// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 3, 2023
Signal Brief · Archived

Week of July 3, 2023

2023-07-03 — 2023-07-09 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 3, 2023, ColdRecon logged 4 public endpoint-security events from open-source reporting — 4 research pocs. Vendors in the record this week: Palo Alto Networks, CrowdStrike, Zemana.

The Week's Public Record

Events

2023-07-07
research poc
WFP_EDR: Proof-of-Concept Tool Abuses Windows Filtering Platform to Block EDR Cloud CommunicationsWFP_EDR
A proof-of-concept tool named WFP_EDR was published on GitHub, demonstrating how to abuse the Windows Filtering Platform (WFP) to block endpoint detection and response (EDR) agents from communicating with their cloud backends. The tool requires local administrator privileges and can target specific EDR products like Cortex XDR and Windows Event Forwarding. It highlights a technique that could allow attackers to evade detection by severing the telemetry link between the endpoint and the security vendor.
Palo Alto Networks ↗ github.com (2023-07-07)
2023-07-06
research poc
Research PoC Demonstrates EDR Unhooking Against CrowdStrike Falcon Without VirtualProtectEDR Unhooking via In-Memory Disassembly (Falcon)
A security researcher published a proof-of-concept technique to unhook CrowdStrike Falcon's syscall hooks in ntdll.dll without using VirtualProtect or loading a fresh ntdll.dll. The method follows hook jumps to locate the relocated syscall stub by searching memory for the return address, then patches the hook with a custom jump. This demonstrates a potential evasion method, though the author notes it is highly targeted and fragile.
2023-07-06
research poc
Bypassing Flutter iOS Jailbreak Detection via Frida HookingFlutter Restrictions Bypass
CyberCX published a research article and Frida scripts demonstrating how to bypass jailbreak detection in Flutter iOS apps using the IOSSecuritySuite library. The technique hooks into the runtime to disable detection checks, enabling mobile app security testing. This matters because it provides a reusable method for penetration testers to overcome anti-tampering protections in Flutter-based applications.
2023-07-05
research poc
Recreating the Spyboy Terminator EDR Bypass Using Zemana DriverSpyboy Terminator EDR Bypass
A researcher recreates the Spyboy 'Terminator' EDR bypass tool, which uses a signed vulnerable Zemana Anti-Malware driver (CVE-2021-31728) to gain kernel access and terminate EDR processes. The technique leverages a known BYOVD attack to disable security products. This demonstrates a practical, low-cost method for evading endpoint detection.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →