Writing Custom Wazuh Rules

Thu, Jan 22, 2026
Wazuh is a powerful open-source security monitoring platform that acts as a SIEM/XDR solution. Though it has some shortcomings, it has tons of strengths, my favorite ones being; its customizability and its open-source nature. This article will be more or less a tutorial on how to write a simple custom wazuh rule to detect potential port scans on a monitored host. The setup is as follows: Wazuh manager (4.14.1) running on a Linux VM.

Safety in Zig: How Debug Allocator Works

Tue, Jan 6, 2026
Zig is not a memory-safe language. It, however, provides some tools to help avoid some memory safety issues. One of the key tools that help achieve this is the debug allocator. The debug allocator is a special memory allocator that tracks memory allocations and deallocations, helping identify memory leaks and other memory-related issues during development. Since zig isn’t a GC language and does not have a borrow checker, partly due to its design goals, the debug allocator plays a crucial role in helping avoid some memory safety issues.

Painless Guide to Linux in-Memory Execution

Thu, Dec 4, 2025
In-memory execution, a technique that allows programs to be run directly from memory without being written to disk. Over the past few weeks, I’ve been attempting to learn and understand this concept better. In a previous post, I explained my reasoning behind choosing ZYRA for obfuscation and packing. The key reason behind I could take it to whichever direction I wanted, should need arise. Safe to say, need did arise. So in this post, we’ll modify ZYRA to support in-memory execution.

Zig as a drop-in replacement for C build systems

Tue, Oct 21, 2025
A while back I wrote a small neofetch-like program in Zig as a way to learn the language. I always knew Zig could interoperate with C, as I had earlier written a yara rules parser using treesitter and Zig. Now I wanted to test my neofetch-like program in various environments, and one of those was st. St is a simple terminal emulator, part of the suckless tools. It is written in C, minimalistic and I generally liked using it.

Pack to the Future:obfuscating My C2 Agent

Tue, Sep 9, 2025
This is a follow up on my previous article. It is generally about my journey in searching for a relatively unknown and easy to understand packer to obfuscate my custom zig C2 agent. If you are generally looking for a tutorial on how to pack binaries, this is not it. I will not go into the details of how packers work, but rather share what led me to the final solution.

Reflections on Writing a Mythic C2 Agent in Zig

Mon, Jul 14, 2025
Over the past couple of months, I’ve been writing a mythic C2 implant in zig. “Why?”, you ask. Well, it’s all part of my learning process. I also wanted to understand how C2 frameworks work and how zig can be used for offensive tooling. There are lots of C2 frameworks out there and each has its own quirks and uniqueness. I happened to settle on Mythic. Mythic supports agents written in any language.

Writing a Yara Parser

Wed, Jun 18, 2025
It’s been a while since I wrote yara rules. In fact, the last time I did, I was still using vscode. I needed now to write one. So I chose to look at one of my local yara rules repo. Opened it in nvim and … no syntax highlighting. Easy fix though. Treesitter is what provides highlighting for my setup, so I did :TSInstall yara. Damn!! No yara parser. That meant I had to write a custom one.

Chaos Cryptography

Tue, May 27, 2025

hero

This article was originally published on section.io, May 2022

Chaos theory is a branch of mathematics that deals with studying non-linear dynamical systems that exhibit sensitivity to initial conditions. Chaotic conditions exist in nature. A decent and typical example of such is the weather.

Quantum Key Distribution

Fri, May 23, 2025

hero

This article was originally published on section.io, February 2022

Quantum key distribution (QKD) is an advanced sub-disciplines of quantum information technology. It aims at coming up with novel and sophisticated methods of securely exchanging cryptographic keys by use of basic quantum mechanical concepts such as entanglement and measurement.

