1. X
  2. Adam Chester πŸ΄β€β˜ οΈ
Log inSign up
Adam Chester πŸ΄β€β˜ οΈ
22.6K posts
Image
user avatar
Adam Chester πŸ΄β€β˜ οΈ
@_xpn_
TRACE at @SpecterOps | Blog at blog.xpnsec.com
Warrington, United Kingdom
blog.xpnsec.com
Joined January 2009
533
Following
38.8K
Followers
RepliesRepliesMediaMedia

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

TermsΒ·PrivacyΒ·CookiesΒ·AccessibilityΒ·Ads InfoΒ·Β© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • Pinned
    user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Jun 24
    First blog post in a mini series where I look at "disposable tooling". This post shares what I have found to be useful when 1-shot'ing LLM generated Stage-0 agents for Mythic.
    Image
    Disposable Tooling: Building LLM-Generated Mythic Agents from Prompt to Deployment
    From specterops.io
    33K
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Sep 18, 2023
    My Okta for Red Teamers post is up! We look at how Kerberos SSO works, how to intercept credentials via a fake AD Agent, decrypting AD Agent tokens, adding skeleton key's, and even how to deploy a janky SAML IdP server to auth as any user for good measure.
    Learn how to bypass Okta's security measures using post-exploitation techniques, including Delegated Authentication, AD Agent Hijacking, and Fake SAML Provider deployment.
    Okta for Red Teamers
    From trustedsec.com
    99K
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Jun 5, 2020
    Want to stop ETW from giving up your loaded .NET assemblies to that pesky EDR, but can't be bothered patching memory? Just pass COMPlus_ETWEnabled=0 as an environment variable during your CreateProcess call πŸ˜‚
    Image
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Jun 15, 2019
    A quick blog post looking at how Sysmon DNS monitoring works, and how this can potentially be evaded during an engagement.
    Image
    @_xpn_ - Evading Sysmon DNS Monitoring
    From blog.xpnsec.com
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    May 1, 2022
    Woah this is amazing!! I will not use this for malware… I will not use this for malware… I will not
    user avatar
    Mariatta 🀦
    @mariatta
    Apr 30, 2022
    #PyConUS2022 @pwang Keynote: Announcing Py-script!!! It's Python! inside HTML!!! 🀯
    Image
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Nov 27, 2017
    Just pushed a new blog post documenting the process of creating an exploit for a Windows 10 kernel vulnerability. Hopefully useful for anyone looking at kernel exploitation blog.xpnsec.com/windows-warbir…
    Image
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Nov 22, 2024
    This hack is brilliant, APT28 hopping into a target environment over wifi by compromising neighbouring companies and finding a dual-homed host within range. volexity.com/blog/2024/11/2… And yet... they got caught doing this!
    Image
    89K
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Nov 4, 2019
    New blog post looking at how Cobalt Strike’s β€œblockdlls” command works, how to recreate it in our own payloads, and a quick look at Arbitrary Code Guard.
    Image
    @_xpn_ - Protecting Your Malware with blockdlls and ACG
    From blog.xpnsec.com
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    May 10, 2019
    New blog post is up starting a series of looking at just how Mimikatz achieves its magic, beginning with WDigest (and ending with a bit of lsass DLL loading fun).
    Image
    @_xpn_ - Exploring Mimikatz - Part 1 - WDigest
    From blog.xpnsec.com
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Apr 23, 2018
    New blog post added showing how to exploit CVE-2018-1038 aka #TotalMeltdown for privilege escalation
    blog.xpnsec.com
    @_xpn_ - Exploiting CVE-2018-1038 - Total Meltdown
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    May 5, 2021
    Had a bit of fun looking at weird ways to run unmanaged code in .NET. One for anyone who likes .NET internals.
    Image
    @_xpn_ - Weird Ways to Run Unmanaged Code in .NET
    From blog.xpnsec.com
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Mar 25, 2024
    Replying to @nyxgeek
    Work/life balance mate, it’s Apples way of telling you to take a break.
    38K
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Aug 1, 2019
    New blog post exploring Windows RPC internals, reversing with Ghidra, and how we can use Neo4j to find interesting call paths.
    Image
    @_xpn_ - Analysing RPC With Ghidra and Neo4j
    From blog.xpnsec.com
  • user avatar
    Adam Chester πŸ΄β€β˜ οΈ
    @_xpn_
    Feb 18, 2019
    Spent a bit of time this weekend looking at Azure AD Connect and how this can be leveraged by RedTeam during an engagement
    Image
    @_xpn_ - Azure AD Connect for Red Teamers
    From blog.xpnsec.com
Advertisement
Advertisement