Two Seven One Three

230 posts

Two Seven One Three

@TwoSevenOneT

Chief Security Officer (CSO) || Security Researcher at https://t.co/YsorB5YEAu || Penetration Tester || Red Teamer || Social Engineering Awareness Trainer

参加日 Eylül 2024

2.1K フォロー中4.6K フォロワー

Two Seven One Three@TwoSevenOneT·12 Mar

They work harder than the sysadmin team to confige users' machines 🤣

blackorbird@blackorbird

BlackSanta EDR-Killer Operations github.com/blackorbird/AP…

English

4.6K

Two Seven One Three がリツイート

Mr.Z@zux0x3a·10 Mar

I am releasing a new toolkit I built for IIS-based lateral movement and code execution within IIS worker pool process's memory. Phantom ASPX Loader & PhantomLink -- a two-part toolkit for reflectively loading native DLLs into IIS w3wp.exe worker processes via ASPX. github.com/zux0x3a/Phanto…

GIF

English

248

13.8K

Two Seven One Three@TwoSevenOneT·8 Mar

Maybe 😟

Marmaduke@Marmaduke_IT

#Anthropic #ClaudeAI Discovers 22 Firefox Vulnerabilities in Two Weeks Bug bounty hunter🤯

English

Two Seven One Three がリツイート

Tim Blazytko@mr_phrazer·3 Mar

Recently my RE workflow moved into sandboxed VMs where agents have full control over the environment. I needed an MCP server that runs headless in the same sandbox and exposes way more of the #BinaryNinja API than others. Here's the release: github.com/mrphrazer/bina…

English

272

34.7K

Two Seven One Three がリツイート

Clandestine@akaclandestine·8 Şub

GitHub - 0xsh3llf1r3/ColdWer: Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass github.com/0xsh3llf1r3/Co…

English

124

7.9K

Two Seven One Three@TwoSevenOneT·10 Şub

@7uckzero Yes, what's important is how we make a valid service "crash". If we use a custom payload to trigger it, then the failure recovery function isn't very useful anymore.

English

Dinosaur@7uckzero·9 Şub

@TwoSevenOneT My friend told me that this technique already appeared around 2014. Regardless, it is still worth researching, as EDR solutions tend to closely monitor the SERVICE_CONFIG_FAILURE_ACTIONS flag. trustedsignal.blogspot.com/2014/05/kansa-…

English

271

Two Seven One Three@TwoSevenOneT·8 Şub

You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. #antimalware #redteam #Pentesting

English

207

14.2K

Two Seven One Three@TwoSevenOneT·8 Şub

@jamieantisocial Wild but no Life 😆

English

722

J⩜⃝mie Williams@jamieantisocial·8 Şub

@TwoSevenOneT wild.

English

1.2K

Two Seven One Three@TwoSevenOneT·8 Şub

The biggest issue when exploiting Service Failure Recovery to execute a payload is figuring out how to trigger a "crash" #securityblog #itsecurity #CyberSecurity zerosalarium.com/2026/02/Defens…

English

4.4K

Two Seven One Three@TwoSevenOneT·21 Oca

Throughout my soulless pentesting career, I have always preferred the Nday or "features" of the system over what is marketed as 0day

Janggggg@testanull

Oracle E-Business Suite Authentication Bypass & RCE (CVE-2025-61882) vred.mbbank.com.vn/p/oracle-e-bus…

English

4.9K

Two Seven One Three@TwoSevenOneT·19 Oca

@0x534c Evil demonic DNA 🙂‍↕️

Čeština

Steven Lim@0x534c·18 Oca

@TwoSevenOneT 😂 It's in your DNA.

English

403

Two Seven One Three@TwoSevenOneT·18 Oca

Every time I read a detection rule, I instinctively have devilish thoughts racing through my mind to bypass them😂

Steven Lim@0x534c

Detecting EDRStartupHinder in Microsoft Defender for Endpoint 🛑 EDRStartupHinder, developed by X @TwoSevenOneT, is a proof‑of‑concept tool that abuses Windows Bindlink to prevent Antivirus/EDR services from starting at boot. It achieves this by redirecting critical System32 DLLs, ultimately forcing protected processes to terminate themselves. zerosalarium.com/2026/01/edrsta… To support fellow defenders, I’ve crafted a Defender XDR Advanced Hunting KQL query that can be deployed in your environment to help monitor and detect potential use of EDRStartupHinder. 🫡 🔍 Stay vigilant, share knowledge, and strengthen our collective defenses. #CyberSecurity #ThreatDetection #MDE #EDRStartupHinder

English

7.1K

Two Seven One Three@TwoSevenOneT·17 Oca

@harold9850 Find another way to get around it

English

tom square@harold9850·15 Oca

@TwoSevenOneT What do you do once crowdstrike and other major vendors make a rule for this?

English

312

Two Seven One Three@TwoSevenOneT·11 Oca

You can prevent #antimalware / EDR services from running at startup by using Bindlink Github: TwoSevenOneT/EDRStartupHinder #securityvulnerability #itsecurity

English

197

13.2K

Two Seven One Three@TwoSevenOneT·12 Oca

@isDineshHere Software is becoming increasingly complex with many functions. As a result, many issues arise.

English

471

Dinesh@isDineshHere·11 Oca

@TwoSevenOneT Isn't it amazing that even today, such simple dll redirection, hijacking and simple overrides in specific registries is enough to own all security infrastructure? We tend to blame the human as the weakest link in any model. Meanwhile, literally all core software has bugs/holes.

English

666

Two Seven One Three@TwoSevenOneT·10 Ara

@Jetwitte9 You can go to CMD in Advanced Boot and delete created symlink

English

Utilisateur anonyme@Jetwitte9·9 Ara

@TwoSevenOneT How do you revert back the redirection after delete the symlink? Windef doesn't work anymore

English

Two Seven One Three@TwoSevenOneT·8 Eyl

#redteam You can exploit the update functionality vulnerability of #Windows Defender to move its executable folder to a location of your choosing. After that, you can use DLL Sideloading for persistence, inject code, or simply disable it... #blueteam

English

415

32.6K

Two Seven One Three@TwoSevenOneT·27 Kas

@vinopaljiri And OpenProcess with ALL_ACCESS 🙂‍↕️

English

418

Jiří Vinopal@vinopaljiri·26 Kas

From one "unnamed" RAT: Malware dev task: "Be innovative and make sure the file is deleted." Malware dev: "Got it, boss. Let’s delete it 10× just to be sure!" 🤡🗑️💥