Welcome — What to Expect (RE, Malware Analysis, Blue Team, DFIR)

What you’ll find here: reverse engineering, malware analysis, detection engineering/blue team, and DFIR — with defender-ready outputs.

This space is where I (0xFR0STY) publish hands-on notes and write-ups from my labs. You’ll find reverse engineering, malware analysis, detection engineering / blue team, and DFIR content aimed at practical defense. I’ll be digging deeper into the blue-team realm as I go.

Certifications & Education

Education: see the About page for degree details and ongoing study.

  • CompTIA Security+ (SY0-601) — 10/2023
  • GIAC Reverse Engineering Malware (GREM) // SANS FOR610 — 11/2024
  • GIAC Certified Forensic Analyst (GCFA) // SANS FOR508 — 07/2025

What you’ll see here

Malware Analysis

  • Static triage: file metadata, packing/obfuscation clues, strings/imports, config-extraction approaches, and IOCs.
  • Dynamic behavior: process tree, persistence, registry/artifacts, filesystem impact, and network activity.
  • Threat mapping: relating behaviors to MITRE ATT&CK techniques and families/campaigns when appropriate.
  • Takeaways for defenders: detection ideas, containment tips, and what actually matters in production.

Reverse Engineering (RE)

  • Disassembly/decompilation workflows (Ghidra/IDA), function discovery, API usage, and control-flow reasoning.
  • Unpacking/deobfuscation at a high level (when legal/ethical/safe), focused on analysis—not enabling misuse.
  • Protocol/config understanding: C2 formats, crypto usage, and data structures for better detections.
  • Small tooling: helper scripts/snippets that accelerate analysis or artifact parsing for blue-team tasks.

Blue Team & Detection Engineering

  • Detections: Sigma rules, Splunk/KQL queries, and Sysmon coverage (with event IDs, fields, and rationale).
  • Telemetry strategy: what to log, where to enrich, and how to reduce noise while keeping high signal.
  • Validation: how I test rules (benign simulations, replay, or lab detonation) and measure detection quality.
  • Hunt notes: pivots that worked, mistakes to avoid, and what I’d operationalize.

DFIR (Digital Forensics & Incident Response)

  • Triage playbooks: quick decisions, scoping, and containment checklists.
  • Forensics: timeline building (e.g., bodyfile/plaso), memory basics (Volatility-style thinking), and artifact parsing.
  • Case structure: notes templates, evidence handling, and reporting that’s useful to stakeholders.
  • Lessons learned: what I’d change next time to shorten dwell time or improve recovery.

How I work (tools & approach)

  • Tooling: Ghidra/IDA, x64dbg, Sysmon, Sigma, Splunk, YARA, and small Python utilities for parsing/analysis.
  • Focus: clear reasoning, annotated screenshots/snippets, and defender-ready outputs (queries/rules/IOCs).
  • Repeatability: I outline environment assumptions and provide hashes/behavioral summaries so you can reproduce safely.

Safety, scope, and ethics

  • No weaponization: I don’t publish step-by-step instructions to create or deploy malware.
  • Sample handling: hashes and redacted links only; do not execute samples outside an isolated lab.
  • Defender-first: content is written to improve defense, detection, and response—not misuse.

Posts will carry tags like reverse-engineering, malware-analysis, dfir, detection-engineering, sysmon, yara, splunk, etc., so you can filter by interest. I’ll also maintain an Archives page and an About tab with quick links to popular series.

What’s next

  • A short RE note walking through static → dynamic triage of a recent sample and turning that into a Sigma rule.
  • A DFIR mini-playbook for workstation triage with artifact hints and a Splunk search bundle.
  • A YARA rationale post: when to write it, where to deploy it, and how to avoid brittle rules.

If there’s something you want prioritized—specific families, telemetry questions, or detection gaps—reach out and I’ll queue it up. Stay frosty. 🧊

This post is licensed under CC BY 4.0 by the author.