// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 26, 2023
Signal Brief · Archived

Week of June 26, 2023

2023-06-26 — 2023-07-02 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 26, 2023, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 research pocs, 2 vuln disclosures. Vendors in the record this week: Ivanti, Stormshield.

The Week's Public Record

Events

2023-07-01
research poc
ShellGhost: Memory-Based Evasion Technique Hides Shellcode from AV/EDRShellGhost
Security researcher lem0nSec published a proof-of-concept technique called ShellGhost that keeps shellcode encrypted in memory except for the currently executing instruction, evading memory scanners. The method uses vectored exception handling and software breakpoints to decrypt and execute one instruction at a time, then re-encrypt it, preventing the full shellcode from ever being exposed in plaintext. This allows malicious code to run undetected by tools like PE-Sieve and Moneta.
2023-07-01
vuln disclosure
Critical Unauthenticated API Access Vulnerability in Ivanti Endpoint Manager Mobile (CVE-2023-35078)CVE-2023-35078
CVE-2023-35078 is a critical remote unauthenticated API access vulnerability in Ivanti Endpoint Manager Mobile (EPMM, formerly MobileIron Core). It allows attackers to access personally identifiable information and create administrator accounts, leading to further system compromise. The vulnerability has been exploited in the wild, including in a zero-day attack against the Norwegian government, and patches are available.
2023-06-30
research poc
Cobalt Strike Uses Hardware Breakpoint to Bypass AMSICobalt Strike AMSI bypass via hardware breakpoint
A recent Cobalt Strike campaign uses a hardware breakpoint on the AMSI scan buffer to bypass antimalware scanning. The attack begins with a malicious LNK file that invokes PowerShell to download and execute a script, which sets a hardware breakpoint and registers an exception handler to manipulate AMSI results. This technique allows the final Cobalt Strike payload to execute without detection.
2023-06-28
research poc
Mockingjay Process Injection Technique Evades EDR by Abusing DLLs with Default RWX SectionsMockingjay
Researchers disclosed a new process injection technique named Mockingjay that bypasses EDR detection by leveraging legitimate DLLs that have pre-existing read-write-execute (RWX) memory sections. The method avoids suspicious Windows API calls like memory allocation or permission changes, instead injecting shellcode directly into the RWX section of a vulnerable DLL. This allows execution of malicious code in self-injection or remote process injection scenarios without triggering EDR hooks.
2023-06-27
vuln disclosure
Stormshield Endpoint Security Evolution Agent Insecure Permissions VulnerabilityCVE-2023-35799
A vulnerability in Stormshield Endpoint Security Evolution versions 2.0.0 through 2.3.2 allows an interactive user to leverage the SES Evolution agent to create arbitrary files with local system privileges due to insecure permissions. This could lead to privilege escalation or system compromise on affected endpoints.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →