Adam Chester 🏴‍☠️

@_xpn_

Followers
32,026
Following
428
Media
2,625
Statuses
20,081

Research at

Warrington, United Kingdom
Joined January 2009
Pinned Tweet
@_xpn_
Adam Chester 🏴‍☠️
7 months
New blog post is up which looks at an unpatched vulnerability in macOS which allows us to hijack entitlements from signed binaries.. aka.. DirtyNIB.
11
127
309
@_xpn_
Adam Chester 🏴‍☠️
8 months
My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton keys, and even how to deploy a janky SAML IdP server to auth as any user for good measure.
24
394
959
@_xpn_
Adam Chester 🏴‍☠️
4 years
Want to stop ETW from giving up your loaded .NET assemblies to that pesky EDR, but can't be bothered patching memory? Just pass COMPlus_ETWEnabled=0 as an environment variable during your CreateProcess call 😂
35
376
900
@_xpn_
Adam Chester 🏴‍☠️
5 years
A quick blog post looking at how Sysmon DNS monitoring works, and how this can potentially be evaded during an engagement.
11
380
791
@_xpn_
Adam Chester 🏴‍☠️
2 years
Woah this is amazing!! I will not use this for malware… I will not use this for malware… I will not
@mariatta
Mariatta 🤦
2 years
#PyConUS2022 @pwang Keynote: Announcing Py-script!!! It's Python! inside HTML!!! 🤯
326
2K
10K
24
120
713
@_xpn_
Adam Chester 🏴‍☠️
6 years
Just pushed a new blog post documenting the process of creating an exploit for a Windows 10 kernel vulnerability. Hopefully useful for anyone looking at kernel exploitation
9
444
680
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post looking at how Cobalt Strike’s “blockdlls” command works, how to recreate it in our own payloads, and a quick look at Arbitrary Code Guard.
14
316
555
@_xpn_
Adam Chester 🏴‍☠️
5 years
New blog post is up starting a series of looking at just how Mimikatz achieves its magic, beginning with WDigest (and ending with a bit of lsass DLL loading fun).
11
297
558
@_xpn_
Adam Chester 🏴‍☠️
6 years
New blog post added showing how to exploit CVE-2018-1038 aka #TotalMeltdown for privilege escalation
5
382
547
@_xpn_
Adam Chester 🏴‍☠️
3 years
Had a bit of fun looking at weird ways to run unmanaged code in .NET. One for anyone who likes .NET internals.
14
263
548
@_xpn_
Adam Chester 🏴‍☠️
1 month
@nyxgeek Work/life balance mate, it’s Apple's way of telling you to take a break.
35
9
540
@_xpn_
Adam Chester 🏴‍☠️
5 years
New blog post exploring Windows RPC internals, reversing with Ghidra, and how we can use Neo4j to find interesting call paths.
8
268
530
@_xpn_
Adam Chester 🏴‍☠️
5 years
Spent a bit of time this weekend looking at Azure AD Connect and how this can be leveraged by RedTeam during an engagement
21
289
520
@_xpn_
Adam Chester 🏴‍☠️
1 year
Quick POC this evening looking at how LAPS (v2) passwords are stored and decrypted on Active Directory (tl;dr, msLAPS-EncryptedPassword attr and NCryptStreamUpdate for crypto)
10
191
516
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post up which shows just how we build our ActiveBreach Adversary Simulation Lab using Terraform, DSC, InSpec, AWS Systems Manager, and Gitlab CI/CD pipelines.
22
185
489
@_xpn_
Adam Chester 🏴‍☠️
5 years
New blog post is up showing how Mimilib and memssp work to harvest credentials.
3
212
437
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post looking at how we can use AWS Lambda as a redirector for Cobalt Strike.
14
188
401
@_xpn_
Adam Chester 🏴‍☠️
2 years
Quick blog post after spending the weekend looking at how Azure auth tokens are loaded into Office, how we can recover them from the Token Broker cache, and some MSA authentication RPC internals thrown in for good measure.
12
180
393
@_xpn_
Adam Chester 🏴‍☠️
1 month
New blog post is up... Identity Providers for RedTeamers. This follows my #SOCON2024 talk, and provides the technicals behind the presentation, looking at other IdPs and what techniques are effective beyond Okta.
13
153
390
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post looking at an alternative way to execute .NET code within managed processes, focusing on the debugger API. Been wanting to look at this for a while, hopefully useful for anyone who has wondered how the .NET debugging framework works.
19
183
389
@_xpn_
Adam Chester 🏴‍☠️
6 years
Added a new blog post showing a few alternative methods of grabbing SYSTEM access, hopefully useful if "getsystem" isn't an option
3
244
373
@_xpn_
Adam Chester 🏴‍☠️
2 years
I'm pretty sure that I spend a large percentage of Red Team engagements just reading internal documentation... One day I will tell tales to my grandchildren of the many Wikis that I've seen... small Wikis, big Wikis, multiple Wikis, Wikis trying not to be Wikis.
27
41
380
@_xpn_
Adam Chester 🏴‍☠️
2 years
Man I’m calling it, bye bye Cobalt Strike, hello Sliver! Not had to use CS on an engagement for a while but when you don’t wanna burn your internal stuff and need to use public tools, the pain involved around evasion for simple tasks in CS is horrible… time for something new.
22
53
381
@_xpn_
Adam Chester 🏴‍☠️
5 years
If you need an alternative way to spawn your payload rather than VBA Shell or CreateObject.., try an OLE object which both auto-opens and auto-confirms itself. Nice when combined with the ACCDE technique shown by @424f424f
2
174
372
@_xpn_
Adam Chester 🏴‍☠️
6 years
New blog post showing how to escape the sandbox used by Microsoft Office for MacOS. Hopefully useful for redteams targeting MacOS endpoints
12
213
374
@_xpn_
Adam Chester 🏴‍☠️
2 months
First con talk done. Was scarier than I thought, but in a good way! Looking forward to doing it again! Also excited that I’ll be joining @SpecterOps in April. This is a team that I’ve wanted to work with ever since the company started. I’ve used so many of their revolutionary…
50
17
378
@_xpn_
Adam Chester 🏴‍☠️
2 years
Taking a look at SCCM on this lazy Sunday evening? Of course you are, what else is there to do?! One of the things that's likely to draw your interest are just how all those user accounts are stored. Check out the SC_UserAccount table in the SQL DB.
4
99
372
@_xpn_
Adam Chester 🏴‍☠️
9 months
If you're on an engagement, keep an eye out for the SPN HTTP/<company>.kerberos.okta.com. It provides delegated auth to Okta for a compromised AD user (and usually doesn't require MFA when proxied). -spn HTTP/company.kerberos.okta.com.
4
120
363
@_xpn_
Adam Chester 🏴‍☠️
2 years
It's the weekend, so you know what that means... SCCM lab time! New blog post is up looking at some SCCM internals, how Network Access Accounts are retrieved by new clients and how we can "unobfuscate" them.
12
123
357
@_xpn_
Adam Chester 🏴‍☠️
3 years
New blog post is up looking at how .NET DLL exports work behind the scenes, and how we can use the portal created to invoke managed code.
8
139
330
@_xpn_
Adam Chester 🏴‍☠️
2 years
Using Defender to host your warez ;)
14
33
317
@_xpn_
Adam Chester 🏴‍☠️
2 years
Had a bit of PTO this week so we know what that means.. Research Time! Let's briefly explore the new Enhanced Phishing Protection feature released in 22H2. 🧵
7
73
318
@_xpn_
Adam Chester 🏴‍☠️
4 years
I quit... I'm off to become a farmer, computers suck!
29
22
308
@_xpn_
Adam Chester 🏴‍☠️
4 years
Excited to announce that today I'm joining the talented people at #TrustedSec as part of the Targeted Operations Team... this is gonna be fun!!
35
20
313
@_xpn_
Adam Chester 🏴‍☠️
2 years
Started playing around with @tiraniddo awesome Kerberos Relay research. This is just a quick Responder LLMNR patch and a very simple Python script to relay in a lab, works like a charm. Now to continue with some of the other goodies in this post🤘
2
111
306
@_xpn_
Adam Chester 🏴‍☠️
1 year
New blog post is up looking at how we can craft a memory loader for Mach-O bundles on macOS.
15
96
303
@_xpn_
Adam Chester 🏴‍☠️
2 years
New post is up on the @trustedsec blog, this time looking at how to use ProcessDeviceMap to load arbitrary DLLs into a process on start.
7
157
302
@_xpn_
Adam Chester 🏴‍☠️
2 years
Oh man this is why I've always loved the hacking scene, really isn't a "typical hacker" type outside of the movies... 55 year old cardiologist spinning out ransomware in his downtime 🤣🤣🤣
@vxunderground
vx-underground
2 years
The United States Department of Justice has charged a 55-year-old Cardiologist from Venezuela as the developer of Jigsaw Ransomware and Thanos Ransomware. Thanos Ransomware Builder is available for download on vx-underground. More info:
18
161
411
19
58
289
@_xpn_
Adam Chester 🏴‍☠️
5 years
Happy Guy Fawkes day. New blog post is up showing how we can export .NET methods from a DLL, aka, rundll32 your .NET.
5
168
294
@_xpn_
Adam Chester 🏴‍☠️
3 years
Just found another Microsoft Office sandbox escape for MacOS🍏 This one is instant as well, fire and escape 😈
10
68
288
@_xpn_
Adam Chester 🏴‍☠️
3 years
New post up on the @trustedsec blog looking at how we can patch Cobalt Strike beacon on target, blend in a little better with generated user-agents, and set C2 destinations dynamically.
11
141
289
@_xpn_
Adam Chester 🏴‍☠️
8 months
I've dumped a quick script to show how IIS decrypts AppPool credentials. Uses iisCngWasKey stored in C:\ProgramData\Microsoft\Crypto\Keys, derives a key and decrypts with BCryptDecrypt. Crypto logic is in inetsrv\nativerd.dll.
3
116
287
@_xpn_
Adam Chester 🏴‍☠️
6 years
Published a new blog post looking at the awesome Get-InjectedThread powershell tool, and reviewing potential ways we can evade detection during an assessment:
3
133
281
@_xpn_
Adam Chester 🏴‍☠️
2 months
On top of moving house, this week I handed in my notice with @TrustedSec after 3 and a half years of Red Teaming. It’s been a wild ride with an amazing group of people ( @curi0usJack , @HackingLZ and @cantcomputer are pioneers and always have your back! TargetedOps team, I’ve…
41
4
277
@_xpn_
Adam Chester 🏴‍☠️
2 years
New blog post is up looking at how SMB over QUIC works in Windows 11/2022 and looking at how easy it is to repurpose existing tooling.
5
115
267
@_xpn_
Adam Chester 🏴‍☠️
4 years
One for you folks who like a bit of .NET but want to reduce your chances of tripping ETW monitoring
15
118
268
@_xpn_
Adam Chester 🏴‍☠️
3 years
New blog post looking at Azure Application Proxy, how it works, how we can create our own connector and of course how we can use it for C2... one for you Service Bus fans ;)
4
136
265
@_xpn_
Adam Chester 🏴‍☠️
30 days
Finally made it to the team member page on @SpecterOps "About Us" page. Yes my picture looks like I work at Asda and am about to offer to carry your bags to your car... but still classing this as my win for the month 🤣
17
9
260
@_xpn_
Adam Chester 🏴‍☠️
9 months
Second blog post to finish out the week. Expanding on a previous tweet to look at how LAPS 2.0 crypto works, how the PowerShell Get-LAPSADPassword cmdlet works, and providing a quick BOF to pull and decrypt msLAPS-EncryptedPassword
2
125
259
@_xpn_
Adam Chester 🏴‍☠️
4 years
For those who were asking how this was found and how it works, I've posted a quick rundown here:
@_xpn_
Adam Chester 🏴‍☠️
4 years
Want to stop ETW from giving up your loaded .NET assemblies to that pesky EDR, but can't be bothered patching memory? Just pass COMPlus_ETWEnabled=0 as an environment variable during your CreateProcess call 😂
35
376
900
1
115
255
@_xpn_
Adam Chester 🏴‍☠️
2 years
ASR rule to harden LSASS is being turned on by default, but remember that this isn't a silver bullet, plenty of ways around this... this has to be one of my favourites 😂
6
87
256
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post is up which looks at how we can build a CI pipeline with Gitlab, Molecule and InSpec to test our RedTeam infrastructure during development.
12
103
251
@_xpn_
Adam Chester 🏴‍☠️
5 months
When you work in infosec and realise… we’re no longer the cool kids 🥲
@Benioff
Marc Benioff
5 months
Salesforce will match any OpenAI researcher who has tendered their resignation full cash & equity OTE to immediately join our Salesforce Einstein Trusted AI research team under Silvio Savarese. Send me your cv directly to ceo @salesforce .com. Einstein is the most successful…
589
2K
11K
19
20
244
@_xpn_
Adam Chester 🏴‍☠️
4 years
Created a quick POC to spoof environment variables by swapping them out on launch 😈 (similar practice to argument spoofing). Might be useful for anyone looking to test detection of COMPlus_ETWEnabled.
2
80
237
@_xpn_
Adam Chester 🏴‍☠️
5 years
Just published a blog post looking at privacy alerts in MacOS, and a potential way to subvert this using Apple signed binaries
3
99
237
@_xpn_
Adam Chester 🏴‍☠️
5 years
Quick POC to spawn a process with PROCESS_CREATION_MITIGATION_POLICY_BLOCK_NON_MICROSOFT_BINARIES_ALWAYS_ON using VBA.
2
84
234
@_xpn_
Adam Chester 🏴‍☠️
3 years
A quick post to finish out the year, looking at using the Virtualization framework on ARM64 macOS to spin up a small Linux VM for pivoting. Happy New Year!
4
85
227
@_xpn_
Adam Chester 🏴‍☠️
6 years
Continuing with the macOS security series, just published a new blog post showing how to disable macOS SIP via a code exec vulnerability in VirtualBox's vboxdrv.kext driver
1
112
224
@_xpn_
Adam Chester 🏴‍☠️
5 years
New blog post added looking at how to spoof arguments like Cobalt Strike’s “argue” command, and a weird bug which can stop ProcessExplorer from giving the game away.
2
122
223
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post looking at MacOS MACL (User-Intent) internals and how this led to CVE-2020-9968.
4
95
218
@_xpn_
Adam Chester 🏴‍☠️
5 years
When someone drops you a message to let you know your blog post helped them in one way or another... that shit right there is why you publish your research 👊
10
19
219
@_xpn_
Adam Chester 🏴‍☠️
6 years
Published a quick blog post on using Cobalt Strike’s ExternalC2 interface to create a custom C2 channel
3
120
213
@_xpn_
Adam Chester 🏴‍☠️
3 years
Love these principles from @SEKTOR7net so much, I’ve pinned them to the top of my notebook :D
3
53
215
@_xpn_
Adam Chester 🏴‍☠️
5 years
Awesome talk from @Lee_Holmes on trolling the Redteam, with some very nice Powershell tips and a few "wait, where is this going, hash table internals... ooooh that's awesome" moments... Blueteam need to turn this into a sport 😝
1
83
214
@_xpn_
Adam Chester 🏴‍☠️
6 months
Wooo! Looks like I'm giving speaking a shot, time to push outside the comfort zone 🤘
19
22
213
@_xpn_
Adam Chester 🏴‍☠️
4 years
Revisiting Azure AD Connect as the previous method of dumping the MSOL account password has changed. A few ways around this, but a fun one is to piggyback off the fact that the local sqlserver instance is running as "ADSync"... ;)
2
101
210
@_xpn_
Adam Chester 🏴‍☠️
9 months
Quick blog post drafted while satisfying my curiosity of how PNG steganography works at the byte level to wrap payloads. Sharing in case anyone else finds this interesting too!
6
69
206
@_xpn_
Adam Chester 🏴‍☠️
9 months
Today marks 3 years of working for @TrustedSec Targeted Operations team. Time flies when you’re having fun! Here’s to many more h4xx 🤘
14
5
200
@_xpn_
Adam Chester 🏴‍☠️
5 years
Second blog post up for the week, this time a look into Cylance Protect (and a very quick look at CyOptics) to see what tricks can be used to evade detection.
10
104
199
@_xpn_
Adam Chester 🏴‍☠️
1 year
The new Azure AD LAPS functionality now up in public preview. A call to the Graph API with the scope DeviceLocalCredential[.]Read[.]All is used. No additional crypto like the AD counterpart. HTTP samples are at
2
73
201
@_xpn_
Adam Chester 🏴‍☠️
3 years
Stuxnet 2.0 👀... Waitin’ for those VT hashes!
11
35
192
@_xpn_
Adam Chester 🏴‍☠️
8 months
Using EDR's built-in IR response console to execute commands and meet your redteam objectives never gets old!
13
13
189
@_xpn_
Adam Chester 🏴‍☠️
4 years
So today marks the end of my 2 and 1/2 years with @MDSecLabs . It’s been a wild ride, had the chance to work with some very talented people and learned a lot! Now to enjoy a weekend of R&R before starting the next stage of my journey, this is gonna be fun :)
31
1
183
@_xpn_
Adam Chester 🏴‍☠️
5 months
RedTeamers, what are your favourite methods of "staying sharp" with your techniques.. how do you practice?
31
8
181
@_xpn_
Adam Chester 🏴‍☠️
6 years
Few random bits I came across while looking at macOS phishing, hopefully useful for someone's redteam gig
3
80
172
@_xpn_
Adam Chester 🏴‍☠️
5 years
If you are using MiniDumpWriteDump to extract memory from lsass, remember that under the hood, it still uses ReadProcessMemory. Worth knowing if the target AV/EDR is alerting based on this.
4
67
172
@_xpn_
Adam Chester 🏴‍☠️
6 years
New blog post up, AppLocker CLM Bypass via COM. Nice mix of high-level, low-level, and .NET loading via unmanaged DLL... have fun :)
10
111
171
@_xpn_
Adam Chester 🏴‍☠️
4 years
Sat watching some Defcon vids while getting my son to sleep and seeing some of my posts being referenced as part of further research is an amazing feeling. I lack public speaking skills so honestly appreciate anyone sharing my work during their talk, made my day 🙌
12
1
168
@_xpn_
Adam Chester 🏴‍☠️
8 months
When your AWS bill grows just enough for your wife to ask "Amazon Web Services... what's this?"
9
19
167
@_xpn_
Adam Chester 🏴‍☠️
5 years
I found and reported a local privesc vuln in @KeybaseIO for MacOS. Seriously impressed with the response and how much effort they went to protect users. Details are here . HackerOne report here
3
49
160
@_xpn_
Adam Chester 🏴‍☠️
6 years
TIL navigating to file://.//pipe/ in Google Chrome gives you a list of named pipes :D
7
57
159
@_xpn_
Adam Chester 🏴‍☠️
3 years
Me To My Kids: Don't download random things from the Internet, even if it comes from someone who pretends to be your friend... No, that goes for Roblox as well... . InfoSec Twitter:
2
27
159
@_xpn_
Adam Chester 🏴‍☠️
3 years
OK, finishing up the week with a second sandbox escape for Microsoft Office on MacOS... so happy to finally get this one working😈🍎
4
18
156
@_xpn_
Adam Chester 🏴‍☠️
1 year
Quick blog post kicking off a mini series looking at how we can reimplement memory loading on macOS after Dyld started to persist memory to disk.
7
54
157
@_xpn_
Adam Chester 🏴‍☠️
4 years
New blog post up looking at ways to inject into MacOS processes by leveraging third party frameworks, focusing on .NET Core and a cheeky Electron feature to load Apfell
3
66
154
@_xpn_
Adam Chester 🏴‍☠️
6 years
Continuing our review of Windows 10 driver exploitation techniques, this post shows how to exploit a kernel NULL pointer dereference vulnerability on Windows 7 x64 and Windows 10 x32.
1
89
153
@_xpn_
Adam Chester 🏴‍☠️
4 years
Oooh this is cool research by @danyaldrew , NTLM reflection is back by waiting for the NTLM challenge cache entry to timeout... awesome post
1
79
153
@_xpn_
Adam Chester 🏴‍☠️
6 years
Updated the CVE-2018-1038 ( #TotalMeltdown ) POC with some memory checking to try and reduce chance of a BSOD. Works by querying Hardware\ResourceMap\System Resources\Physical Memory. Hack'y, but seems ok :)
5
77
151
@_xpn_
Adam Chester 🏴‍☠️
8 months
Something I love about late night research… Music on, lights down, seeing it’s 12am and repeating the mantra “Just another hour and I’ll stop”… knowing full well that it’s gonna be light outside before you actually switch off.
8
16
153
@_xpn_
Adam Chester 🏴‍☠️
5 years
Playing around with AWS Lambda as a HTTPS redirector for Cobalt Strike, seems to work very well
4
60
150
@_xpn_
Adam Chester 🏴‍☠️
6 years
If you're looking for a good source of redteam news, but can't be bothered with the BS on Twitter.. check out
1
45
150
@_xpn_
Adam Chester 🏴‍☠️
5 years
Quickly playing around with the .NET AMSI port (Early Release) and it looks like it is possible to bypass the added protections in similar ways to its Powershell counterpart
8
72
145
@_xpn_
Adam Chester 🏴‍☠️
4 years
Few nights working on this but finally found another sandbox escape for Microsoft Word on MacOS 10.15.6. Chains a few techniques, MS locked it down well since last time. Useful for a few future gigs I think ;)
6
34
137
@_xpn_
Adam Chester 🏴‍☠️
11 months
Fuck Computers!!
6
6
138
@_xpn_
Adam Chester 🏴‍☠️
9 months
If you're used to spraying to find Pre2K computer account creds, I've added a new script to pull the TGS for a computer account and check it offline.. might help to work around password spraying detection.
2
47
138
@_xpn_
Adam Chester 🏴‍☠️
4 years
Well this is awkward 😂 Nice logo tho.
@varonis
Varonis
4 years
⚠ Our research team discovered a way to exploit Pass-Through Authentication in an #O365 / #Azure environment, login as *any user* and dump credentials. READ: #Office365 #remoteworkforce #infosec #Azure #threatresearch
3
75
139
3
24
135
@_xpn_
Adam Chester 🏴‍☠️
5 years
Redteamers, what is your routine for keeping on top of your other general pentesting knowledge, such as WebSec/AppSec/Wifi Testing etc...?
22
26
131