otter

42 posts

otter banner
otter

otter

@0xtter

ʕ •ᴥ• ʔ i mess with security products

Katılım Nisan 2020
257 Takip Edilen543 Takipçiler
cr3ghost
cr3ghost@cr3ghost·
A single bit flip in kernel memory can completely disable an ETW provider. No crash. No alert. The EDR just stops seeing events. This post walks through every telemetry source EDRs rely on and how each one works at the kernel level. ETW providers, driver callbacks, object callbacks, registry callbacks. The kernel structures behind them, how to find them in memory with WinDbg, and what an attacker can manipulate. Hidden ETW providers invisible to user-land enumeration. Zeroing callback arrays to blind Sysmon. Loading DLLs without triggering image load notifications. Executing payloads through fibers without generating thread creation events. Flipping single bits to disable monitoring entirely. If you are building detections, you need to understand what telemetry you are trusting and how easily it can be taken away from you. blog.otterpwn.com/research/In-de… Author: @OtterHacker #DetectionEngineering #WindowsInternals #InfoSec
cr3ghost tweet mediacr3ghost tweet mediacr3ghost tweet mediacr3ghost tweet media
English
3
39
186
8.5K
International Cyber Digest
International Cyber Digest@IntCyberDigest·
Someone released what is basically an offline VirusTotal without burning your payload: a security researcher reverse-engineered four major EDRs (SentinelOne, Cortex XDR, CrowdStrike, and Sophos) and extracted their detection logic from on-disk agent binaries, ML models, YARA rules, and behavioral scripts. The project rebuilds the kernel telemetry stack those products run on, including Windows process, thread, registry, and handle callbacks plus a file-system minifilter. It even reconstructs access to the ETW Threat Intelligence provider that Windows normally reserves for protected anti-malware processes. Thus, both the detection rules and the sensor layer can be replicated outside the vendor’s agent.
International Cyber Digest tweet media
English
35
153
1.3K
87.5K
otter retweetledi
K̵i̵r̵k̵ ̵T̵r̵y̵c̵h̵e̵l̵
New full episode of 'whoami' podcast. I had the opportunity to talk with @C5pider , author of Havoc & Havoc Pro. I had a great time learning from one of the best c2/malware devs out there. Check it out for some awesome insights.
English
5
18
112
23.3K
Smukx.E
Smukx.E@5mukx·
X censorship is insane and full of false positives. @nikitabier. Is posting hoodie pics are illegal on X ? In the security community we are getting far too many false positives with posts are locked and even suspensions because of the post. We’re not interested in politics or yapping about other people. We use X to learn skills and share quality research & blogs to learn. There’s clearly something broken at X right now. Please investigate and resolve this issue. otherwise, quality researchers will inevitably shift to other platforms. Thank you ! Please share this as much as possible so it can reach the @X Head of Product @nikitabier and he can resolve the issues.
Smukx.E tweet media
English
7
10
77
6.6K
otter
otter@0xtter·
@lainshawty @IntCyberDigest the fact i have no interest in learning frontend development and have used claude to make the dashboard doesnt mean the whole idea is invalid. wake up
English
1
0
3
155
lain
lain@lainshawty·
@IntCyberDigest vibecoded bullshit which probably has nothing to do with any of the listed EDRs
English
1
0
10
4K
otter
otter@0xtter·
@wessorh i have intentionally left out the details regarding the actual reverse-engineering process because, based on the experience of other researchers, vendors tent to be quite unhappy if you share the details of how their proprietary products work (rightfully so :D)
English
1
0
2
322
wessorh
wessorh@wessorh·
@0xtter I'm working on a faster rules for yara, based on the ideas of exchanging and generating should be easy. Can you say more about reversing their rules? I'm interested in using them for detection then making opensource rules easier to generate and share
English
1
0
2
441
otter
otter@0xtter·
@Cybersikkerhed you're right, not everything built on chromium exposes the full CDP interface. in the post i strictly refer to "Chromium-based browsers" and kinda leave electron applications or similar ones out of the picture
English
1
0
1
175
ً
ً@Cybersikkerhed·
@0xtter "every Chromium-based browser ships with a built-in debugging protocol that has complete access to everything the browser can see and do" not entirely correct- many applications ship with a limited debugging interface with very restricted access. I believe discord does this
English
1
0
1
296
otter
otter@0xtter·
@0xDemonCall EDR vendors probably won't be too happy with me publicly sharing their components and rules so i dont think this project will ever go public. sry :\
English
1
0
7
2.4K
Demon
Demon@0xDemonCall·
@0xtter Bro, When will it be open source?
English
3
0
0
2.4K
AD Minions
AD Minions@ctfminions·
Hack The Box Competitive Season 10: Underground is wrapped. ADMinions finished #1 this season and remains #2 in the overall team ranking. Proud of xtk (x746b) for finishing #1 on the player leaderboard with 8 bloods, and @bryanpwned for landing one! #HTB #HackTheBox #CTF
AD Minions tweet media
English
1
3
16
2K
otter retweetledi
Mullvad.net
Mullvad.net@mullvadnet·
We are pleased to announce that our latest obfuscation feature, QUIC, aimed at helping users bypass firewalls and censorship, is now available on Android and iOS. Read more here: mullvad.net/blog/quic-obfu…
English
39
180
1.7K
61.6K
otter retweetledi
vx-underground
vx-underground@vxunderground·
Please look at the vulnerable drivers. Even if you don't plan on reversing them or exploiting them, just behold the beauty of the potential which will not be used by lots of people (myself included, probably) vx-underground.org
English
3
5
87
13.4K
otter retweetledi
vx-underground
vx-underground@vxunderground·
vx-underground tweet media
ZXX
32
220
2.5K
91.2K