of any service method endpoints buried within a...

Read more

Operationalising Calendar Alerts: Persistence on macOS

By Luke Roberts on 16 October 2020

Throughout the following blog post we provide insights into calendar alerts, a method of persisting on macOS. Building on the work of Andy Grant over at NCC (https://research.nccgroup.com/2020/05/05/exploring-macos-calendar-alerts-part-1-attempting-to-execute-code/), this post takes deeper look into weaponising the...

Read more

How to attack distributed machine learning via online training

By Alexey Kirichenko, David Karpuk and Samuel Marchal on 6 October 2020

As in many other domains, Machine Learning (ML) techniques, which power a large share of modern Artificial Intelligence (AI) systems, were originally designed to be used in benign and controlled environments.

Read more

Introducing LDAP C2 for C3

By James Coote on 6 October 2020

F-Secure are pleased to announce that C3 now supports C2 over LDAP, adding a much-needed internal channel to C3’s arsenal.

Read more

Application-level Purple Teaming: A case study

By William Jardine on 29 September 2020

Attack-aware applications have been discussed in AppSec for over a decade - the concept that an application can detect that it is being attacked and fight back.

Read more

Catching Lazarus: Threat Intelligence to Real Detection Logic - Part One

By Guillaume Couchard, Qimin Wang and Thiam Loong Siew on 25 September 2020

It can be challenging to detect malicious documents as the embedded code is often obfuscated to evade detection from anti-virus and static file analysis.

Read more

Securing AEM With Dispatcher

By Robert Russell on 7 September 2020

Adobe Experience Manager (AEM) is a popular Content Management System (CMS) that is used by a large and active user base to develop and deploy web applications.

Read more


N1QL Injection: Kind of SQL Injection in a NoSQL Database

By Krzysztof Pranczk on 2 September 2020

Nowadays, databases support various query languages, the most popular being SQL and NoSQL. These query languages are designed to provide clients with an efficient communication interface with the databases.

Read more