Clearfake 2: We now have Lumma

Wed, Apr 9, 2025
I had previously written about my cutting up of clearfake which you can find here. Quick recap: We deobfuscated the powershell obtained from a fake browser update prompt. The code executed base64 encoded command with window style hidden option. The command downloaded a data.zip file. Now, the zip file is extracted, an exe is sought inside the contents and executed. Here is the code responsible for that: The zip file contains 4 files:

Security Slips: The Day I Ran Unknown Code

Fri, Mar 28, 2025
On March 25th 2025, Troy Hunt, haveibeenpwned’s author, published in his blog about how a sneaky phishing lure got hold of his mailing list. This interesting read made me reminisce about how, not so long ago, I almost fell for a similar thing, albeit mine was not so sophisticated. January 2nd 2025, 12 p.m EAT, I had just gotten home from a lengthy holiday. Being super tired I booted up my Latitude to check on a few things.

Secure Development in Neovim using Snyk

Wed, Mar 19, 2025
In my previous post I talked about how you can use snyk in your editor as you code and even added snyk-ls as a must have. I had a bit of a tough time finding the correct configuration to achieve this using Neovim. Perhaps you are, right now, on the same path as myself last year. Luckily for you, I gotchu. Before proceeding, make sure you have a snyk account and activate snyk code.

Nvim Dev

Mon, Mar 17, 2025
Here is a quick list of my Neovim setup for dev work. This includes plugins, LSPs and some handy keymaps. Plugins Telescope - Fuzzy find files quickly. No need for filetree with this one. Harpoon - Mark frequently visited files and get to them blazingly fast. Mason - This helps in installing language servers. Make sure you have mason-lspconfig.nvim and nvim-lspconfig. nvim-cmp - For completions. Make sure to also get Luasnip, cmp_luasnip, friendly-snippets and nvim-cmp-lsp.

Clearfake Malware Analysis

Mon, Mar 3, 2025
A while ago (around 7 months ago), I had obtained, through a friend, a sample of clearfake malware that was wrecking havoc in one of his friend’s servers. This post is about analysis I had done. I have been procrastinating a lot on writing it, so here it goes… Below is a screenshot of the infection method it uses, a notification to update your browser by running some powershell. I clicked copy and pasted it in Neovim.

Purplefox Analysis

Tue, Feb 25, 2025
Originally written Thu, Jun 15, 2023 A couple of months ago, I came across an intriguing .tmp file that was sent to me. The sender mentioned that their antivirus software had flagged and caught the file on their computer. Naturally, I decided to investigate further. Although the file was labeled as a .tmp file, running it through a file utility revealed that it was actually an MSI (Microsoft Software Installer) file.

About

Mon, Feb 24, 2025
Hey, I’m Ollie—a cybersecurity pro and dev diving deep into Zig, Lua, and Neovim. I tinker with low-level programming, build custom tooling, and explore malware analysis. This blog is where I share insights, experiments, and lessons learned—whether it’s writing an LSP, reverse-engineering binaries, or customizing Neovim for cybersecurity workflows. If you’re into efficient code, security research, or just making tools work your way, you’re in the right place. 🛠 Languages & Tools: Zig, Lua, Python, YARA, Sigma, Neovim

Posts

Mon, Feb 24, 2025
Writing Custom Wazuh Rules - Jan 22, 2026 Safety in Zig: How Debug Allocator Works - Jan 6, 2026 Painless Guide to Linux in-Memory Execution - Dec 4, 2025 Zig as a drop in C build systems replacement - Oct 21, 2025 Pack to the Future: Obfuscating My C2 Agent - Sep 9, 2025 Reflections on writing a mythic C2 agent in zig - Jul 14, 2025 Writing a yara parser - Jun 18, 2025 Chaos Cryptography - May 27, 2025 Quantum Key Distribution - May 23, 2025 clearfake 2: We now have lumma - Apr 9, 2025 Security slips: The day i ran unknown code - Mar 28, 2025 Secure development in nvim using snyk - Mar 19, 2025 Nvim for devs - Mar 17, 2025 Clearfake analysis pt 1 - Mar 3, 2025 Purplefox msi rootkit analysis - Feb 25, 2025