MetallicHack @MetallicHack
🇨🇵 Cybersecurity engineer enjoying Windows & AD security, DFIR and detection engineering | @TheDFIRReport analyst | Joined November 2020
Tweets 934 · Followers 839 · Following 389 · Likes 4K
1/ We are sharing additional details regarding our investigation into unauthorized access to GitHub's internal repositories. Yesterday we detected and contained a compromise of an employee device involving a poisoned VS Code extension. We removed the malicious extension version, isolated the endpoint, and began incident response immediately.
Have you ever wanted to query ETW providers, but didn't want to open a VM? What about checking the difference of ETW providers/events across OS builds? Today I am releasing EtwWatcher - a tool that brings EtwInspector to GitHub Pages so that you can query ETW providers, as well as compare them across builds. This is something I wish I had for YEARS but have always opted to pull manually through a VM. I plan on being very active in uploading new snapshots as new OS builds come out. Check it out! Blog: jonny-johnson.medium.com/etwwatcher-f65… Repo: github.com/jonny-jhnson/E… Live site: jonny-jhnson.github.io/EtwWatcher/
Have you ever wondered why svchost can spawn from Windows Defender MsMpEng.exe without any flags, even though a legit svchost should always have flags? Welp, that's because it's not a real svchost :D Read - Why Does MsMpEng Spawn svchost.exe Without Flags? - research.nasbench.dev/research/other… TL;DR - MpEngine.dll (AKA Windows Defender Engine) has a function called CreateCraProcessHelper that is used as part of the AntiRootkit scanner. In it, it spawns a suspended process with just the CLI "svchost". This is used by the engine and KSL driver to pass specific bytes from \Device\PhysicalMemory between "Kernel" and "User mode" :D
Do you know how Entra ID applications work? What about the security mess they can bring and what they can quietly break? New blog post on Entra ID application permissions, the audit nightmare they create, and QAZPT, our OSS tool built to make sense of it: blog.quarkslab.com/auditing-appli…
So here is a new local privilege escalation zero-day I discovered, not patched yet too :). In simple terms, if you have a service like RDP that exposes an RPC server, there are many system services running as SYSTEM that connect to it as RPC clients. If that service is turned off (RDP is off by default), it seems that any other process in Windows can expose the same RPC server using the same endpoint. Now all the RPC calls from those SYSTEM processes will come to this fake server, and if the process that deployed the server has SeImpersonatePrivilege, it can escalate to SYSTEM by impersonating the RPC client. In the white paper below, I describe five exploit paths you can abuse. However, it's an architecture problem and maybe there are more. It's Not A Potato securelist.com/phantomrpc-rpc…
Process argument spoofing has focused on modifying the PEB before a suspended process resumes. @jdu2600 traces what happens after and finds the initialization timeline has its own injection windows - ones that fire after the allow decision has already been made. originhq.com/blog/post-star…
klist2kirbi is a tool that converts klist.exe output into a valid kirbi ticket! Available in kerlab github.com/airbus-cert/ke… 🔵 The Microsoft-Windows-Security-Kerberos #ETW provider exposes event ID 202, which will monitor attempts to export session keys 🔵
Part 2 of @tiraniddo’s Windows Administrator Protection journey is here! projectzero.google/2026/02/window…
No security feature is perfect. @tiraniddo reviewed Windows’ new Administrator Protection and found several bypasses. projectzero.google/2026/26/window…
[New @originhq blog+POC] No PPL? No problem! SecurityTrace, an undocumented ETW feature, restricts some AutoLogger traces to PPL only — yet we found this current design still allows non-PPL processes to consume from Threat-Intelligence as admin only! originhq.com/blog/securityt…
WSL2 is a powerful attacker hideout because it runs as a separate Hyper-V VM, and defenders rarely monitor it. Daniel Mayer explains how attackers pivot into WSL2 and what it took to build tooling that works across WSL2 versions. Read more ⤵️ ghst.ly/45fPUma
This blog post provides an in-depth analysis of #Turla's #Kazuar v3 loader and how it tries to slip past modern defenses: • Sideloading via MFC satellite DLLs • Control flow redirection trick (+ POC) • Patchless ETW and AMSI bypasses (+ POC) • Extensive COM usage for registry, file and folder operations (+ partial POC) • Strings encryption (+ IDAPython decryption script) • Including IOCs and Yara rules r136a1.dev/2026/01/14/com…
As promised, here is my approach to using the Windows Debugging API to inject shellcode (w/o direct process read/write). Had a lot of fun playing with this! (Currently tested against MDE & Elastic) github.com/dis0rder0x00/D…
Let's play peekaboo with PatchGuard! Read our blog post about hiding processes on modern Windows systems with HVCI enabled: outflank.nl/blog/2026/01/0…
andrea-allievi.com/blog/new-year-… Anti-cheat evolution in Windows... New Year post while I am on vacation is ready!!! 🎉 Happy 2026!
Securelist Blog | The HoneyMyte APT evolves with a kernel-mode rootkit and a ToneShell backdoor securelist.com/honeymyte-kern…
Remember the old Control Panel applets that were used for initial access? I found that these DLLs can be loaded into memory remotely through an interesting DCOM object, allowing a new command execution technique to be achieved during lateral movement. Details: sud0ru.ghost.io/yet-another-dc…
Ever wonder why we call them "Cmdlets" in PowerShell instead of just "Commands"? jsnover.com/blog/2025/12/1… #PowerShell
🔥Introducing a new Red Team tool - SessionHop: github.com/3lp4tr0n/Sessi… SessionHop utilizes the IHxHelpPaneServer COM object to hijack specified user sessions. This session hijacking technique is an alternative to remote process injection or dumping LSASS. Kudos to @tiraniddo for first discovering this years ago. Blue Team tip: Look for unusual child processes spawning from HelpPane.exe
Florian Roth ⚡️ @cyb3rops
221K Followers 3K Following Head of Research @nextronsystems #DFIR #YARA #Sigma | detection engineer | creator of @thor_scanner, Aurora, Sigma, LOKI, YARA-Forge | always busy ⌚️🐇 | vi/vim
Kostas @Kostastsale
20K Followers 383 Following I like building things that solve real problems, working across cybersecurity, product, and research | 🇬🇷🇨🇦
DebugPrivilege @DebugPrivilege
41K Followers 2K Following Not active anymore on X. Problem solver with a passion for troubleshooting complex issues.
Christopher Peacock @SecurePeacock
7K Followers 2K Following #PurpleTeam | Ex @RaytheonTech MSSP, @SCYTHE_IO, & @GD_OTS | Taught at BlackHat & DEFCON | #100DaysofSigma | Keep exploring, keep learning, and stay curious
Thomas Roccia 🤘 @fr0gger_
35K Followers 2K Following AI Security x Threat Intel · Threat Researcher · Creator of #Unprotect & #NOVA · Malware Warlock · Python 🧡 · Prev @Microsoft @McAfee_Labs
Will @BushidoToken
38K Followers 3K Following Senior Threat Intel Advisor @TeamCymru | Co-founder @CuratedIntel | Co-author @SANSForensics FOR589 | Co-founder @BSidesBournemth | @darknetdiaries #126: REvil
Nasreddine Benchercha... @nas_bench
12K Followers 1K Following Detection @Splunk & @cisco | previously @nextronsystems | @sigma_hq & @magicswordio maintainer | Eternal Learner
Katie Nickels @likethecoins
55K Followers 3K Following Director of Intel at @redcanary. SANS Certified Instructor for FOR578: CTI. Senior Fellow at @CyberStatecraft. She/her. Mastodon: @[email protected]
Matthew @embee_research
14K Followers 2K Following Security Researcher, Creating and Sharing Educational Content.
Dray Agha @Purp1eW0lf
6K Followers 3K Following Hunt & Response Senior Manager @HuntressLabs || "Competition is the law of the jungle, but cooperation is the law of civilisation” - Kropotkin
Zach @svch0st
4K Followers 1K Following Everything DFIR @TheDFIRReport | @CuratedIntel | @XintraOrg https://t.co/ggakuKBS0S
Josh Stroschein | The... @jstrosch
12K Followers 1K Following Reverse engineer and content creator | 😱 1M+ views on YT | 🎙️ Host of Behind the Binary podcast 👇
kernullist @kernullist
1K Followers 3K Following Security and anti-cheat researcher focused on Windows internals. Advancing reliable detection and stronger system integrity. https://t.co/1hoZxnzccW
Johnny @Luckyrocky2028
249 Followers 7K Following Stay Hungry, Stay Foolish. Only those who are self-disciplined can attain true freedom.|No Politics.
C3L14 @0xCAFEDEADBEEF
1 Followers 36 Following
Joe-Zoo @Molt250323
8 Followers 190 Following
Agnani Sanjay @sagnani
32 Followers 3K Following
Rahman @0xRhman
26 Followers 319 Following
AJ Nags @j4ckR34ch3r599
0 Followers 15 Following
MBM @NapoLeo96448222
2 Followers 149 Following
vinsk0h @vinsk0h
134 Followers 388 Following Lambda ninja of rank B, determined to integrate the Akatsuki. 🖥️ SOC Analyst 🚩CTF Player
intelQC @intel_qc
0 Followers 186 Following
0xEBFB @0xEBFB
0 Followers 292 Following
N S @0x4E53h
1 Followers 197 Following
MR @cypherpunk472
285 Followers 882 Following aka Rothware // Threat hunter // Minimalist // Nature Lover
Abdelwahab Elkhodary @Abdelwahab5odry
95 Followers 231 Following “Life is like riding a bicycle. To keep your balance, you must keep moving”
Joao Mariano @JoaoMarian39708
3 Followers 667 Following
Abdul Majeed @abdulmajeedx96
22 Followers 1K Following
Qanon @qanonfree
0 Followers 5K Following
techn00bguy @techn00bguy
249 Followers 4K Following Forever n00b | Cloud, InfoSec, OSINT, and Privacy enthusiast | Keep Learning!
Leonardo Gil @UnctusM
189 Followers 3K Following Infosec Addict. "You will go, you will return, never in war will you perish."
singh @singh1314614754
0 Followers 28 Following
Sanjay Tiwari @sanjaysunday
83 Followers 1K Following All tweets and retweets are my personal; tweets & retweets don't mean I endorse.
A S M Shamim Reza @shamimrezasohag
204 Followers 853 Following Founder & Chief of Research at TheTeamPhoenix
.. @x41ymx41n
4 Followers 272 Following I seek refuge in God from a day on which I leave this life with unforgiven sins on my shoulders.
aridjourney @aridjourney
42 Followers 658 Following Threat research @HarfangLab. Opinions are my own.
Stefano @St78865642
0 Followers 30 Following
Forest @glycerine112
3 Followers 57 Following
G@b7 @theschue3
3 Followers 61 Following
Norbert @NB1r0
47 Followers 3K Following
Hussein Sherafat @Hussein_Sherafa
146 Followers 6K Following
Darren Webb ☠🕷 @spyd3r
1K Followers 7K Following Computational demonologist. The following tweets are classified SECRET GOLD JULY BOOJUM. 101 824 5150
Nope @_N0pe00
16 Followers 976 Following
Malsec Ericsson @MalsecEricsson
0 Followers 126 Following Cybersecurity journalist. Covering exploits, vulnerabilities, and the underground scene. Opinions are my own.
1337ice_cream @1337ice_cream
68 Followers 321 Following Your Favorite Researcher's Favorite Researcher
Ahmed Mkadem @cyberamkah
9 Followers 282 Following
Ama @Ama7479742
1 Followers 71 Following
Ali M.Salem @AliMohaamed1907
6 Followers 39 Following
Abolfazl Hayati @HayatiAbolfazl
6 Followers 524 Following And what do you know, perhaps your destiny is better than your wish…
Sylvain Peyrefitte @citronneur
1K Followers 2K Following
Olivia Thompson @OliviaT61356929
4 Followers 166 Following Recruiting webshell engineers to penetrate websites, with a monthly salary of up to $100,000. If interested, please contact https://t.co/iL61N3umaw
vx-underground @vxunderground
438K Followers 358 Following The largest collection of malware source code, samples, and papers on the internet. Password: infected
The DFIR Report @TheDFIRReport
67K Followers 0 Following Real Intrusions by Real Attackers, the Truth Behind the Intrusion
Stephan Berger @malmoeb
29K Followers 1K Following Head of Investigations @InfoGuardAG https://t.co/A5lnFAu7eX
Max_Malyutin @Max_Mal_
13K Followers 306 Following Threat Researcher, Blue Team, DFIR, Malware Analysis, and Reverse Engineering. “⚔️What do we say to God of malware, Not today⚔️”
John Hammond @_JohnHammond
320K Followers 3K Following Cybersecurity Researcher @HuntressLabs Just Hacking Training @JustHackingHQ w/ @ethicalhacker https://t.co/UtsNJiyiEk && https://t.co/narO3syzIy
Jake Williams @MalwareJake
149K Followers 2K Following Breaker of software | VP R&D @hunterstrategy | CTI/DFIR | @ians_security faculty | Bookings: jake at malwarejake dot com | GSE #150 | He/him
Will Dormann is on Ma... @wdormann
27K Followers 1K Following I play with vulnerabilities and exploits. I used to be here on Twitter but now I'm here: @[email protected] https://t.co/hXggdAVkSQ
Unit 42 @Unit42_Intel
69K Followers 81 Following The latest research and news from Unit 42, the Palo Alto Networks (@paloaltontwks) Threat Intelligence and Security Consulting Team covering incident response.
James @James_inthe_box
22K Followers 465 Following
ς๏гєɭคภς0… @corelanc0d3r
26K Followers 605 Following Corelan | Infosec Researcher&Trainer, Hacker | Outgoing Introvert (INFJ-A) | Book lover | Fountain pen aficionado | Chess amateur | Foodie | 🖤
Daax @daaximus
12K Followers 407 Following reverse engineering • secure processor design • system emulation • µarch bugs @the_secret_club
Back Engineering Labs @BackEngineerLab
2K Followers 4 Following Developing https://t.co/FGFRjFl0ql Discord: https://t.co/EeXwaigjlI
cr3ghost @cr3ghost
1K Followers 296 Following A student passionate about reverse engineering, windows internals, anti-cheat research, malware research, and exploit research. Aspiring red teamer.
Adrián Díaz @s4dbrd
731 Followers 295 Following Red Team | Reversing & Exploiting | I publish failed research in my blog Co-Founder @valhguard
Кириакос Эк... @kyREcon
3K Followers 759 Following @ShellterProject. R&D. Exploit Dev. Malware RE. AV/EDR Evasion. The greatest trick the devil ever pulled was convincing the world stupid questions didn't exist.
Anthropic @AnthropicAI
1.3M Followers 2 Following We're an AI safety and research company that builds reliable, interpretable, and steerable AI systems. Talk to our AI assistant @claudeai on https://t.co/FhDI3KQh0n.
CloudBreach @Cloud_Breach
4K Followers 66 Following Train like a hacker. Stop tomorrow's cloud breach.
R136a1 @TheEnergyStory
5K Followers 224 Following Malware reverse engineer, threat hunter, tool developer
Terrance DeJesus @_xDeJesus
880 Followers 1K Following $ Security Researcher // Cloud & Identity {HUmar Skyly // Professional Hogger Hunter} {Opinions are my Own}
Marc Smeets @MarcOverIP
5K Followers 499 Following Does a thing or two with red teaming @OutflankNL | part time race and drift car instructor
Elliot @ElliotKillick
3K Followers 40 Following Security engineer and researcher | Elliot on Security
Devon Kerr @_devonkerr_
8K Followers 767 Following Director of DE&TH @HuntressLabs and custodian of secret histories. Posts are my own.
LAB52 @LAB52io
2K Followers 439 Following (Cyber) Intelligence @ S2 Grupo #intelligence #cybint @s2grupo @securityartwork
Zscaler ThreatLabz @Threatlabz
9K Followers 46 Following Threat intelligence and security research from @zscaler
French Response @FrenchResponse
208K Followers 8 Following Official response account of the French MFA 🇫🇷🇪🇺 (🏏) @francediplo_EN
sapir federovsky @sapirxfed
5K Followers 196 Following Doing things @wiz_io And then doing more things at home | Failed research blog: https://t.co/j2HT1Tpscs | Trying to be more chill🧘♀️
Tim Blazytko @mr_phrazer
6K Followers 261 Following Binary Security Researcher & Trainer | PT Chief Scientist @ Emproof Also at https://t.co/YBfgAt3kc7
Graham Helton (too mu... @GrahamHelton3
12K Followers 653 Following senior red team engineer @snowflake | former grocery store bagger He/him :wq!
Ariel Jungheit @ArielJT
1K Followers 202 Following Life under the sea was so much easier | Threat Research @harfanglab | Maker | Tweets are my own
Miixxedup @Miixxedup
402 Followers 540 Following CTI at @Mandiant | Analyst at @TheDFIRReport | Security Intelligence, Automation and Innovation | Sourdough baker noob but a connoisseur anyway.
Nathan Blondel @slowerzs
802 Followers 123 Following
Secure Chicken 🐣 @securechicken
470 Followers 85 Following Rural cybersecurity practitioner and seasoned brewer. Opinions are my own, I work @HarfangLab (former GREAT, CISO and FR Gov).
Antoine Faucher @afaucher79
15 Followers 737 Following
sixtyvividtails @sixtyvividtails
4K Followers 400 Following Currently working as an independent GUID merchant. Fully licensed. I acquire, produce, and sell high-quality GUIDs.
Stephen Sims @Steph3nSims
26K Followers 861 Following Perpetual Student | SANS Fellow | Musician | Braggart Hater | Gray Hat Hacking | VR | 🏂 | deadcode | https://t.co/4neOSsnCQ8
Rad @rad9800
10K Followers 708 Following ex-founder. building solutions to secure organizations. prev @deceptiq_ (acq.), now at @thinkstcanary All thoughts / opinions (if at all) are my own.
L0Psec @L0Psec
4K Followers 2K Following reverse engineer | arm64 :) | macOS/iOS | YouTube: https://t.co/VdHNCl0Qfl
j00ru//vx @j00ru
37K Followers 821 Following (Mostly) Windows hacker & vulnerability researcher. Google Project Zero. @DragonSectorCTF
Ori Damari @0xrepnz
7K Followers 270 Following Low level developer, Reverse engineer, Windows kernel. Read my blog! 😋
William Burgess @joehowwolf
2K Followers 4K Following Ex-theoretical physicist, currently terrible hacker and wannabe security researcher. Views are, regrettably, my own. Likes = bookmarks
Check Point Research @_CPResearch_
25K Followers 120 Following Fighting cyber threats one research at a time. News from Check Point’s (@checkpointSW) Research team.
Kurosh Dabbagh @_Kudaes_
1K Followers 197 Following nt authority\kurosh https://t.co/MCEI38ndVE https://t.co/w6aiUt7YlZ
Is Now on VT! @Now_on_VT
4K Followers 829 Following Stay ahead of cyber threats. Get real-time alerts on notable APT/FIN/ORB indicators from VirusTotal. A threat intel project by @craiu.
Cobalt Strike @_CobaltStrike
6K Followers 33 Following Official account for Cobalt Strike. Benchmark red teaming tool known for its flexibility and powerful user community. Follow for new releases and other updates.
ANY.RUN @anyrun_app
33K Followers 191 Following Empowering businesses with proactive security solutions: Interactive Sandbox, TI Lookup and Feeds. Sign up: https://t.co/8hIX0Qh5ME
nop @thenopcode
981 Followers 338 Following professional binary breaker | Red Teamer @ MTD | BSODs are my daily routine
CICADA8Research @CICADA8Research
1K Followers 128 Following Welcome to the official Twitter for CICADA8! Your premier destination for cutting-edge research and development in the cybersecurity field
SSTIC @sstic
6K Followers 1 Following SSTIC is a French-speaking conference on information security. It takes place in Rennes in June. https://t.co/N0ZJfr5V3s