Adam Chester 🏴‍☠️🎃 @_xpn_ Twitter profile

Pinned Tweet

Adam Chester 🏴‍☠️🎃

22 days

New tool published which is proving to be useful. Cred1py allows execution of the CRED-1 SCCM attack published by @Raiona_ZA over SOCKS5 UDP by wrapping the awesome from @0xcsandker . Enjoy :)

GitHub - SpecterOps/cred1py: A Python POC for CRED1 over SOCKS5

A Python POC for CRED1 over SOCKS5. Contribute to SpecterOps/cred1py development by creating an account on GitHub.

github.com

5

163

425

Last Seen Profiles

@abocanervosa

@prettyylili_

@yuan_lian61592

@xiobi88767545

@RepMax1890

@SAINTMAXIMIN00

@CursedAni

@faexbabe

@sakurafk1314

@jonas_vandis

@LCG0215

@kuro_blospo

@tdrauae

@bishoplad1

@FajarSatritam11

@VmaniakJ

@gobchang91890

@yafhbdoih

@BinorRaja

@killa_kilkenny

@mistermatt79

@515Weston

@Memz_art

@NoTrueFact

@OussPl

@Lulunilx

@vmsuarez88

@najedelee

@BinorRaja

@510njpw

@ya71742

@stwmaniax

@jiawen_cai

@Ignafn

@Proud_Milfs

@babybeoni

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth as any user for good measure.

Okta for Red Teamers

www.trustedsec.com

25

389

951

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Want to stop ETW from giving up your loaded .NET assemblies to that pesky EDR, but can't be bothered patching memory? Just pass COMPlus_ETWEnabled=0 as an environment variable during your CreateProcess call 😂

35

373

890

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

A quick blog post looking at how Sysmon DNS monitoring works, and how this can potentially be evaded during an engagement.

@_xpn_ - Evading Sysmon DNS Monitoring

blog.xpnsec.com

11

381

784

Adam Chester 🏴��☠️🎃

@_xpn_

2 years

Woah this is amazing!! I will not use this for malware… I will not use this for malware… I will not

Mariatta 🤦

@mariatta

3 years

#PyConUS2022 @pwang Keynote: Announcing Py-script!!! It's Python! inside HTML!!! 🤯

318

2K

10K

24

120

709

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

Just pushed a new blog post documenting the process of creating an exploit for a Windows 10 kernel vulnerability. Hopefully useful for anyone looking at kernel exploitation

9

442

677

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post looking at how Cobalt Strike’s “blockdlls” command works, how to recreate it in our own payloads, and a quick look at Arbitrary Code Guard.

@_xpn_ - Protecting Your Malware with blockdlls and ACG

blog.xpnsec.com

14

315

550

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post is up starting a series of looking at just how Mimikatz achieves its magic, beginning with WDigest (and ending with a bit of lsass DLL loading fun).

@_xpn_ - Exploring Mimikatz - Part 1 - WDigest

blog.xpnsec.com

11

297

555

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

New blog post added showing how to exploit CVE-2018-1038 aka #TotalMeltdown for privilege escalation

@_xpn_ - Exploiting CVE-2018-1038 - Total Meltdown

blog.xpnsec.com

5

380

539

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

Had a bit of fun looking at weird ways to run unmanaged code in .NET. One for anyone who likes .NET internals.

@_xpn_ - Weird Ways to Run Unmanaged Code in .NET

blog.xpnsec.com

14

259

539

Adam Chester 🏴‍☠️🎃

@_xpn_

7 months

@nyxgeek Work/life balance mate, it’s Apples way of telling you to take a break.

33

9

523

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post exploring Windows RPC internals, reversing with Ghidra, and how we can use Neo4j to find interesting call paths.

