MetallicHack

932 posts

@MetallicHack

🇨🇵 Cybersecurity engineer enjoying Windows & AD security, DFIR and detection engineering; @TheDFIRReport analyst

Joined November 2020
386 Following, 838 Followers
MetallicHack retweeted
Jonny Johnson @JonnyJohnson_
Have you ever wanted to query ETW providers, but didn't want to open a VM? What about checking the difference of ETW providers/events across OS builds? Today I am releasing EtwWatcher - a tool that brings EtwInspector to GitHub Pages so that you can query ETW providers, as well as compare them across builds. This is something I wish I had for YEARS but have always opted to pull manually through a VM. I plan on being very active in uploading new snapshots as new OS builds come out. Check it out! Blog: jonny-johnson.medium.com/etwwatcher-f65… Repo: github.com/jonny-jhnson/E… Live site: jonny-jhnson.github.io/EtwWatcher/
MetallicHack retweeted
Nasreddine Bencherchali
Have you ever wondered why svchost can spawn from Windows Defender MsMpEng.exe without any flags, even though a legit svchost should always have flags? Welp, that's because it's not a real svchost :D Read - Why Does MsMpEng Spawn svchost.exe Without Flags? - research.nasbench.dev/research/other… TL;DR - MpEngine.dll (AKA the Windows Defender Engine) has a function called CreateCraProcessHelper that is used as part of the AntiRootkit scanner. In it, it spawns a suspended process with just the CLI "svchost". This is used by the engine and the KSL driver to pass specific bytes from \Device\PhysicalMemory between "Kernel" and "User mode" :D
MetallicHack retweeted
quarkslab @quarkslab
Do you know how Entra ID applications work? What about the security mess they can bring and what they can quietly break? New blog post on Entra ID application permissions, the audit nightmare they create, and QAZPT, our OSS tool built to make sense of it: blog.quarkslab.com/auditing-appli…
MetallicHack retweeted
Haidar @haider_kabibo
So here is a new local privilege escalation zero-day I discovered, not patched yet too :). In simple terms, if you have a service like RDP that exposes an RPC server, there are many system services running as SYSTEM that connect to it as RPC clients. If that service is turned off (RDP is off by default), it seems that any other process in Windows can expose the same RPC server using the same endpoint. Now all the RPC calls from those SYSTEM processes will come to this fake server, and if the process that deployed the server has SeImpersonatePrivilege, it can escalate to SYSTEM by impersonating the RPC client. In the white paper below, I describe five exploit paths you can abuse. However, it's an architecture problem and maybe there are more. It's Not A Potato securelist.com/phantomrpc-rpc…
MetallicHack retweeted
Origin @originhq
Process argument spoofing has focused on modifying the PEB before a suspended process resumes. @jdu2600 traces what happens after and finds the initialization timeline has its own injection windows - ones that fire after the allow decision has already been made. originhq.com/blog/post-star…
MetallicHack retweeted
Sylvain Peyrefitte @citronneur
klist2kirbi is a tool that converts klist.exe output into a valid kirbi ticket! Available in kerlab github.com/airbus-cert/ke… 🔵 The Microsoft-Windows-Security-Kerberos #ETW provider exposes event ID 202, which will monitor attempts to export session keys 🔵
MetallicHack retweeted
Connor McGarr @33y0re
[New @originhq blog+POC] No PPL? No problem! SecurityTrace, an undocumented ETW feature, restricts some AutoLogger traces to PPL only — yet we found this current design still allows non-PPL processes to consume from Threat-Intelligence as admin only! originhq.com/blog/securityt…
MetallicHack retweeted
SpecterOps @SpecterOps
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma
MetallicHack retweeted
R136a1 @TheEnergyStory
This blog post provides an in-depth analysis of #Turla's #Kazuar v3 loader and how it tries to slip past modern defenses:
• Sideloading via MFC satellite DLLs
• Control flow redirection trick (+ POC)
• Patchless ETW and AMSI bypasses (+ POC)
• Extensive COM usage for registry, file and folder operations (+ partial POC)
• Strings encryption (+ IDAPython decryption script)
• Including IOCs and Yara rules
r136a1.dev/2026/01/14/com…
MetallicHack retweeted
dis0rder @dis0rder_0x00
As promised, here is my approach to using the Windows Debugging API to inject shellcode (w/o direct process read/write). Had a lot of fun playing with this! (Currently tested against MDE & Elastic) github.com/dis0rder0x00/D…
MetallicHack retweeted
Outflank @OutflankNL
Let's play peekaboo with PatchGuard! Read our blog post about hiding processes on modern Windows systems with HVCI enabled: outflank.nl/blog/2026/01/0…
MetallicHack retweeted
Kimberly @StopMalvertisin
Securelist Blog | The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor securelist.com/honeymyte-kern…
MetallicHack retweeted
Haidar @haider_kabibo
Remember the old Control Panel applets that were used for initial access? I found that these DLLs can be loaded into memory remotely through an interesting DCOM object, allowing a new command execution technique to be achieved during lateral movement. Details: sud0ru.ghost.io/yet-another-dc…
MetallicHack retweeted
Andrew Oliveau @AndrewOliveau
🔥Introducing a new Red Team tool - SessionHop: github.com/3lp4tr0n/Sessi… SessionHop utilizes the IHxHelpPaneServer COM object to hijack specified user sessions. This session hijacking technique is an alternative to remote process injection or dumping LSASS. Kudos to @tiraniddo for first discovering this years ago. Blue Team tip: Look for unusual child processes spawning from HelpPane.exe
MetallicHack retweeted
Outflank @OutflankNL
New blog by Outflank’s @KyleAvery: Linux process injection leveraging seccomp to inject shared libraries into Linux processes without LD_PRELOAD, ptrace, or elevated privileges. Parent-to-child injection at any ptrace_scope level 💪😎 Tech details here: ow.ly/KwBh50XGvrC