Instructor
2015
CS407 Forensics III / Memory Forensics - 10-week course at Southern Oregon University, Spring Quarter (March - June)
Topics included: Windows Kernel structures, malware techniques, malware analysis, shellcode construction, and parsing several key elements out of memory for digital forensics and incident response utilizing Volatility.
Breaking .NET(C#) Applications: Hands-On Attack Scenario Class - NDC Oslo
This class covered attack techniques against .NET applications with a focus on reverse engineering and memory hijacking. Hands-on scenarios allowed students to modify applications at runtime and on disk. Students left with the building blocks for developing .NET attacks.
Presentations, Publications and Community Involvement
2015
CS 346 Computer Forensics - Memory Forensics 101 - Southern Oregon University April 27th and 28th.
Guest talk for an introduction to forensics class at SOU.
Hijacking Arbitrary .NET Application Control Flow - DEF CON 23 / BSidesPDX / SecTor
This talk will demonstrate attacking .NET applications at runtime. I will show how to modify running applications with advanced .NET and assembly-level attacks that alter the control flow of any .NET application. New attack techniques and tools will be released to allow penetration testers and attackers to carry out advanced post-exploitation attacks.
This presentation gives an overview of how to use these tools in a real attack sequence and gives a view into the .NET hacker space.
- Acquiring .NET Objects From the Managed Heap
- Hijacking Arbitrary .NET Application Control Flow
- Slides
- Tools
- DEF CON 23 Video && SecTor Video
2016
BSidesPDX CTF
Ran the annual Capture the Flag (CTF) at BSidesPDX. Wrote challenges, coordinated other challenge writers, managed the infrastructure, and ensured integrity of the event.
Reverse Engineering and Attacking .NET Applications - ToorCamp
This talk will demonstrate reverse engineering and attacking .NET applications. I will start by discussing reverse engineering as it pertains to .NET and show how to get a glimpse into a binary's code base. Moving forward, I will show how to modify running applications with advanced .NET and assembly-level attacks using open source tools I developed. By discussing internal framework structures, you will leave understanding why and how these attacks work. You will also be able to implement defense and attack scenarios in test cases.
You will leave with an overview of how to use reverse engineering to discover weaknesses in .NET applications and how to leverage those as an attacker.
2017
BSidesPDX CTF
Ran the annual Capture the Flag (CTF) at BSidesPDX. Wrote challenges, coordinated other challenge writers, managed the infrastructure, and ensured integrity of the event.
The Trials and Tribulations of Building Your Own CTF and Shooting Gallery - BSidesPDX
It is said that “the best defense is a good offense”, which means organizations and defenders need to think offensively in order to detect and evade threats. A good method for instilling an offensive mindset in defenders is to place them in offensive scenarios. This is where the CTF and Shooting Gallery concepts come into play. By creating an internal shooting gallery in your organization, you can have an isolated playground for anyone to practice offensive security techniques. Furthermore, Capture The Flag (CTF) events are becoming increasingly popular at security conferences and inside organizations. Unfortunately, there is a barrier to entry for those who have never played a CTF before, and individuals occasionally feel overwhelmed by all there is to know about participating in, creating or hosting one. Over the last 2 years Topher has put together several CTF events, each hosted in a drastically different way. This talk will cover the basics of building a shooting gallery and CTF challenges, along with hosting and deploying them in order to increase organizational effectiveness and knowledge.
Trusted Platform Modules and Their Applicability to Hardware and Software Security Mitigations - IEEE HOST
This tutorial seeks to showcase the use of Trusted Platform Modules (TPM) and Trusted Execution Environments (TEE) as they pertain to providing isolated security environments and measurements usable by every major component of a platform. Hardware security implementations and modern operating systems, including some of their software and firmware, utilize measurements from TPMs to ensure the reliability of platforms. We will discuss Intel technologies such as Intel Trusted Execution Technology (TXT) and how it uses TPMs to measure platform components. We will also showcase how BIOS platforms utilize TPMs to ensure the SPI flash has not been tampered with, and explain Intel Boot Guard technology. Furthermore, modern operating systems have dependencies on TPMs, and we will discuss how Windows 10 uses them to ensure Virtualization Based Security (VBS) has not been tampered with. Lastly, we will discuss modern TEEs such as ARM TrustZone and Intel SGX and how those can be used to provide secure code isolation. We will engage with the audience to showcase the usage of TPMs and TEEs by going over their history and their applicability, and by showing how both are used in hardware, platform firmware and operating system security features.
2018
BSidesPDX CFP Review Board
Co-chair of the review board for the annual BSidesPDX conference.
BSidesPDX Presents OMSI CTF
Invited to run a CTF at the OMSI Maker Faire.
BSidesPDX CTF
Ran the annual Capture the Flag (CTF) at BSidesPDX. Wrote challenges, coordinated other challenge writers, managed the infrastructure, and ensured integrity of the event.
Playing With Your Food (Red Vs Blue) - Red Team Summit
This presentation will cover the Red Blue Games program that the Red Team has built. Attendees will learn about the program and the various benefits it provides to the blue and red teams including increased organizational effectiveness, prioritized focused areas, and security infrastructure enhancements.
2019
Attack Infrastructure for the Modern Red-Team - CanSecWest
While active hacking is the sexy part of red teaming, everybody knows that there is a lot of unsexy prep work prior to an engagement. A robust attack infrastructure is a complicated, yet critical, part of that prep work. As Red Teams continue to grow in maturity, a successful engagement relies on infrastructure that is suitable for covert activities such as attack modeling and adversarial emulation while also being suitable for overt games. High quality attacks require high quality infrastructure. A single opsec failure could set an operation back days or even weeks, and in some cases might result in having to scrap the op entirely (or worse). Needing a repeatable, modular, auditable, secure and automatic infrastructure for Red Team engagements, the authors have created an easy-to-use deployment system with recipes so you, too, can have robustness without being tied down by deployment readiness! This presentation will provide all the tooling and automation to make these deployments simple and repeatable. Your Red Team will now be able to deploy infrastructure per engagement, providing you with opsec safety to keep your engagement rolling before the blue team hunts you down. Learn it, love it, live it.
A History of the BSidesPDX CTF - HackBoatPDX
The Capture The Flag (CTF) competition has become a cornerstone of BSidesPDX, challenging and inspiring both seasoned professionals and newcomers to test their CTF skills. This talk delves into the history of the BSidesPDX CTF, exploring its origins, growth, and evolving design.
BSidesPDX CTF Framework
Framework published to the BSidesPDX GitHub repo to streamline CTF challenge creation as well as passing the torch of leadership over to the next individuals.
BSidesPDX CFP Review Board
Chair of the review board for the annual BSidesPDX conference.
EDR Is Coming; Hide Yo Sh!t - DEF CON 27 / ToorCon 21
There’s a new, largely unaddressed threat in the security industry today, Endpoint Detection and Response (EDR), which aims to stop threat actors in their tracks. The scenario plays out like this... At first your campaign is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you’re evicted from the environment and you lose your persistence. You and the analyst are now having a bad time. You may feel this is just fear mongering, but we assure you, the risk is real. Fortunately, we have a few new tricks up our sleeves to keep this nightmare scenario at bay. While many would have you believe that we live in a measured and signed boot Utopia on modern systems, we will show you the seedy underbelly of this Brave New World. By abusing early boot mechanisms and UEFI platform firmware, we are able to evade common detection. By showing up early to the fight, we sucker punch EDR, leaving it in a daze, unable to see our malicious activities. We put a new twist on old code injection techniques and maintain persistence in UEFI firmware, making an effective invisibility cloak. By leveraging these two techniques, you and the analyst can have a happy and relaxing evening. From that point on - the good ol’ days are back again! Plunder away!
Red Team Infrastructure Panel (Panelist) - Red Team Summit
The discussion will begin with an exploration of the initial stages of infrastructure development, emphasizing the importance of creating versatile and realistic environments that can mimic a variety of threat actors and attack scenarios. Panelists will share their experiences and best practices in setting up infrastructure that not only challenges existing security measures but also adheres to legal and ethical standards. Panelists will discuss the challenges of keeping the infrastructure covert and resilient against defensive measures, while also ensuring it remains effective and relevant to current threat landscapes. This panel is not just an informative session, but a catalyst for dialogue among red teams. It aims to foster a deeper understanding of the strategic and operational aspects of red team infrastructure. Attendees will leave with valuable insights and practical knowledge to enhance their organizations' red team operations.
2020
BSidesPDX CFP Review Board
Member of the review board for the annual BSidesPDX conference.
2021
Remote Red Teaming Panel (Panel Moderator) - Red Team Summit
The global pandemic forced rapid and unprecedented shifts in how Red Team engagements are performed, accelerating the adoption of remote red teaming. This panel explores the challenges, innovations, and lessons learned from conducting red team operations in a fully remote environment. Industry experts will discuss evolving threat landscapes, operational security, collaboration across distributed teams, and tooling adaptations.
2022
Red Team Reporting and Remediation Panel (Panel Moderator) - Red Team Summit
There are a few discussions within Red Teams across the industry that come up time and time again: how to conduct reporting, how to obtain engagement buy-in, and how to handle findings. This panel serves to showcase how 5 different organizations, ranging from newly formed to mature, handle these program-related areas.
BSidesPDX CFP Review Board
Member of the review board for the annual BSidesPDX conference.
2023
When EDR Is Stupid; You Don’t Need to be Smart - HushCon / Red Team Summit
The majority of Red Teams are now going up against Endpoint Detection and Response (EDR) tooling which aims to stop threat actors in their tracks. The scenario plays out like this... At first your engagement is going well and your attacker objectives are being met. Then, your lovingly crafted payloads become analyst samples, you’re evicted from the environment and you lose your persistence. You and the analyst are now having a bad time.
What if I told you there were numerous ways in which EDR is significantly lacking and you don't need to worry about it? Having looked at several EDR platforms in the last year, I found that many succumb to the same limitations, lack detective capability, and blatantly ignore off-the-shelf TTPs! In this talk I will go over several ways that EDR completely falls apart, how to bypass it, and how you can avoid your payload becoming an analyst's sample.
2024
Red Team Infrastructure Panel (Panelist) - Red Team Summit
The discussion will begin with an exploration of the initial stages of infrastructure development, emphasizing the importance of creating versatile and realistic environments that can mimic a variety of threat actors and attack scenarios. Panelists will share their experiences and best practices in setting up infrastructure that not only challenges existing security measures but also adheres to legal and ethical standards. Panelists will discuss the challenges of keeping the infrastructure covert and resilient against defensive measures, while also ensuring it remains effective and relevant to current threat landscapes. This panel is not just an informative session, but a catalyst for dialogue among red teams. It aims to foster a deeper understanding of the strategic and operational aspects of red team infrastructure. Attendees will leave with valuable insights and practical knowledge to enhance their organizations' red team operations.
Keeping the Red Team Mission on Track Panel (Panel Moderator) - Red Team Summit
Institutionalization is the antithesis of Red Teaming - a Red Team needs to be able to conduct its mission without being swallowed whole by the organization. This panel will discuss how Red Teams across the industry keep their mission, or fail to keep it, on track with an ever-growing list of demands from an organization. All Red Teams are at the behest of their organization and its needs/demands, but oftentimes a Red Team needs to be enabled to choose its own path for engagements and workload. Panelists will share their experiences leading Red Teams and how they handle balancing business demand against the team choosing its own adventure.
2025
Turning Sh*t Burgers into Gold Nuggets - Red Team Summit
What do you do when your executive leadership comes to your team and asks you to do what seems like an impossible task, in a tight timeframe, or a task that is not necessarily within your team's limited, but always expanding, scope? Well, you say yes of course, and you eat that burger. It happens all at once, the layers of crud just keep piling up, and you're just gonna have to eat it. While Sh!t Burgers may seem like a curse, they often have tremendous value for the organization.
This talk will discuss the dynamic between Red Teams and organizational priorities, and cover engagements that shed light on how a Red Team can be impactful after organizational shifts, while telling a story of empowerment, of change in ICs' mindsets as a result of listening, and of being a force for change.
Organizational Involvement
BSidesPDX 501(c)3 Board
Treasurer of the BSides Portland 501(c)3 board from 2018 to 2022.
Projects
Gray Kernel
C# attack platform and supporting tooling.
Shooting Gallery
Automation to support a CTF in the style of PWK, developed for Intel as part of a Shooting Gallery for offensive security practice.
Red Team Attack Infrastructure
Repeatable, modular, auditable, secure and automatic infrastructure for Red Team engagements.
Course Work
SANS SEC760: Advanced Exploit Development for Penetration Testers
Completed in July 2021
SpecterOps Adversary Tactics: Red Team Operations
Completed in 2018