@_xpn_ - Analysing RPC With Ghidra and Neo4j

blog.xpnsec.com

8

268

529

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

Spent a bit of time this weekend looking at Azure AD Connect and how this can be leveraged by RedTeam during an engagement

@_xpn_ - Azure AD Connect for Red Teamers

blog.xpnsec.com

21

289

517

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Quick POC this evening looking at how LAPS (v2) passwords are stored and decrypted on Active Directory (tl;dr, msLAPS-EncryptedPassword attr and NCryptStreamUpdate for crypto)

10

190

511

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post up which shows just how we build our ActiveBreach Adversary Simulation Lab using Terraform, DSC, InSpec, AWS Systems Manager, and Gitlab CI/CD pipelines.

22

185

484

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post is up showing how Mimilib and memssp work to harvest credentials.

@_xpn_ - Exploring Mimikatz - Part 2 - SSP

blog.xpnsec.com

3

212

433

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post looking at how we can use AWS Lambda as a redirector for Cobalt Strike.

@_xpn_ - AWS Lambda Redirector

blog.xpnsec.com

14

187

399

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Quick blog post after spending the weekend looking at how Azure auth tokens are loaded into Office, how we can recover them from the Token Broker cache, and some MSA authentication RPC internals thrown in for good measure.

@_xpn_ - WAM BAM - Recovering Web Tokens From Office

blog.xpnsec.com

12

180

393

Adam Chester 🏴‍☠️🎃

@_xpn_

7 months

New blog post is up... Identity Providers for RedTeamers. This follows my #SOCON2024 talk, and provides the technicals behind the presentation, looking at other IdP's and what techniques are effective beyond Okta.

@_xpn_ - Identity Providers for RedTeamers

blog.xpnsec.com

13

155

384

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

New blog post looking at an alternative way to execute .NET code within managed processes, focusing on the debugger API. Been wanting to look at this for a while, hopefully useful for anyone who has wondered how the .NET debugging framework works.

@_xpn_ - Debugging into .NET

blog.xpnsec.com

19

180

388

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

Added a new blog post showing a few alternative methods of grabbing SYSTEM access, hopefully useful if "getsystem" isn't an option

3

243

370

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Man I’m calling it, bye bye Cobalt Strike, hello Sliver! Not had to use CS on an engagement for a while but when you don’t wanna burn your internal stuff and need to use public tools, the pain involved around evasion for simple tasks in CS is horrible… time for something new.

22

52

382

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

New blog post showing how to escape the sandbox used by Microsoft Office for MacOS. Hopefully useful for redteams targeting MacOS endpoints

12

212

375

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

If you need an alternative way to spawn your payload rather than VBA Shell or CreateObject.., try an OLE object which both auto-open and auto-confirm’s itself. Nice when combined with ACCDE technique shown by @424f424f

2

174

370

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

I'm pretty sure that I spend a large percentage of Red Team engagements just reading internal documentation... One day I will tell tales to my grandchildren of the many Wiki's that I've seen... small Wiki's, big Wiki's, multiple Wiki's, Wiki's trying not to be Wiki's.

27

38

372

Adam Chester 🏴‍☠️🎃

@_xpn_

8 months

First con talk done. Was scarier than I thought, but in a good way! Looking forward to doing it again! Also excited that I’ll be joining @SpecterOps in April. This is a team that I’ve wanted to work with ever since the company started. I’ve used so many of their revolutionary

50

17

373

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Taking a look at SCCM on this lazy Sunday evening? Of course you are, what else is there to do?! One of the things that's likely to draw your interest are just how all those user accounts are stored. Check out the SC_UserAccount table in the SQL DB.

4

97

372

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

If you're on an engagement, keep an eye out for the SPN HTTP/<company>.kerberos.okta.com. It provides delegated auth to Okta for a compromised AD user (and usually doesn't require MFA when proxied). -spn HTTP/company.kerberos.okta.com.

4

118

361

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

It's the weekend, so you know what that means... SCCM lab time! New blog post is up looking at some SCCM internals, how Network Access Accounts are retrieved by new clients and how we can "unobfuscate" them.

@_xpn_ - Exploring SCCM by Unobfuscating Network Access Accounts

blog.xpnsec.com

12

122

354

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

New blog post is up looking at how .NET DLL exports work behind the scenes, and how we can use the portal created to invoke managed code.

