Behavior-Centric Malware Analysis Through Multi-Stage Processing and ATT&CK Correlation
2025-12-28
In this project, a malware analysis system is built on a three-layer architecture designed to move beyond basic detection into deep behavioral interpretation and MITRE ATT&CK mapping. Each layer operates independently but remains tightly integrated, enabling the pipeline to progress from raw execution signals to high-level threat intelligence. This structure allows not only classification of malicious samples, but also the extraction of behavioral insights that support investigation, threat hunting, and automated TTP (Tactics, Techniques, Procedures) identification.
Preventing Nmap OS Fingerprinting Using Snort Rules
2025-04-21
When it comes to network security, one of the first things an attacker usually does is try to figure out what operating system you’re running. Tools like Nmap make this super easy with OS fingerprinting — it sends a bunch of weirdly crafted packets to your machine, and based on how your system responds, it can make a pretty good guess about your OS. In this post, I’ll show you how I used Snort in inline mode to block those sneaky Nmap probes. I captured some traffic, broke down how Nmap does its thing, and wrote a bunch of Snort rules to stop it in its tracks. It’s a hands-on walkthrough — perfect if you’re experimenting with intrusion detection systems or just want to level up your blue team skills.
A Deep Dive into Fileless Malware Detection
2025-03-12
Traditional antivirus solutions struggle against a new breed of cyber threats: fileless malware, which operates entirely in system memory, leaving no trace on disk. These attacks bypass conventional detection methods, making them one of the most dangerous challenges in cybersecurity today. Facing this challenge, Argus is an advanced early-stage fileless malware detection system that leverages deep learning and the MITRE ATT&CK framework to identify threats before they escalate. By analyzing memory snapshots in real time, Argus can detect malicious activity in its pre-operational phase, preventing devastating data breaches. The proposed Argus system for early-stage fileless malware detection consists of two key architectural components: the Feature Explainer and the Early-Stage Detector. Its operational workflow involves these two phases working in tandem.
Process Injection
2025-03-01
Tactics: Defense Evasion, Privilege Escalation. Technique: Process Injection.
Transformation-based Evasion Strategy
2025-02-12
Malware developers have continuously evolved their techniques to bypass antivirus systems. Their evasion strategies primarily fall into three categories: Transformation-based, Concealment-based, and Attack-based, as illustrated in the image below (figure: Transformation-based Evasion Strategy). To effectively counter these evasion strategies, it is crucial to understand how they work. For example, some malware variants insert excessive NOP instructions to increase their file size, helping them bypass size-based detection thresholds used by antivirus scanners.
DMLDroid: Deep Multimodal Fusion Framework for Android Malware Detection with Resilience to Code Obfuscation and Adversarial Perturbations
2025-01-28
Android malware poses a significant threat to mobile security, with attackers constantly evolving their techniques to evade detection. Traditional single-modality approaches often struggle to capture the diverse characteristics of malicious applications.
