Thursday, June 22, 2023

Agent Tesla Spearphishing

More .NET malware analysis. In this post, we'll be analyzing another spearphishing email, this time masquerading as a mathematics paper exploiting CVE-2017-11882. And we'll generate some Yara rules for detecting it.

Sunday, June 11, 2023

Sysmon Custom Templates for Event Tracing

A few days ago I learned it's possible to modify Windows Sysmon to enable tailored Windows Event Tracing. By simply providing Sysmon with an XML ruleset, we can generate custom alerts and automatically filter for and tag particular events. For example, the following rule would alert us to proxy code execution using .NET's C# compiler, csc.exe:

<!-- MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery -->
<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
  <!-- Both conditions must match (groupRelation="and"): csc.exe launched from a user-writable path -->
  <Image condition="image">csc.exe</Image>
  <CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
</Rule>

The above is a snippet from the default template published by @SwiftOnSecurity. But various orgs have made their own forks, and it can be further modified per use-case. It's a super useful customization for malware analysis, forensics, and anything else involving Windows.

Wednesday, March 01, 2023

Linear Sweeping vs Recursive Disassembly

Objdump's linear sweep

While objdump's linear algorithm makes it fast, there are tradeoffs. For example, if we construct a Linux executable, we find we can insert strings into various headers which objdump will, to no surprise, blindly misinterpret.

Sunday, February 26, 2023

Use xargs

Get out of the habit of using while read as an idiom and instead use xargs to process arguments when you're doing batch compute stuff.

Saturday, January 21, 2023

Mm .. Malware Analysis

TL;DR: Analysis of malspam potentially targeting an organization. C#/.NET binary using KoiVM, process hollowing, and abusing vulnerable procexp152.sys driver.

Friday, January 20, 2023

Cannabis vs Cognition

Searching through papers this morning curious about evidence-based studies on cannabis (and synthetic cannabis[1][2]) in relation to psychosis, schizophrenia, and general effects on cognition.

Saturday, December 24, 2022

FrodoPIR

This morning I'm staring down a stack of research papers on my desk. But I just saw a headline on Hacker News that Brave, a privacy-preserving browser I'm a fan of, published a paper and code for an improved private information retrieval system.

Using Python To Access archive.today, July 2025

It seems like a lot of the previous software wrappers to interact with archive.today (and archive.is, archive.ph, etc) via the command-line ...