@_xpn_ - The .NET Export Portal

blog.xpnsec.com

8

137

328

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

Using Defender to host your warez ;)

14

33

312

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

New blog post is up which looks at an unpatched vulnerability in macOS which allows us to hijack entitlements from signed binaries.. aka.. DirtyNIB.

@_xpn_ - MacOS "DirtyNIB" Vulnerability

blog.xpnsec.com

12

129

317

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Had a bit of PTO this week so we know what that means.. Research Time! Let's briefly explore the new Enhanced Phishing Protection feature released in 22H2. 🧵

7

73

316

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

I quit... I'm off to become a farmer, computers suck!

29

22

306

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Excited to announce that today I'm joining the talented people at #TrustedSec as part of the Targeted Operations Team... this is gonna be fun!!

35

20

309

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

Started playing around with @tiraniddo awesome Kerberos Relay research. This is just a quick Responder LLMNR patch and a very simple Python script to relay in a lab, works like a charm. Now to continue with some of the other goodies in this post🤘

2

110

307

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

New blog post is up looking at how we can craft a memory loader for Mach-O bundles on macOS.

@_xpn_ - Building a Custom Mach-O Memory Loader for macOS - Part 1

blog.xpnsec.com

15

93

300

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

New post is up on the @trustedsec blog, this time looking at how to use ProcessDeviceMap to load arbitrary DLL's into a process on start.

Object Overloading: A Novel Approach to Sneaking Malicious DLLs into…

www.trustedsec.com

7

156

301

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

Happy Guy Fawkes day. New blog post is up showing how we can export .NET methods from a DLL, aka, rundll32 your .NET.

5

167

292

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Oh man this is why I've always loved the hacking scene, really isn't a "typical hacker" type outside of the movies... 55 year old cardiologist spinning out ransomware in his downtime 🤣🤣🤣

vx-underground

@vxunderground

2 years

The United States Department of Justice has charged a 55-year-old Cardiologist from Venezuela as the developer of Jigsaw Ransomware and Thanos Ransomware. Thanos Ransomware Builder is available for download on vx-underground. More info:

18

162

403

19

58

287

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

New post up on the @trustedsec blog looking at how we can patch Cobalt Strike beacon on target, blend in a little better with generated user-agents, and set C2 destinations dynamically.

11

140

287

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

Just found another Microsoft Office sandbox escape for MacOS🍏 This one is instant as well, fire and escape 😈

10

68

284

Adam Chester 🏴‍☠️🎃

@_xpn_

4 months

My first talk finally landed on YouTube from @SpecterOps #socon24 , looking forward to doing it again on a new topic (but can’t bring myself to watch it back 😂)

Identity Providers for Red Teamers - Adam Chester [SO-CON 2024]

It’s rare to find organisations who haven’t dipped their toe into the world of cloud-based Identity Providers. Whether it’s Okta, Ping, Entra ID, or the myri...

www.youtube.com

3

91

288

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

I've dumped a quick script to show how IIS decrypts AppPool credentials. Uses iisCngWasKey stored in C:\ProgramData\Microsoft\Crypto\Keys, derives a key and decrypts with BCryptDecrypt. Crypto logic is in inetsrv\nativerd.dll.

3

115

282

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

Published a new blog post looking at the awesome Get-InjectedThread powershell tool, and reviewing potential ways we can evade detection during an assessment:

@_xpn_ - Understanding and Evading Get-InjectedThread

blog.xpnsec.com

3

133

281

Adam Chester 🏴‍☠️🎃

@_xpn_

3 months

To all you newbies out there getting into this industry and being worried about not knowing enough.. Unfortunately I'm here to tell you that imposter syndrome never stops! Enjoy what you do and stay humble, because you'll always doubt your skillz... That is all.

9

43

282

Adam Chester 🏴‍☠️🎃

@_xpn_

8 months

On top of moving house, this week I handed in my notice with @TrustedSec after 3 and a half years of Red Teaming. It’s been a wild ride with an amazing group of people ( @curi0usJack , @HackingLZ and @cantcomputer are pioneers and always have your back! TargetedOps team, I’ve

41

4

274

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

New blog post is up looking at how SMB over QUIC works in Windows 11/2022 and looking at how easy it is to repurpose existing tooling.

Making SMB Accessible with NTLMquic

www.trustedsec.com

5

116

267

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

One for you folks who like a bit of .NET but want to reduce your chances of tripping ETW monitoring

15

118

263

Adam Chester 🏴‍☠️🎃

@_xpn_

3 months

I mean… you can’t say Crowdstrike go in half-arsed 😂

42

20

260

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

New blog post looking at Azure Application Proxy, how it works, how we can create our own connector and of course how we can use it for C2... one for you Service Bus fans ;)

Azure Application Proxy C2

www.trustedsec.com

4

133

262

Adam Chester 🏴‍☠️🎃

@_xpn_

7 months

Finally made it to the team member page on @SpecterOps "About Us" page. Yes my picture looks like I work at Asda and am about to offer to carry your bags to your car... but still classing this as my win for the month 🤣

17

9

258

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

Second blog post to finish out the week. Expanding on a previous tweet to look at how LAPS 2.0 crypto works, how the PowerShell Get-LAPSADPassword cmdlet works, and provided a quick BOF to do pull and decrypt msLAPS-EncryptedPassword

@_xpn_ - LAPS 2.0 Internals

blog.xpnsec.com

2

124

259

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

ASR rule to harden LSASS is being turned on by default, but remember that this isn't a silver bullet, plenty of ways around this... this has to be one of my favourites 😂

6

86

255

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

For those who were asking how this was found and how it works, I've posted a quick rundown here:

@_xpn_ - Hiding your .NET - COMPlus_ETWEnabled

blog.xpnsec.com

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Want to stop ETW from giving up your loaded .NET assemblies to that pesky EDR, but can't be bothered patching memory? Just pass COMPlus_ETWEnabled=0 as an environment variable during your CreateProcess call 😂

35

373

890

1

114

251

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

New blog post is up which looks at how we can build a CI pipeline with Gitlab, Molecule and InSpec to test our RedTeam infrastructure during development.

12

103

250

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Created a quick POC to spoof environment variables by swapping them out on launch 😈 (similar practice to argument spoofing). Might be useful for anyone looking to test detection of COMPlus_ETWEnabled.

2

80

234

Adam Chester 🏴‍☠️🎃

@_xpn_

11 months

When you work in infosec and realise… we’re no longer the cool kids 🥲

Marc Benioff

@Benioff

11 months

Salesforce will match any OpenAI researcher who has tendered their resignation full cash & equity OTE to immediately join our Salesforce Einstein Trusted AI research team under Silvio Savarese. Send me your cv directly to ceo @salesforce .com. Einstein is the most successful

600

2K

11K

17

20

239

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

Just published a blog post looking at privacy alerts in MacOS, and a potential way to subvert this using Apple signed binaries

@_xpn_ - Bypassing MacOS Privacy Controls

blog.xpnsec.com

3

100

231

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

Quick POC to spawn a process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON using VBA.

2

84

230

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

A quick post to finish out the year, looking at using the Virtualization framework on ARM64 macOS to spin up a small Linux VM for pivoting. Happy New Year!

@_xpn_ - Bring Your Own VM - Mac Edition

blog.xpnsec.com

4

83

226

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

Continuing with the macOS security series, just published a new blog post showing how to disable macOS SIP via a code exec vulnerability in VirtualBox's vboxdrv.kext driver

1

111

223

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

New blog post added looking at how to spoof arguments like Cobalt Strike’s “argue” command, and a weird bug which can stop ProcessExplorer from giving the game away.

@_xpn_ - How to Argue like Cobalt Strike

blog.xpnsec.com

2

122

222

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

New blog post looking at MacOS MACL (User-Intent) internals and how this led to CVE-2020-9968.

@_xpn_ - We Need To Talk About MACL

blog.xpnsec.com

4

95

217

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

When someone drops you a message to let you know your blog post helped them in one way or another... that shit right there is why you publish your research 👊

10

19

218

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

Awesome talk from @Lee_Holmes on trolling the Redteam, with some very nice Powershell tips and a few "wait, where is this going, hash table internals... ooooh that's awesome" moments... Blueteam need to turn this into a sport 😝

Lee Holmes - HoneyBotting: Extracting confessions from client-side...

Conference Home Page: www.psconf.euConference Videos: powershell.videoConference Materials: https://github.com/psconfeu

www.youtube.com

1

82

213

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

Published a quick blog post on using Cobalt Strike’s ExternalC2 interface to create a custom C2 channel

@_xpn_ - Exploring Cobalt Strike's ExternalC2 framework

blog.xpnsec.com

3

119

211

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

Love these principals from @SEKTOR7net so much, I’ve pinned them to the top of my notebook :D

3

53

213

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

Wooo! Looks like I'm giving speaking a shot, time to push outside the comfort zone 🤘

Register for SO-CON 2025 | SpecterOps

SO-CON 2025: Secure your spot for the conference and training in Arlington, VA. Early bird tickets available until December 1. Register now and save!

specterops.io

19

22

211

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

Revisiting Azure AD Connect as the previous method of dumping the MSOL account password has changed. A few ways around this, but a fun one is to piggyback off the fact that the local sqlserver instance is running as "ADSync"... ;)

2

101

210

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

Quick blog post drafted while satisfying my curiosity of how PNG steganography works at the byte level to wrap payloads. Sharing in case anyone else finds this interesting too!

@_xpn_ - PNG Steganography from First Principles

blog.xpnsec.com

6

69

203

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

Second blog post up for the week, this time a look into Cylance Protect (and a very quick look at CyOptics) to see what tricks can be used to evade detection.

Silencing Cylance: A Case Study in Modern EDRs - MDSec

As red teamers regularly operating against mature organisations, we frequently come in to contact with a variety of Endpoint Detection & Response solutions. To better our chances of success in...

www.mdsec.co.uk

10

104

197

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

Today marks 3 years of working for @TrustedSec Targeted Operations team. Time flies when you’re having fun! Here’s to many more h4xx 🤘

14

5

197

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

First wave of phishing pretext generator… this is gonna be fun!!

GitHub - lucasmccabe/emailGPT: a quick and easy interface to generate emails with ChatGPT

a quick and easy interface to generate emails with ChatGPT - lucasmccabe/emailGPT

github.com

1

67

197

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

The new Azure AD LAPS functionality now up in public preview. A call to the Graph API with the scope DeviceLocalCredential[.]Read[.]All is used. No additional crypto like the AD counterpart. HTTP samples are at

2

73

196

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Stuxnet 2.0 👀... Waitin’ for those VT hashes!

11

36

188

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

Using EDR's built in IR response console to execute commands and meet your redteam objectives never gets old!

13

12

188

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

So today marks the end of my 2 and 1/2 years with @MDSecLabs . It’s been a wild ride, had the chance to work with some very talented people and learned a lot! Now to enjoy a weekend of R&R before starting the next stage of my journey, this is gonna be fun :)

31

1

181

Adam Chester 🏴‍☠️🎃

@_xpn_

6 months

My new favourite technical drawing tool is Excalidraw.. Just the right amount of unprofessionalism to keep the inner anarchist alive.

7

5

182

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

Oooh this is cool, MiniDumpWriteDump via rundll32

MiniDumpWriteDump via COM+ Services DLL

Introduction This will be a very quick code-oriented post about a DLL function exported by comsvcs.dll that I was unable to find any reference to online. UPDATE: Memory Dump Analysis Anthology Volu…

modexp.wordpress.com

3

62

179

Adam Chester 🏴‍☠️🎃

@_xpn_

11 months

RedTeamers, what are you favourite methods of "staying sharp" what your techniques.. how do you practice?

