When people think about clocks, they might know how old analog clocks functioned and how they suffered from the problem of clock drift. But even with the advent of digital clocks, we find the same problem once more.
Tuesday, July 04, 2023
Monday, July 03, 2023
Euler's Continued Fraction in Lisp
In 1748, Leonhard Euler published a formula describing an identity that connected and generalized an infinite series and an infinite continued fraction.
Sunday, July 02, 2023
Notes on Compilers
Lately I've been revisiting compilers and linguistics. It reminded me of Herbert Gross' lectures on calculus.
Thursday, June 22, 2023
Agent Tesla Spearphishing
More .NET malware analysis. In this post, we'll be analyzing another spearphishing email, this time masquerading as a mathematics paper exploiting CVE-2017-11882. And we'll generate some Yara rules for detecting it.
Sunday, June 11, 2023
Sysmon Custom Templates for Event Tracing
A few days ago I learned it's possible to configure Windows Sysmon to enable tailored Windows Event Tracing. By simply providing Sysmon with an XML ruleset, we can generate custom alerts and automatically filter for and tag particular events. For example, the following rule would alert us to proxy code execution using .NET's C# compiler, csc.exe:
<!-- MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery -->
<Rule name="Attack=T1127.001,Technique=Trusted Developer Utilities Proxy Execution,Tactic=Defense Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
  <!-- groupRelation="and": both conditions must match, i.e. csc.exe launched with a user-writable path on its command line -->
  <Image condition="image">csc.exe</Image>
  <CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>
</Rule>
The above is a snippet from the default template published by @SwiftOnSecurity. But various orgs have made their own forks, and it can be further modified per use case. It's a super useful customization for malware analysis, forensics, and anything involving Windows.
Wednesday, March 01, 2023
Linear Sweeping vs Recursive Disassembly
Objdump's linear sweep
While objdump's linear algorithm makes it fast, there are tradeoffs. For example, if we construct a Linux executable, we find we can insert strings into various headers, which objdump will, to no surprise, blindly misinterpret as code.
Sunday, February 26, 2023
Use xargs
Get out of the habit of using "while read" as an idiom and instead use xargs to process arguments when you're doing batch compute work.
Using Python To Access archive.today, July 2025
It seems like a lot of the previous software wrappers to interact with archive.today (and archive.is, archive.ph, etc.) via the command-line ...
Latin1 was the early default character set for encoding documents delivered via HTTP for MIME types beginning with text/. Today, only ...
From "Overfitting and the strong version of Goodhart's law" : Increased efficiency can sometimes, counterintuitively, lead to ...
Playing around with writing malware proof-of-concepts, running red and blue team simulations in my computer lab against Windows Home edition...