The FireEye FLARE team’s newest contribution to the malware analysis community, FLOSS, is an open-source tool to automatically detect, extract, and decode obfuscated strings in Windows Portable Executable files. FLOSS helps fight against malware authors who commonly obfuscate strings in their programs to deter static and dynamic analysis, and can extract strings that are deobfuscated by decoding routines, while recovering stackstrings and obtaining all static strings.Read more...
Entries filed under 'William Ballenthin'
Threat Research Blog
The FireEye Labs team posts blog entries under threat research to present and discuss cyber attacks and threat intelligence from a technical perspective. They cover the full spectrum of exploits and vulnerabilities, including advanced malware and targeted threats.
Automatically Extracting Obfuscated Strings from Malware using the FireEye Labs Obfuscated String Solver (FLOSS)June 23, 2016 9:00 AM By Moritz Raabe, William Ballenthin | Threat Research, Advanced Malware
August 8, 2015 2:45 PM By William Ballenthin, Matthew Graeber, Claudiu Teodorescu | Threat Research
FireEye has recently seen a surge in attacker use of Windows Management Instrumentation (WMI) to carry out objectives such as system reconnaissance, remote code execution, persistence, lateral movement, covert data storage, and VM detection.Read more...
October 10, 2012 6:55 PM By William Ballenthin
September 18, 2012 7:23 PM By William Ballenthin
July 21, 2011 12:05 AM By William Ballenthin
Recently, I wanted to dig deep into a forensic artifact resident in the Windows Registry. To make the task more interesting, I challenged myself to use only tools native to my favorite operating system: Linux. I was quickly disappointed, however, as there are few open and cross-platform tools for Windows Registry forensics beyond Perl's Win32::Registry. So, I wrote a tool to fill this void using Python - my favorite programming language. Python-registry is the result of this effort, and provides convenient access to Windows Registry files. Since it is pure Python, it can be used on all major operating systems.Read more...