otter
42 posts


A single bit flip in kernel memory can completely disable an ETW provider. No crash. No alert. The EDR just stops seeing events.
This post walks through every telemetry source EDRs rely on and how each one works at the kernel level. ETW providers, driver callbacks, object callbacks, registry callbacks. The kernel structures behind them, how to find them in memory with WinDbg, and what an attacker can manipulate.
Hidden ETW providers invisible to user-land enumeration. Zeroing callback arrays to blind Sysmon. Loading DLLs without triggering image load notifications. Executing payloads through fibers without generating thread creation events. Flipping single bits to disable monitoring entirely.
If you are building detections, you need to understand what telemetry you are trusting and how easily it can be taken away from you.
blog.otterpwn.com/research/In-de…
Author: @OtterHacker
#DetectionEngineering #WindowsInternals #InfoSec




English
otter retweetledi

A deep dive into ETW providers and how EDRs consume telemetry under the hood.
Blog:- blog.otterpwn.com/research/In-de…
Blog by @0xtter
#windows #telemetry #etw #basics


English

@OtterHacker @whokilleddb @IntCyberDigest will do. all we need now is a sponsorship from @osec_io to complete the otter ritual
English

@whokilleddb @IntCyberDigest Yup, not me, but thank you for the free attribution, @0xtter can you add me as a principal contributor on this project to come full circle ? 🤣
English

Someone released what is basically an offline VirusTotal without burning your payload: a security researcher reverse-engineered four major EDRs (SentinelOne, Cortex XDR, CrowdStrike, and Sophos) and extracted their detection logic from on-disk agent binaries, ML models, YARA rules, and behavioral scripts.
The project rebuilds the kernel telemetry stack those products run on, including Windows process, thread, registry, and handle callbacks plus a file-system minifilter. It even reconstructs access to the ETW Threat Intelligence provider that Windows normally reserves for protected anti-malware processes. Thus, both the detection rules and the sensor layer can be replicated outside the vendor’s agent.

English
otter retweetledi

New full episode of 'whoami' podcast. I had the opportunity to talk with @C5pider , author of Havoc & Havoc Pro. I had a great time learning from one of the best c2/malware devs out there. Check it out for some awesome insights.
English

X censorship is insane and full of false positives.
@nikitabier. Is posting hoodie pics are illegal on X ?
In the security community we are getting far too many false positives with posts are locked and even suspensions because of the post. We’re not interested in politics or yapping about other people. We use X to learn skills and share quality research & blogs to learn.
There’s clearly something broken at X right now. Please investigate and resolve this issue. otherwise, quality researchers will inevitably shift to other platforms.
Thank you ! Please share this as much as possible so it can reach the @X Head of Product @nikitabier and he can resolve the issues.

English

see? im not that crazy :D
really nice post
Adam Chester 🏴☠️@_xpn_
New blog post is up looking at how LLMs are making local EDR rulesets, YARA rules, and behavioral detections trivial to extract. This post focuses on how simple the harness can be. Buckle up h4xx0rs, the next few months are gonna get interesting! specterops.io/blog/2026/06/2…
English

@lainshawty @IntCyberDigest the fact i have no interest in learning frontend development and have used claude to make the dashboard doesnt mean the whole idea is invalid. wake up
English

@IntCyberDigest vibecoded bullshit which probably has nothing to do with any of the listed EDRs
English

@Cybersikkerhed you're right, not everything built on chromium exposes the full CDP interface. in the post i strictly refer to "Chromium-based browsers" and kinda leave electron applications or similar ones out of the picture
English

@0xtter "every Chromium-based browser ships with a built-in debugging protocol that has complete access to everything the browser can see and do" not entirely correct- many applications ship with a limited debugging interface with very restricted access. I believe discord does this
English

@0xDemonCall EDR vendors probably won't be too happy with me publicly sharing their components and rules so i dont think this project will ever go public. sry :\
English

Hack The Box Competitive Season 10: Underground is wrapped.
ADMinions finished #1 this season and remains #2 in the overall team ranking.
Proud of xtk (x746b) for finishing #1 on the player leaderboard with 8 bloods, and @bryanpwned for landing one!
#HTB #HackTheBox #CTF

English
otter retweetledi

We are pleased to announce that our latest obfuscation feature, QUIC, aimed at helping users bypass firewalls and censorship, is now available on Android and iOS.
Read more here: mullvad.net/blog/quic-obfu…
English
otter retweetledi

Please look at the vulnerable drivers. Even if you don't plan on reversing them or exploiting them, just behold the beauty of the potential which will not be used by lots of people (myself included, probably)
vx-underground.org
English
otter retweetledi
otter retweetledi






