// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 17, 2023
Signal Brief · Archived

Week of July 17, 2023

2023-07-17 — 2023-07-23 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 17, 2023, ColdRecon logged 4 public endpoint-security events from open-source reporting — 3 research pocs, 1 vuln disclosure. Vendors in the record this week: Promon, Apache Software Foundation, Microsoft.

The Week's Public Record

Events

2023-07-22
research poc
Proof-of-Concept Bypass of Promon SHIELD Android Application ProtectionPromon-SHIELD-bypass
A security researcher published a proof-of-concept bypass for Promon SHIELD's Android application protection, specifically demonstrating APK signature authentication bypass. The repository analyzes the protector's obfuscation techniques and provides code to circumvent its integrity checks, building on prior 2018 research.
2023-07-20
research poc
EDR Call Stack Evasion via Windows Callback FunctionsCallback Stack Spoofing
A researcher demonstrates a technique to evade EDR call stack analysis by using Windows callback functions to spoof the origin of sensitive API calls. The method makes malicious calls appear to originate from trusted modules like ntdll.dll, reducing detection rates in a proof-of-concept from 45/71 to 6/71 on VirusTotal.
2023-07-19
vuln disclosure
CVE-2023-28754: Apache ShardingSphere-Agent Deserialization RCECVE-2023-28754
A deserialization vulnerability in Apache ShardingSphere-Agent allows remote code execution by crafting a malicious YAML configuration file. The attacker needs permission to modify the agent's YAML config and the target must be able to access a URL hosting a malicious JAR. The vulnerability affects versions through 5.3.2 and is fixed in 5.4.0.
Apache Software Foundation ↗ cve.imfht.com (2023-07-19)
2023-07-19
research poc
AMSI Bypass via AmsiOpenSession and AmsiScanBuffer Patching on Windows 11Amsi_Bypass_In_2023
A proof-of-concept repository demonstrates two methods to bypass the Antimalware Scan Interface (AMSI) on Windows 11 by patching AmsiOpenSession and AmsiScanBuffer functions in memory. The AmsiScanBuffer patch successfully evades detection for Assembly.Load() calls, while the AmsiOpenSession patch does not. This highlights a persistent evasion technique against Microsoft's AMSI.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →