Wayne (@kprobes)'s Twitter Profile
Wayne

@kprobes

Threat Intelligence - Detection Engineering

ID: 322589994

Joined: 23-06-2011 12:32:40

390 Tweets

165 Followers

421 Following

WithSecure Labs (@fsecurelabs):

We just released our analysis of new technical details related to Lazarus targeting the cryptocurrency vertical (Macros not needed): labs.f-secure.com/publications/t…

Luke Roberts (@rookuu_):

I've released a new post on F-Secure Labs that considers persistence using calendar alerts on macOS. This builds on some awesome prior work by Andy Grant, and can now be executed using Cody Thomas 's Mythic framework.

WithSecure Labs (@fsecurelabs):

Oh, you liked them Lazarus Detection Rules? See what happens when Incident Response and Threat Hunting really get along & make it to second base: labs.f-secure.com/blog/catching-…

William Burgess (@joehowwolf):

My talk on detecting access token manipulation from last year's Black Hat is now up. If you have ever been confused by the bigger picture of how access tokens/logon sessions/network auth all fit together, you may find it a useful resource: youtu.be/RMVyYvt0bLY

WithSecure Labs (@fsecurelabs):

How do we spot the rotten Apples? Join Calum and Luke as they take us through the basics of macOS detection labs.f-secure.com/blog/attack-de… labs.f-secure.com/blog/attack-de… labs.f-secure.com/blog/attack-de…

RandomAccessMusings (@rndmaccssmsngs):

labs.f-secure.com/blog/prelude-t… Write-up of some analysis we did off the back of an incident a few months ago. Mapped to ATT&CK and with Sigma rules for actionable takeaways.

James D (@frantictyping):

I'm excited to release a tool that I wrote at F-Secure Countercept to help triage Windows event logs. Chainsaw is a Rust CLI tool to quickly search and hunt through event logs. It supports Sigma detection rules to identify potential threats. More info here: github.com/countercept/ch…

F-Secure Consulting (@fsecure_consult):

Join @Lavi161 at AISA National as he discusses #UEFI variable runtime manipulation persistence techniques, and detection and monitoring methods. This is going to be a good one. Register to book your seat now >> cyberconference.com.au/program-virtua…

Paul Seekamp (@nullenc0de):

I just used github.com/countercept/ch… for a real IR. 😲 unbelievable! The best IR tool in my tool belt, bar none. Customer gave me 50 gigs of EVNT logs and I had answers in minutes. MINUTES!

RandomAccessMusings (@rndmaccssmsngs):

Awesome research on macOS #ESF and some practical examples for threat detection by my colleague Connor: labs.f-secure.com/blog/esfang-ex…

William Burgess (@joehowwolf):

Ever wanted to make your sketchy syscalls look squeaky clean? I wrote a blog demonstrating a PoC which calls NtOpenProcess to grab a handle to lsass with an arbitrary/spoofed call stack: labs.withsecure.com/blog/spoofing-… PoC: github.com/countercept/Ca…

James D (@frantictyping):

I'm happy to announce the release of Chainsaw v2! 🥳 Chainsaw allows users to rapidly search through Windows event logs and hunt for threats using Sigma detection rules, all without a SIEM! Version 2 includes some exciting new features, info in 🧵 github.com/WithSecureLabs…

William Burgess (@joehowwolf):

I wrote a PoC memory scanner for detecting timer-queue timers à la 5pider's Ekko sleep obfuscation. Blog here: labs.withsecure.com/publications/h… PoC: github.com/WithSecureLabs…

Luke Jennings (@jukelennings):

My #BlueHat talk "The new SaaS cyber kill chain" has finally dropped! If you didn't make it to Seattle last month, check it out on YouTube along with all the talks. Microsoft BlueHat, thanks again for having me! youtu.be/pdDzUTFVIZc?si…

William Burgess (@joehowwolf):

New CS blog: Introducing the Mutator Kit - Creating Object File Monstrosities with Sleep Mask and LLVM: cobaltstrike.com/blog/introduci…

William Burgess (@joehowwolf):

New CS blog - Revisiting the UDRL Part 3: cobaltstrike.com/blog/revisitin… If you like the idea of loading a custom C2 channel in your UDRL, then this blog may be of interest 👀