Carrie Roberts

Red Team Distinguished Engineer, Walmart Global Tech

Twitter: @OrOneEqualsOne, Location: Idaho

Summary:

Programmer, Web Developer, Penetration Tester, Senior Red Team Engineer, Enterprise Technical Expert Defense Engineer. Passionate about learning and giving back to the community. Course author and instructor for cybersecurity classes.

Education:

2015 MS Information Security Engineering, SANS Technology Institute

2006 MS Computer Science with Distinction, California State University, Chico

1998 BS Mechanical Engineering, Oregon State University

Information Security Certifications:

• GIAC Security Expert (GSE)
• GIAC Security Professional (GSP)
• GIAC Experienced Cyber Security (GX-CS)
• GIAC Experienced Intrusion Analyst (GX-IA)
• GIAC Experienced Incident Handler (GX-IH)
• GIAC Reverse Engineering Malware (GREM)
• GIAC Certified Windows Security Administrator (GCWM)
• GIAC Certified Penetration Tester (GPEN)
• GIAC Certified Incident Handler (GCIH)
• GIAC Certified Intrusion Analyst (GCIA Gold)
• GIAC Web Application Penetration Tester (GWAPT)
• GIAC Certified Project Manager (GCPM)
• GIAC Security Essentials (GSEC Gold)
• GIAC Information Security Fundamentals (GISF)
• GIAC Mobile Device Analyst (GMOB)
• GIAC Certified Forensic Analyst (GCFA)
• CompTIA (Security+)

Work Experience:

April 2024 – Present Red Team Engineer: Distinguished Engineer, Walmart

• Red Teaming focused on e-commerce and AI platforms

2020 – Present Instructor: Attack Emulation Tools, and PowerShell for InfoSec courses, Antisyphon Training

• Course author and instructor for 16-hr Attack Emulation Tools course covering MITRE ATT&CK, Atomic Red Team, CALDERA, VECTR and more.
• Course author and instructor for 16-hr PowerShell for InfoSec course covering logging, remoting, secure administration, attack tools, bypasses, obfuscation and more.

Feb 2019 – Mar 2024 Defense Engineer: Enterprise Technical Expert, Walmart

• Defense Research and Implementation based on MITRE ATT&CK using the Atomic Red Team library of scripted attacks.
• Author detections in various security products.
• Mentor and train SOC Analysts on attack emulation and detection creation.

June 2017 – Feb 2019 Senior Red Team Engineer, Walmart

• Sophisticated Red Team campaign execution against multiple targets.
• Developed and advanced security research on topics including password spraying and VBA Stomped Office documents (as presented at DerbyCon).
• Encouraged and Participated in Joint Red/Blue Team Exercises
• Contribute to Greater Community Through Presentations, Blog Posts and Open-Source Tools

2014 – June 2017 Penetration Tester, Black Hills Information Security

• Performed a variety of Penetration Tests including detailed reporting for customers with high satisfaction rates.
• Internal, External, Web App, Physical, Social Engineering, Command & Control, Pivot, Mobile, POS
• Teaching Assistant for SANS

2011-2014 Web Application Developer with Focus on Security (Hewlett-Packard)

• Developed and maintained Ruby on Rails web applications.
• Defined web application security architecture.

2006-2010 Software Development Engineer (Hewlett-Packard)

• Developed PC software (C#), an iPhone app (Objective-C) and printer firmware (C).

1998-2005 Hardware Design Engineer (Hewlett-Packard)

Personally Developed Open-Source Tools:

• SlackExtract (PowerShell) – Download all data a slack user has access to
• Domain Password Audit Tool (Python) – Audit password usage in a domain environment
• GatherContacts (Java) - A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results
• Detect-SSLmitm (PowerShell) – Determine if internet connection is being SSL decrypted
• G-chimp (Google Apps Script) – Phishing automation via Gsuite
• Commentator (PowerShell) – Hide payloads in MS Office documents
• CookieCrimesJS (JavaScript) - A cross-platform one-liner to steal a user's cookies from Chrome
• ChromeShot (JavaScript) – Automated Web Screenshots
• OpenSSL Server Reverse Shell from Windows Client

Contributor to Open-Source Tools:

• Maintainer and #1 Contributor to the Atomic Red Team library of scripted attacks (pull requests)
• Significant Contributor to EvilClippy – a malicious document generation tool (pull requests)
• Added Resource Files and AutoRuns to PowerShell Empire (pull requests)

Personally Developed Private Tools:

• Custom Python Script for rotating attack source IPs through cloud provider to avoid password spray detection
• Custom password spraying scripts to handle custom two step login forms
• PowerShell script to allow red team to enroll a user in two-factor authentication using our own devices
• Post to Slack – A script to post a malicious attachment to a slack channel using an API token

Recent Industry Presentations:

• Continuous End-to-End Detection Validation (Sp4rkcon 2023)
• Advanced Malware VBA Stomping - What's New in 2019 (Sp4rkcon 2019)
• VBA Stomping – Advanced Malware Techniques (DerbyCon 2018)
• Extracting Data From Slack: Hackers Will, You Should Too! (Wild West Hackin’ Fest 2018, Boise Bsides 2018)
• Domain Password Audit Tool (Wild West Hackin’ Fest 2017, Boise Bsides 2019)

Blog Posts and Other Research:

• Delivered new research on VBA Stomping and related techniques (see vbastomp.com for details)
• Many blog posts on Black Hills Information Security, WalmartLabs Medium, and Tripwire
• Examples:
• VBA Stomping — Advanced Maldoc Techniques
• VBA Project Locked; Project is Unviewable
• Pesky Old-Style Macro Popups — Advanced Maldoc Techniques
• OpenSSL Server Reverse Shell from Windows Client
• SSHazam: Hide Your C2 Inside of SSH
• The RDP Through SSH Encyclopedia
• How to Bypass Anti-Virus to Run Mimikatz
• How to Crack Passwords for Password Protected MS Office Documents
• Empire Resource Files and Auto Runs
• Webcasts with Black Hills Information Security and Security Weekly
• A Hands-on XML External Entity Vulnerability Training Module SANS Whitepaper

Tools and Languages:

• Burp, Wireshark, Metasploit, Cobalt Strike, PowerShell Empire, Mimikatz, Nessus, Nmap, Volatility, Bloodhound, PowerView, Sysinternals, Kali Linux
• PowerShell, Python, Regex, C#, SQL, KQL, Bash, Visual Basic, Yara, Java, Javascript, HTML, XML, Ruby
• Proficient with Windows, Mac and Linux Operating Systems

Other 40+ hour training courses:

• Industrial Control Systems Cybersecurity Training and Red/Blue Exercise (ICS Cybersecurity 301)
• Team-Based Training - Blue Team and Red Team Dynamic Workshop (SANS TBT570)
• Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response (SANS FOR572)
• Purple Team Tactics – Adversary Emulation for Breach Prevention & Detection (SANS SEC699)
• Secure Coding (SANS - no longer offered)
• Rastalabs "Hack The Box” Pro Lab (completed all the challenges)