CS407 Forensics III / Memory Forensics - 10 week course at Southern Oregon University Spring Quarter (March - June)
Topics included: Windows Kernel structures, malware techniques, malware analysis, shellcode construction, and parsing several key elements out of memory for digital forensics and incident response utilizing Volatility.
Breaking .NET(C#) Applications: Hands-On Attack Scenario Class - NDC Oslo
This class covered attack techniques against .NET applications with a focus on Reverse Engineering and memory Hijacking. Hands-On scenarios were conducted allowing students to modify applications at Runtime and on Disk. Students left with the building blocks of developing .NET attacks.
Presentations, Publications and Community Involvement
CS 346 Computer Forensics - Memory Forensics 101 - Southern Oregon University April 27th and 28th.
Guest talk for an introduction to forensics class at SOU.
Hijacking Arbitrary .NET Application Control Flow - DEF CON 23 / BSidesPDX / SecTor
This speech will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post exploitation attacks
This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.
- Acquiring .NET Objects From the Managed Heap
- Hijacking Arbitrary .NET Application Control Flow
- DEF CON 23 Video && SecTor Video
Reverse Engineering and Attacking .NET Applications - ToorCamp
This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binaries code base. Moving forward I will show how to modify running applications with advanced .NET and assembly level attacks using open source tools I developed. By discussing internal framework structures you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.
You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.
The Trials and Tribulations of Building Your Own CTF and Shooting Gallery - BSidesPDX
It is said that “the best defense is a good offense” which means organizations and defenders need to think offensively in order to detect and evade threats. A good method for instilling an offensive mindset into defenders is to place them in offensive scenarios. This is where the CTF and Shooting Gallery concepts comes into play. By creating an internal shooting gallery in your organization, you can have an isolated playground for anyone to practice offensive security techniques. Furthermore, Capture The Flag (CTF) events are becoming increasingly popular at security conferences and inside of organizations. Unfortunately, there is a barrier of entry for those that have never played CTF before and occasionally individuals feel overwhelmed with all there is to know about participating, creating or hosting one. Over the last 2 years Topher has put together several CTF events - each being hosted in a drastically different way. This talk will cover the basics of building a shooting gallery, CTF challenges along with hosting and deploying them in order to increase organizational effectiveness and knowledge.
Trusted Platform Modules and Their Applicability to Hardware and Software Security Mitigations - IEEE HOST
This tutorial seeks to showcase the use of Trusted Platform Modules (TPM) and Trusted Execution Environments (TEE) as they pertain to providing isolated security environments and metrics usable by every major component of a platform. Hardware security implementations, modern operating systems including some of their software and firmware utilize measurements from TPMs to ensure the reliability of platforms. We will discuss Intel technologies such as Intel Trusted Execution Technology (TXT) and how it uses TPMs to measure platform components. We will also showcase how BIOS platforms utilize TPMs to ensure the SPI flash has not been tampered with and explain Intel boot guard technology. Furthermore, modern operating systems have dependencies on TPMs and we will discuss how Windows 10 uses them to ensure Virtualization Based Security (VBS) has not been tampered with. Lastly we will also discuss modern TEEs such as ARM TrustZone, and Intel SGX and how those can be used to provide secure code isolation. We will engage with the audience to showcase the usage of TPMs and TEEs by going over their history, their applicability and showing how both are used in hardware, platform firmware and on operating system security features.
BSidesPDX Presents OMSI CTF
Invited to run a CTF at the OMSI Maker Faire
While active hacking is the sexy part of red teaming, everybody knows that there is a lot of unsexy prep work prior to an engagement. A robust attack infrastructure is a complicated, yet critical, part of that prep work. . As Red Teams continue to grow in maturity, a successful engagement relies on infrastructure that is suitable for covert activities such as attack modeling and adversarial emulation while also being suitable for overt games. High quality attacks require high quality infrastructure. A single opsec failure could set an operation back days or even weeks, and in some cases might result in having to scrap the op entirely (or worse). Needing a repeatable, modular, auditable, secure and automatic infrastructure for Red Team engagements, the authors have created an easy to use deployment system with recipes so you, too, can have robustness without being tied down by deployment readiness! This presentation will provide all the tooling and automation to make these deployments simple and repeatable. Your Red Team will now be able to deploy infrastructure per engagement, providing you with opsec safety to keep your engagement rolling before the blue team hunts you down. Learn it, love it, live it.
A History of the BSidesPDX CTF - HackBoatPDX
EDR Is Coming; Hide Yo Sh!t - DEF CON 27 / ToorCon 21
There’s a new, largely unaddressed threat in the security industry today, Endpoint Detection and Response (EDR), which aims to stop threat actors in their tracks. The scenario plays out like this... At first your campaign is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you’re evicted from the environment and you lose your persistence. You and the analyst are now having a bad time. You may feel this is just fear mongering, but we assure you, the risk is real.Fortunately, we have a few new tricks up our sleeves to keep this nightmare scenario at bay. While many would have you believe that we live in a measured and signed boot Utopia on modern systems, we will show you the seedy underbelly of this Brave New World. By abusing early boot mechanisms and UEFI platform firmware, we are able to evade common detection. By showing up early to the fight, we sucker punch EDR, leaving it in a daze unable to see our malicious activities. We put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak. By leveraging these two techniques, you and the analyst can have a happy and relaxing evening. From that point on - the good ol’ days are back again! Plunder away!
C# attack platform and supporting tooling.
Automation to support a CTF in the style of PWK developed for Intel as part of a Shooting Gallery for offensive security practice.
Repeatable, modular, auditable, secure and automatic infrastructure for Red Team engagements.