Detection and Response

  • Detection and Response: Cross-platform file analysis framework, breaking a crypter with Z3, Linux distro for investigations and OSINT, making data-driven incident response decisions, free malware analysis course from the University of Cincinnati

0xsha / florentino
A cross-platform file analysis framework, useful for extracting static resources from malware and for analyzing unknown files.

Breaking TA505’s Crypter with an SMT Solver
“We know the output for the first iteration being a compressed binary will be ‘M8Z\x90’ so we can construct our problem in Z3 and let it solve what the XOR key should be. After solving for the XOR key we just decode the data and write out the decompressed file.”
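The quote describes the core trick: encode "the first bytes of the decoded layer must be a known magic" as constraints and let the solver produce the key. Below is an added example (written for this write-up, not the article's code and not TA505's actual crypter) that models one layer of such a crypter as repeating-key XOR over a compressed PE whose stream is known to begin with `M8Z\x90`, recovers the key with Z3, and also checks whether the known prefix pins the key uniquely, which is the question a practitioner has to answer before trusting the decode. It assumes the `z3-solver` package (`pip install z3-solver`); if Z3 is not importable it falls back to a byte-wise brute force for the same XOR model. The sample ciphertext and the key `de ad be ef` are constructed for the example.

```python
"""Known-plaintext recovery of a crypter's XOR key, modelled as an SMT problem.

Constructed example (not the article's code, not TA505's real crypter): one
layer of the crypter XORs a compressed PE with a short repeating key, and the
compressed stream is known to begin with b"M8Z\\x90". Requires
`pip install z3-solver`; without z3 a byte-wise brute force is used instead.
"""
from itertools import product

try:
    import z3
except ImportError:  # fallback so the example still runs without z3
    z3 = None

KNOWN_PREFIX = b"M8Z\x90"  # first bytes of the compressed PE (from the quote)


def xor_layer(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encoding and decoding are the same operation."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def _keys_z3(ciphertext, known_prefix, key_len, limit):
    """Enumerate up to `limit` keys with ct[i] ^ key[i % n] == pt[i]."""
    key = [z3.BitVec(f"k{i}", 8) for i in range(key_len)]
    s = z3.Solver()
    for i, p in enumerate(known_prefix):
        s.add(z3.BitVecVal(ciphertext[i], 8) ^ key[i % key_len] == p)
    found = []
    while len(found) < limit and s.check() == z3.sat:
        m = s.model()
        # model_completion=True assigns a value even to unconstrained key bytes
        vals = [m.eval(k, model_completion=True).as_long() for k in key]
        found.append(bytes(vals))
        # block this solution so the next check() must yield a different key
        s.add(z3.Or([k != v for k, v in zip(key, vals)]))
    return found


def _keys_bruteforce(ciphertext, known_prefix, key_len, limit):
    """Same constraints solved byte-by-byte (XOR key bytes are independent)."""
    per_byte = []
    for j in range(key_len):
        positions = range(j, len(known_prefix), key_len)
        cands = [k for k in range(256)
                 if all(ciphertext[i] ^ k == known_prefix[i] for i in positions)]
        if not cands:
            return []  # contradictory constraints: wrong key length or model
        per_byte.append(cands)
    found = []
    for combo in product(*per_byte):
        if len(found) >= limit:
            break
        found.append(bytes(combo))
    return found


def recover_keys(ciphertext, known_prefix=KNOWN_PREFIX, key_len=4, limit=5):
    """Return candidate keys (at most `limit`). Exactly one result means the
    known prefix pins the key; several mean more known plaintext is needed;
    none means the model (or key length) is wrong."""
    solve = _keys_z3 if z3 is not None else _keys_bruteforce
    return solve(ciphertext, known_prefix, key_len, limit)


def peel_layer(ciphertext, known_prefix=KNOWN_PREFIX, key_len=4):
    """Recover the key and decode one layer; refuse to guess if ambiguous."""
    keys = recover_keys(ciphertext, known_prefix, key_len, limit=2)
    if len(keys) != 1:
        raise ValueError(f"{len(keys)} candidate keys; need more known plaintext")
    return keys[0], xor_layer(ciphertext, keys[0])


if __name__ == "__main__":
    # Constructed sample: a fake "compressed PE" behind a 4-byte XOR layer.
    inner = KNOWN_PREFIX + bytes(range(0x10, 0x40))
    blob = xor_layer(inner, b"\xde\xad\xbe\xef")
    key, decoded = peel_layer(blob)
    print(key.hex(), decoded == inner)
    # With an 8-byte key and only 4 known bytes the key is under-determined:
    print(len(recover_keys(blob, key_len=8, limit=5)))
```

The decoded bytes would then go to the real decompressor and the loop repeats for the next layer. The uniqueness check matters more than it looks: with a 4-byte magic and a 4-byte key the solver has exactly one model, but any longer key (or a key schedule with more state) leaves free variables, and Z3 will happily hand back the first of billions of equally valid models unless you block and re-check as above.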

Meet CSI Linux: A Linux Distro For Cyber Investigation And OSINT
A part of me read this title and immediately thought of CSI: Cyber, a modern CBS classic in which computer security is represented accurately and never over-hyped, a show devastatingly canceled after only 2 seasons. See CSI Linux’s full tool list here.

How to Make Data-Based Decisions During Incident Response: OODA for DFIR 2020
The talk focuses on the “D” in OODA, and presents some nice ideas around having the right framework and mental model for making decisions. Lately I’ve been really appreciating “teaching you how to fish” posts like this, as they help you generalize, rather than posts that are, “I did X and got Y result.”

CS6038/CS5138 Malware Analysis
As someone who mostly grew up in Cincinnati, it’s neat to see the University of Cincinnati releasing some cool security curriculum for free online. This class aims to introduce attendees to malware concepts, types of malware, common attack recipes, and black-box reverse engineering techniques.