Co-authored with Mandiant's Nick Carr (@ItsReallyNick).

This blog post highlights several incremental obfuscation techniques our team observed threat actors FIN7, FIN8 and APT32 using in the wild during the first half of 2017.

Release Date: 2017-06-30

Link: https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html


Co-authored with Microsoft's Lee Holmes (@Lee_Holmes).

This blog post and white paper outline the research methodology and data science techniques that Lee and I applied as we developed the Revoke-Obfuscation framework, the first Abstract Syntax Tree (AST) based PowerShell obfuscation detection framework, which we released at Black Hat USA 2017 (video) and DEF CON 25 (video).

Release Date: 2017-07-27

Link: https://www.fireeye.com/blog/threat-research/2017/07/revoke-obfuscation-powershell.html


This blog post and white paper outline the research methodology and detection development approaches that I applied during the DOSfuscation research. This is the research and white paper that I released at Black Hat Asia 2018 (video) along with the Invoke-DOSfuscation framework.

Release Date: 2018-03-23

Link: https://www.fireeye.com/blog/threat-research/2018/03/dosfuscation-exploring-obfuscation-and-detection-techniques.html