30

8

178

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

Few random bits I came across while looking at macOS phishing, hopefully useful for someones redteam gig

@_xpn_ - macOS Research Outtakes - File Extensions

blog.xpnsec.com

3

79

173

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

New blog post up, AppLocker CLM Bypass via COM. Nice mix of high-level, low-level, and .NET loading via unmanaged DLL... have fun :)

AppLocker CLM Bypass via COM - MDSec

Constrained Language Mode is a method of restricting PowerShell’s access to functionality such as Add-Type, or many of the reflective methods which can be used to leverage the PowerShell runtime...

www.mdsec.co.uk

10

111

171

Adam Chester 🏴‍☠️🎃

@_xpn_

3 months

TAs wondering why their callbacks failed this morning!

1

24

169

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

If you are using MiniDumpWriteDump to extract memory from lsass, remember that under the hood, it still uses ReadProcessMemory. Worth knowing if the target AV/EDR is alerting based on this.

4

67

169

Adam Chester 🏴‍☠️🎃

@_xpn_

3 months

@vxunderground For the last few days we've been wondering if they would show.. now we have our answer. The poor dudes and dudettes working on the booth though 😖

6

0

166

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Sat watching some Defcon vids while getting my son to sleep and seeing some of my posts being referenced as part of further research is an amazing feeling. I lack public speaking skills so honestly appreciate anyone sharing my work during their talk, made my day 🙌

12

1

168

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

I found and reported a local privesc vuln in @KeybaseIO for MacOS. Seriously impressed with the response and how much effort they went to protect users. Details are here . HackerOne report here

3

49

159

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

When your AWS bill grows just enough for your wife to ask "Amazon Web Services... what's this?"

9

17

163

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

TIL navigating to file://.//pipe/ in Google Chrome gives you a list of named pipes :D

7

56

156

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

Me To My Kids: Don't download random things from the Internet, even if it comes from someone who pretends to be your friend... No, that goes for Roblox as well... . InfoSec Twitter:

2

25

157

Adam Chester 🏴‍☠️🎃

@_xpn_

3 years

OK, finishing up the week with a second sandbox escape for Microsoft Office on MacOS... so happy to finally get this one working😈🍎

4

18

156

Adam Chester 🏴‍☠️🎃

@_xpn_

2 years

Quick blog post kicking off a mini series looking at how we can reimplement memory loading on macOS after Dyld started to persist memory to disk.

@_xpn_ - Restoring Dyld Memory Loading

blog.xpnsec.com

7

53

155

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

Continuing our review of Windows 10 driver exploitation techniques, this post shows how to exploit a kernel NULL pointer dereference vulnerability on Windows 7 x64 and Windows 10 x32.

1

89

153

Adam Chester 🏴‍☠️🎃

@_xpn_

4 years

New blog post up looking at ways to inject into MacOS processes by leveraging third party frameworks, focusing on .NET Core and a cheeky Electron feature to load Apfell

MacOS Injection via Third-Party Frameworks

www.trustedsec.com

3

67

153

Adam Chester 🏴‍☠️🎃

@_xpn_

5 years

Oooh this is cool research by @danyaldrew , NTLM reflection is back by waiting for the NTLM challenge cache entry to timeout... awesome post

1

79

153

Adam Chester 🏴‍☠️🎃

@_xpn_

7 years

Updated the CVE-2018-1038 ( #TotalMeltdown ) POC with some memory checking to try and reduce chance of a BSOD. Works by querying Hardware\ResourceMap\System Resources\Physical Memory. Hack'y, but seems ok :)

5

78

151

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

Playing around with AWS Lambda as a HTTPS redirector for Cobalt Strike, seems to work very well

CobaltStrike beaconing via AWS Lambda

null

www.youtube.com

4

60

150

Adam Chester 🏴‍☠️🎃

@_xpn_

6 years

If your looking for a good source of redteam news, but can't be bothered with the BS on Twitter.. check out

r/redteamsec

A subreddit dedicated to red and blue teaming content. Discussions @ https://discord.gg/mTvPzuT - Twitter: @r_redteamsec & @domchell

www.reddit.com

1

45

149

Adam Chester 🏴‍☠️🎃

@_xpn_

1 year

Something I love about late night research… Music on, lights down, seeing it’s 12am and repeating the mantra “Just another hour and I’ll stop”… knowing full well that it’s gonna be light outside before you actually switch off.

8

15

150