/var/log/messages

Like all good researchers, we publish our findings for everyone’s benefit. The articles here evidence our commitment to technical excellence and the breadth of the disciplines we cover.

Scheduled Task Tampering

By Riccardo Ancarani on May 4, 2022 at 11:49 PM

Introduction

Microsoft recently published an article that documented how the HAFNIUM threat actor leveraged a flaw in how scheduled tasks are stored in the registry to hide their presence.

Faking Another Positive COVID Test

By Ken Gannon on April 21, 2022 at 12:41 PM

Introduction

WithSecure conducted research into the Cue Health Home COVID-19 Test with the intention of finding methods to create fraudulent COVID-19 test results.

Detecting Attacks against Azure DevOps

By Matthew Lucas on April 5, 2022 at 12:16 PM

This post will cover detection opportunities specific to the attack path discussed in the previous blog. In this path, a malicious Azure Active Directory application was registered from a low privileged foothold.

Performing and Preventing Attacks on Azure Cloud Environments through Azure DevOps

By Matthew Lucas on April 5, 2022 at 12:16 PM

Many organisations have recognised the risk of assigning cloud engineers with direct privileges to their production Azure Cloud resources.

Faking A Positive COVID Test

By Ken Gannon on December 21, 2021 at 12:42 PM

Introduction

F-Secure conducted research into the Ellume COVID-19 Home Test with the intention of finding methods to fake a COVID test result.

ESFang - Exploring the macOS Endpoint Security Framework (ESF) for Threat Detection

By Connor Morley on December 20, 2021 at 3:45 PM

Executive Summary

Endpoint Security Framework (ESF) is the new(ish) security auditing tool that Apple has introduced to provide the security industry with a one-stop shop for all its telemetry needs. Released in macOS version 10.

A bit of a Fixer Upper - Testing FIX-backed applications

By Oliver Simonnet on November 24, 2021 at 12:19 PM

TL;DR

I woke up one day and realized I didn't know much about the FIX protocol. So I spent a few days looking into it and then created a Burp extension to make my life easier.

Analysis of CVE-2021-1810 Gatekeeper bypass

By Rasmus Sten on October 1, 2021 at 2:25 PM

Introduction

In my previous blog post, I wrote about how I found a Gatekeeper bypass vulnerability in how archive files are unpacked with Archive Utility. This post analyses the issue in more detail.

The discovery of Gatekeeper bypass CVE-2021-1810

By Rasmus Sten on October 1, 2021 at 2:25 PM

TL;DR

When extracted by Archive Utility, file paths longer than 886 characters would fail to inherit the com.apple.quarantine extended attribute, making it possible to bypass Gatekeeper for those files.

Playing with PuTTY

By Tim Carrington on August 3, 2021 at 8:25 AM

Introduction

During adversarial simulation exercises we often have to solve complex problems with novel techniques. More often than not it is the solution to these problems that drives progress.

Prelude to Ransomware: SystemBC

By Callum Roxan and Sami Ruohonen on May 10, 2021 at 8:26 AM

Introduction

In late February 2021, F-Secure’s Managed Detection and Response (MDR) service identified the execution of SystemBC malware as part of a hands-on-keyboard crimeware intrusion.

Attack Detection Fundamentals 2021: Azure - Lab #3

By Masande Mtintsilana on April 28, 2021 at 11:11 AM

In the previous lab, we learnt that with read-only permissions, we can still read Azure Logic App Workflow definitions to search for sensitive information.
