MetallicHack

klist2kirbi is a tool that convert klist.exe output into a valid kirbi ticket ! Available in kerlab github.com/airbus-cert/ke… 🔵 Microsoft-Windows-Security-Kerberos #ETW provider exposed the event ID 202 that will monitor attempts to export sessions keys🔵

Part 2 of @tiraniddo’s Windows Administrator Protection journey is here! projectzero.google/2026/02/window…

No security feature is perfect. @tiraniddo reviewed Windows’ new Administrator Protection and found several bypasses. projectzero.google/2026/26/window…

[New @originhq blog+POC] No PPL? No problem! SecurityTrace, an undocumented ETW feature, restricts some AutoLogger traces to PPL only — yet we found this current design still allows non-PPL processes to consume from Threat-Intelligence as admin only! originhq.com/blog/securityt…

WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma

This blog post provides an in-depth analysis of #Turla's #Kazuar v3 loader and how it tries to slip past modern defenses: • Sideloading via MFC satellite DLLs • Control flow redirection trick (+ POC) • Patchless ETW and AMSI bypasses (+ POC) • Extensive COM usage for registry, file and folder operations (+ partial POC) • Strings encryption (+ IDAPython decryption script) • Including IOCs and Yara rules r136a1.dev/2026/01/14/com…

As promised here is my approach to using the Windows Debugging API to inject shellcode (w/o direct process read/write) Had a lot of fun playing with this! (Currently tested agains MDE & Elastic) github.com/dis0rder0x00/D…

Let's play peekaboo with PatchGuard! Read our blog post about hiding processes on modern Windows systems with HVCI enabled: outflank.nl/blog/2026/01/0…

andrea-allievi.com/blog/new-year-… Anti-cheat evolution in Windows... New Year post while I am in vacation is ready!!! 🎉 Happy 2026!

Securelist Blog | The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor securelist.com/honeymyte-kern…

Remember the old Control Panel applets that were used for initial access. I found that these DLLs can be loaded into memory remotely through an interesting DCOM object, allowing to achieve new command execution technique during lateral movement. Details: sud0ru.ghost.io/yet-another-dc…

Ever wonder why we call them "Cmdlets" in PowerShell instead of just "Commands"? jsnover.com/blog/2025/12/1… #PowerShell

🔥Introducing a new Red Team tool - SessionHop: github.com/3lp4tr0n/Sessi… SessionHop utilizes the IHxHelpPaneServer COM object to hijack specified user sessions. This session hijacking technique is an alternative to remote process injection or dumping LSASS. Kudos to @tiraniddo for first discovering this years ago. Blue Team tip: Look for unusual child processes spawning from HelpPane.exe

New blog by Outflank’s @KyleAvery: Linux process injection leveraging seccomp to inject shared libraries into Linux processes without LD_PRELOAD, ptrace nor elevated privileges. Parent-to-child injection at any ptrace_scope level 💪😎 Tech details here: ow.ly/KwBh50XGvrC

Its not a secret that I'm #1 fan of @WEareTROOPERS I had to miss it last year, so to feel a part, i spend my weekend watching some talks and wrote my thoughts on the first 3 🙃 sapirxfed.com/2025/12/01/tro…

My gift for Thanksgiving 💜 I wrote for you the blog post I always wanted to read! Happy holiday!🦃 PLEASE READ IT!!! wiz.io/blog/recent-oa…

Cobalt Strike 4.12 is LIVE, complete with a new look for the GUI! Additionally, we're introducing: - A REST API - User Defined Command and Control (UDC2) - New process injection options - New UAC bypasses - and more! Check out the release blog for details. ow.ly/RSmE50Xx1OS

This is huge news, #sysmon going native in Windows 11 next year. techcommunity.microsoft.com/blog/windows-i… More cool stuff on custom logging coming this week. Watch this space 😎

#ElasticSecurityLabs uncovers #RONINGLOADER, a multi-stage loader utilizing signed drivers, PPL abuse, CI Policies, and other evasion techniques to deliver #DragonBreath's gh0st RAT variant. Check it out at ela.st/roningloader

Callstacks are largely used by the Elastic EDR to detect malicious activity. @SAERXCIT details a technique to evade a callstack-based detection and allow shellcode to load a network module without getting detected. Post: offsec.almond.consulting/evading-elasti… PoC: github.com/AlmondOffSec/L…