All Articles


Washington D.C

CDI SANS Cyber Defense Initiative (CDI) is held in DC each year, and it’s usually the last big SANS event of the year. I truly wished that I had more time to explore this place! However, getting up at 7am, sitting in class ‘til 5/6pm, and then attending the night talks, and participating in Netwars pretty much took up the full day (everyday) during my entire week. Despite that, I did get to explore on the very last day with a few of my old coworkers from Target! We went on a little tour of DC and it was a blast! :)


This class was one of my favorite class that I have ever taken. It was very content heavy, and I felt like I’ve learned a tons EACH day after class. The demographic was pretty diversified…from professional reverse engineers, to hobbyist, to complete beginner. The week went something like this:

Day 1 was an intro to malware analysis. We were taught static malware analysis through analyzing the PE headers, and behavioral analysis through tools like ProcMon, ProcDot, Process Hacker, reg shot…etc. Essentially, seeing what type of network does a malware make once it run, what additional files does it download, what does it add to the registry, what information does it tries to collect or send. FOR610

Day 2 was ALL assembly. We went over the stack, all the registers, how data are stored, different instructions, control flow, and how to use and navigate around IDA and x32/64dbg. Honestly, I ended the day feeling like my brain was going to explode :’). FOR610

Day 3 was on analyzing malicious documents such as word docs, pdfs, rtf, and Javascript. FOR610

Day 4 was in-depth malware analysis. We went over how to recognize packed malware, how to unpack malware, how to use a debugger to dump running process memory to read strings and produce the unpacked malware. We went over code injection, API hooking, and also malware memory forensics. FOR610

Day 5 was on self-defending malware and how they hide. It was pretty interesting to see how they can detect whether or not if they are currently running in a sandbox and stay dormant if so, or exhibit different behaviors to make it difficult to be analyzed. They do this through enumerating through the process list, expect some type of click, calculate the time it’s going from one instruction to the next (tick time) because if it’s taking too long then it’s being debugged…etc. FOR610

Day 6 was a CTF to tie together all of the concepts learned in class over the past week!

I learned SO much this week, and would absolutely recommend this class to anyone who’s interested. I understand a lot more about how to read API’s documentation to see what values are being passed around (bless MSDN), how malware hook into different API, how it inject code into different processes and tries to avoid detection. I took away the ability to correlate and understand how some EDR tools work. It made me realized how some EDR platform would alert on false positives on some benign software as they probably have some wrapper around sensitive processes that often get hooked into (lsass, smss, mshta, etc…) and fire an alert if it detect a program that does that (although, it could just be people writing bad software! :))

Netwars - Tournament of Champions

For those who have won a Netwars CORE event before, this is THE event where SANS invite all the winners together to compete for the very top spot! Right before the event, they held a little happy hour/social event for all the invited players to network and form groups. I was stuck in my malware class until 5:30pm, so I only got to snuck out for 5 mins to check in and grab my stuffs. Look at ALL this swags I got from this event… CDI

Overall, super fun trip! My brain is pretty darn fried and I need to take a nap for the next 10 days or so.