Log inSign up
Aurélien Chalot
1,691 posts
user avatar
Aurélien Chalot
@Defte_
Hacker, sysadmin and security researcher @OrangeCyberdef 💻 Calisthenic enthousiast 💪 and wannabe philosopher t.ly/9NPk0 📖 🔥 Hide&Sec 🔥
The grid
blog.whiteflag.io
Joined November 2017
488
Following
4,341
Followers

New to X?

Sign up now to get your own personalized timeline!

Create account

By signing up, you agree to the Terms of Service and Privacy Policy, including Cookie Use.

Terms·Privacy·Cookies·Accessibility·Ads Info·© 2026 X Corp.
Don't miss what's happening
People on X are the first to know.
Log inSign up
  • Pinned
    user avatar
    Aurélien Chalot
    @Defte_
    Sep 23, 2025
    Dumping LSASS is old school. If an admin is connected on a server you are local admin on, just create a scheduled task asking for a certificate on his behalf, get the cert, get its privs. All automatized in the schtask_as module for NetExec 🥳🥳🥳
    72K
  • user avatar
    Aurélien Chalot
    @Defte_
    Apr 14, 2025
    You have got a valid NTLM relay but SMB and LDAP are signed, LDAPS has got Channel Binding and ESC8 is not available... What about WinRMS ? :D Blogpost: sensepost.com/blog/2025/is-t… Tool: github.com/fortra/impacke… And also, big thanks to jmk (Joe Mondloch) for the collab' :D!
    31K
  • user avatar
    Aurélien Chalot
    @Defte_
    Jul 1, 2024
    So I just learnt Windows DOES A LSA HIVES BACKUPS PERIODICALY!!!!! How is it possible I learn this after 5 years of internal assessments (french ressource malekal.com/windows-10-act…)
    88K
  • user avatar
    Aurélien Chalot
    @Defte_
    Jul 22, 2024
    I have seen lot of stupid things lately concerning CS, EDR's and Windows drivers. I wrote a, not so bad I guess, long blog post explaining how to build a windows driver, why EDR's need them, and how EDR's work, might be helpful 🤪
    blog.whiteflag.io
    From Windows drivers to a almost fully working EDR
    In this article we will see how Windows drivers work, how to create one and, in the end, we will develope a custom EDR that will rely on kernel callback functions, static analysis and API hooking.
    36K
  • user avatar
    Aurélien Chalot
    @Defte_
    Oct 4, 2024
    TIL that if you change a AD user's password, there will be a 3 to 5 minutes time window during which both passwords are valid in order to let password synchronization occurs. Meaning that if a user you compromised an account for changes its password, you can still roll it back :D
    34K
  • user avatar
    Aurélien Chalot
    @Defte_
    Feb 11, 2025
    While doing internal assessments, I was often able to bypass EDR's because of them trusting legitimate binaries. In this blogpost I'll show why trust is wrong creating a python wrapper for PsExeSVC.exe (M$) and explain why zero trust is mandatory! tinyurl.com/4vr94skf
    28K
  • user avatar
    Aurélien Chalot
    @Defte_
    Oct 12, 2024
    Working on some NetExec modules I realized that on Windows you can get a list of recently modified files looking at the %appdata%\Roaming\Microsoft\Windows\Recent folder. New NXC module coming soon 👀
    32K
  • user avatar
    Aurélien Chalot
    @Defte_
    Sep 27, 2024
    During internal assessments I realized that the most difficult part is to detect all subnets. Running nmap is good but long . So what if we let computers and servers talk to us instead and monitor incoming packets ? (1/2)
    45K
  • user avatar
    Aurélien Chalot
    @Defte_
    Jan 31, 2024
    It's finally out: from a Windows driver to a fully functionnal driver. In this blogpost we'll go through the history of EDR's, how they used to work, how they work now and how we can build a fully functionnal one. Last step is a chall, bypass MyDumbEDR sensepost.com/blog/2024/sens…
    28K
  • user avatar
    Aurélien Chalot
    @Defte_
    Jun 10, 2024
    This repo is a masterpiece if you wanna try vulnerabilities on easy to mount labs github.com/vulhub/vulhub
    18K
  • user avatar
    Aurélien Chalot
    @Defte_
    Jul 23, 2024
    Super interesting way of blinding EDR's consoles!!
    tierzerosecurity.co.nz
    Tier Zero Security
    Information Security Services. Offensive Security, Penetration Testing, Mobile and Application, Purple Team, Red Team
    14K
  • user avatar
    Aurélien Chalot
    @Defte_
    Mar 28, 2024
    TIL that if the guest account of an Active Directory is enabled you can use it to coerce servers on whatever you want (hello there esc8): 🤯🤯🤯🤯
    24K
  • user avatar
    Aurélien Chalot
    @Defte_
    Oct 5, 2023
    As you may already know the SMB protocol of CME was able to execute commands via a scheduled task (thanks to atexec.py):
    49K
  • user avatar
    Aurélien Chalot
    @Defte_
    May 29, 2024
    Wanna blindly check if the ADCS web enroll is installed on a domain ? Bruteforce the /certenroll endpoint without the trailing/ on all webservers. If you hit the ADCS web enroll you will get a location: /certenroll/ header in the response. Now enjoy blind ntlmrelayx ESC8👀👀👀
    40K