// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 4, 2023
Signal Brief · Archived

Week of September 4, 2023

2023-09-04 — 2023-09-10 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 4, 2023, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 research pocs, 2 vuln disclosures. Vendors in the record this week: Proofpoint, BMC.

The Week's Public Record

Events

2023-09-08
vuln disclosure
Proofpoint ITM macOS Agent Improper Certificate Validation VulnerabilityCVE-2023-4801
Proofpoint disclosed CVE-2023-4801, an improper certificate validation vulnerability in the Insider Threat Management (ITM) Agent for macOS. An adjacent network attacker could perform a man-in-the-middle attack between the agent and the ITM server after registration. The vulnerability affects versions prior to 7.14.3.69 and has a CVSS score of 7.5 (High).
2023-09-08
research poc
Single-byte kernel memory modification bypasses EDR/AV via PspNotifyEnableMaskPspNotifyEnableMask byte modification
A proof-of-concept demonstrates that modifying a single byte in the kernel's PspNotifyEnableMask can disable core functions of AV/EDR solutions. The technique bypasses PatchGuard and affects endpoint protection by preventing security callbacks. The repository includes C code and references a commercial anti-malware product claiming to defend against this attack.
2023-09-07
research poc
Researcher Bypasses EDR Using Custom Remote Shells, AMSI Obfuscation, and Traffic BlockingEDR Bypass via Custom Tools and Traffic Blocking
During a penetration test, a researcher bypassed a well-known EDR by using custom remote shells to evade pattern-based detection, obfuscating PowerShell to disable AMSI, and blocking EDR cloud communication via firewall/DNS changes. The EDR failed to detect credential gathering, lateral movement, and use of tools like Mimikatz after traffic was blocked.
2023-09-05
vuln disclosure
BMC PATROL Agent Local Privilege Escalation via pconfig CommandCVE-2020-35593
CVE-2020-35593 is a local privilege escalation vulnerability in BMC PATROL Agent through version 20.08.00. A local attacker with low privileges can exploit the pconfig +RESTART -host command to gain elevated privileges, potentially domain admin. The vulnerability has a CVSS score of 7.8 and affects enterprise monitoring deployments.
2023-09-04
research poc
SCMUACBypass: BOF for UAC Bypass via Service Control Manager with KerberosSCMUACBypass
Security researcher rasta-mouse released a Beacon Object File (BOF) that bypasses User Account Control (UAC) by authenticating to the Service Control Manager using Kerberos tickets. The tool is designed for use with Kerberos relay attacks and requires appropriate tickets to be present in the cache. It enables local privilege escalation on Windows endpoints.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →