Savagery vs Science

Savagery is sort of the opposite of science, in that it's a kind of impulsive readiness to believe or disbelieve with absolute certainty, often followed by false religious zeal or dogma.

Clock Drift

When people think about clocks, they might know about how old analog clocks functioned and also suffered from the problem of clock drift. But even with the advent of digital clocks, we also find the same problem once more.

Euler's Continued Fraction in Lisp

In 1748, Leonhard Euler published a formula describing an identity that connected and generalized an infinite series and infinite continued fraction.

Notes on Compilers

Lately I've been revisiting compilers and linguistics. It reminded me of Herbert Gross' lectures on calculus.

Agent Tesla Spearphishing

More .NET malware analysis. In this post, we'll be analyzing another spearphishing email, this time masquerading as a mathematics paper exploiting CVE-2017-11882. And we'll generate some Yara rules for detecting it.

Sysmon Custom Templates for Event Tracing

A few days ago I learned it's possible to modify Window's Sysmon to enable tailored Windows Event Tracing. By simply providing Sysmon with an XML ruleset, we can generate custom alerts and automatically filter for and tag particular events. For example, the following rule would alert us of proxy code execution using .NET's C# compiler, csc.exe:

<!-- MITRE ATT&CK TECHNIQUE: Obfuscated Files or Information: Compile After Delivery -->
<Rule name="Attack= T1127.001,Technique=Trusted Developer Utilities Proxy Execution ,Tactic=Defnse Evasion,DS=Process: Process Creation,Level=4,Alert=CSC Suspicious Location,Risk=60" groupRelation="and">
<Image condition="image">csc.exe</Image>
<CommandLine condition="contains any">\AppData\;\Windows\Temp\</CommandLine>

The above is a snippet from the default template published by @SwiftOnSecurity. But various orgs have made their own forks. And it can be further modified per use-case. A super useful customization for malware analysis, forensics, and anything involving Windows.

Linear Sweeping vs Recursive Disassembly

Objdump's linear sweep

While objdump's linear algorithm makes it fast, there are tradeoffs. For example, if we construct a Linux executable, we find we can insert strings into various headers which objdump will, to no surprise, blindly misinterpret.