Publications

All blog articles published on this website were written by me. Below you can find links to conferences I’ve presented at. I will also update this page with the most recent list of articles I published at my current employer.

Conferences

2023-10/BlueHat
Title: All Killer, No Filler: Exploring the current state of EDR killers
Recording: https://youtu.be/w7wy9QX_pJ4?si=4UpEhweGurb84Ydg

2023-10/BlueHat
Title: Signed, Sealed, Delivered: The Rise of Signed Malicious Drivers
Recording: https://youtu.be/1l45-Y48Zf0?si=K_5UvkIq6ikve9D8

2020-12/BotConf
Title: A detailed look into the Mozi P2P IoT botnet
Recording: https://youtu.be/HGYpymyXvio?si=OGdJOMPj6sFmHe-M

2018/DO!Hack 2018
Title: Malware in the internet of things sector
Recording: https://youtu.be/90IFnG2aUzM?si=YS85EK_cR7KwzT3O

Articles Released At Sophos X-Ops Blog

2023-04
Title: ‘AuKill’ EDR killer malware abuses Process Explorer driver
Description: Analysis of an EDR killer dubbed AuKill that abuses a vulnerable version of the Process Explorer driver to disable EDR products
Link: https://news.sophos.com/en-us/2023/04/19/aukill-edr-killer-malware-abuses-process-explorer-driver/

2022-12
Title: Signed driver malware moves up the software trust chain
Description: Discovered how threat actors managed to compromise Microsoft’s signing process
Link: https://news.sophos.com/en-us/2022/12/13/signed-driver-malware-moves-up-the-software-trust-chain/

2022-10
Title: Remove All The Callbacks – BlackByte Ransomware Disables EDR Via RTCore64.sys Abuse
Description: Analysis of how BlackByte disables EDR products via abuse of the legitimate vulnerable driver RTCore64.sys
Link: https://news.sophos.com/en-us/2022/10/04/blackbyte-ransomware-returns/

2022-04
Title: Attacking Emotet’s Control Flow Flattening
Description: Deobfuscation of Emotet’s Control Flow Flattening
Link: https://news.sophos.com/en-us/2022/05/04/attacking-emotets-control-flow-flattening/