Two Seven One Three

Verified account

@TwoSevenOneT

Chief Security Officer (CSO) || Security Researcher at || Penetration Tester || Red Teamer || Social Engineering Awareness Trainer

Joined September 2024

2.1K Following

4.7K Followers

244 Posts

Two Seven One Three

about 1 month ago

Some powerful built-in Windows 11 programs are allowed to write files to Defender’s working directory: \System32\msiexec.exe \Register-CimProvider.exe \svchost.exe \lsass.exe Tools and methods to find these whitelisted programs for other #antimalware Github: /TwoSevenOneT/DefenderWrite

$TwoSevenOneT's tweet photo. Some powerful built-in Windows 11 programs are allowed to write files to Defender’s working directory: \System32\msiexec.exe \Register-CimProvider.exe \svchost.exe \lsass.exe Tools and methods to find these whitelisted programs for other #antimalware Github: /TwoSevenOneT/DefenderWrite$

0

145

30

116

10K

Two Seven One Three

about 1 month ago

Challenge: Drop #mimikatz onto a drive with the latest Windows 11. 1. Found a way to write a file into Windows Defender’s working directory: Success ✅ 2. Dropped "mimikatz.exe" into that folder: Failed 🛑 Conclusion: Windows Defender does not exclude its own executable folder

TwoSevenOneT's tweet photo. Challenge: Drop #mimikatz onto a drive with the latest Windows 11.
1. Found a way to write a file into Windows Defender’s working directory: Success ✅
2. Dropped "mimikatz.exe" into that folder: Failed 🛑
Conclusion: Windows Defender does not exclude its own executable folder https://t.co/ndYGHQOdSZ

0

49

11

29

9K

Two Seven One Three

about 1 month ago

@DXevj7ck The purpose is to prevent EDRs from connecting to their servers, with low user privs

1

0

0

0

213

Two Seven One Three

about 2 months ago

While I was trying to evade cloud-based EDRs, I accidentally found a way to temporarily block a client's machine network with a POC running as a Normal user. Not using the Windows Filtering Platform (WFP) which requires Admin priv I haven't thought of exploitation scenarios for this tool yet, it might be a dead-end #antimalware research direction 🤔 #redteam

TwoSevenOneT's tweet photo. While I was trying to evade cloud-based EDRs, I accidentally found a way to temporarily block a client's machine network with a POC running as a Normal user.

Not using the Windows Filtering Platform (WFP) which requires Admin priv
I haven't thought of exploitation scenarios for this tool yet, it might be a dead-end #antimalware research direction 🤔
#redteam

3

163

31

99

16K

Two Seven One Three

about 1 month ago

@_hackscale_ @FaithWa76789087 As soon as possible 😁

0

1

0

0

25

Two Seven One Three

about 2 months ago

@FaithWa76789087 Sure 🤗

1

1

0

1

774

Two Seven One Three

about 2 months ago

@Abdulmalik_TTG Why not 🤭 All information has value.

0

1

0

0

569

Two Seven One Three

about 2 months ago

Need to survey which Antivirus product to prioritize bypassing

about 2 months ago

Had a Threat Actor ask for an anti-virus recommendation DAWG, YOU ARE THE THREAT. WHY DO YOU NEED AN AV?

57

2K

52

95

79K

1

17

0

0

6K

Two Seven One Three

about 2 months ago

@huntnp007 Yep, Mimi when you want to check whether an exec malicious behavior triggers an alert or not. It's just a quick check.

0

0

0

0

78

Two Seven One Three

about 2 months ago

To be honest, in many cases I test evasion or antivirus bypass by dropping #mimikatz onto the Desktop and running it to see if it works. I don't use the EICAR test file 😂 Drop Mimikatz and the AV doesn't complain ==> something's worked

🥝🏳️‍🌈 Benjamin Delpy

about 2 months ago

Want to feel #hacker but fear to put #mimikatz binary on your desktop?

0

68

8

19

25K

5

81

5

24

16K

Two Seven One Three

about 2 months ago

@HolyMoly84103 Safer than "real" hackers, the ones who test payloads with VirusTotal ;)

0

0

0

0

131

Two Seven One Three

about 2 months ago

@gentilkiwi Yep😆

0

0

0

0

596

Two Seven One Three

about 2 months ago

@HonkyTonkHer0 Yep, this is just a quick way to check

0

0

0

0

228

Two Seven One Three

about 2 months ago

@r3dactt Be on the same page 😁

0

1

0

0

192

Two Seven One Three

3 months ago

They work harder than the sysadmin team to confige users' machines 🤣

3 months ago

BlackSanta EDR-Killer Operations https://t.co/irJSN1BjbZ

blackorbird's tweet photo. BlackSanta EDR-Killer Operations
https://t.co/irJSN1BjbZ https://t.co/r2kLgGWgvV

blackorbird's tweet photo. BlackSanta EDR-Killer Operations
https://t.co/irJSN1BjbZ https://t.co/r2kLgGWgvV

blackorbird's tweet photo. BlackSanta EDR-Killer Operations
https://t.co/irJSN1BjbZ https://t.co/r2kLgGWgvV

0

143

25

101

18K

1

19

3

8

7K

TwoSevenOneT retweeted

3 months ago

I am releasing a new toolkit I built for IIS-based lateral movement and code execution within IIS worker pool process's memory. Phantom ASPX Loader & PhantomLink -- a two-part toolkit for reflectively loading native DLLs into IIS w3wp.exe worker processes via ASPX. https://t.co/EevQysfANT

4

249

78

146

17K

TwoSevenOneT retweeted

3 months ago

Recently my RE workflow moved into sandboxed VMs where agents have full control over the environment. I needed an MCP server that runs headless in the same sandbox and exposes way more of the #BinaryNinja API than others. Here's the release: https://t.co/HU2Vf8Uj6T

3

272

50

206

37K

TwoSevenOneT retweeted

@akaclandestine

4 months ago

GitHub - 0xsh3llf1r3/ColdWer: Cobalt Strike BOF to freeze EDR/AV processes and dump LSASS using WerFaultSecure.exe PPL bypass https://t.co/5YLoC9VuNF

0

128

34

77

10K

Two Seven One Three

4 months ago

@7uckzero Yes, what's important is how we make a valid service "crash". If we use a custom payload to trigger it, then the failure recovery function isn't very useful anymore.

0

0

0

0

66

Two Seven One Three

4 months ago

You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. #antimalware #redteam #Pentesting

TwoSevenOneT's tweet photo. You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath.
#antimalware #redteam #Pentesting https://t.co/h2gGWv6RUI

TwoSevenOneT's tweet photo. You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath.
#antimalware #redteam #Pentesting https://t.co/h2gGWv6RUI

TwoSevenOneT's tweet photo. You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath.
#antimalware #redteam #Pentesting https://t.co/h2gGWv6RUI

4

205

33

140

14K

Last Seen Users on Sotwe

Trends for you

Most Popular Users