// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 25, 2023
Signal Brief · Archived

Week of September 25, 2023

2023-09-25 — 2023-10-01 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 25, 2023, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 research pocs, 2 vuln disclosures. Vendors in the record this week: Hangzhou Shunwang, Microsoft.

The Week's Public Record

Events

2023-10-01
vuln disclosure
CVE-2023-44976: Hangzhou Shunwang Rentdrv2 IOCTL Insufficient Access Control Allows EDR TerminationCVE-2023-44976
CVE-2023-44976 is a vulnerability in Hangzhou Shunwang Rentdrv2 driver before version 2024-12-24. It allows local users to terminate EDR processes via a DeviceIoControl call with control code 0x22E010 due to an exposed IOCTL with insufficient access control. The vulnerability has been exploited in the wild since at least October 2023.
2023-09-29
research poc
EDRSnowblast: Fork of EDRSandblast Adds New EDR Bypass FeaturesEDRSnowblast
EDRSnowblast is a fork of the EDRSandblast tool that adds new features for bypassing EDR detection, including loading unsigned kernel and minifilter drivers, and a 'filter-mute' technique to disrupt communication between EDR user-mode and kernel-mode components. It builds on existing kernel callback removal and userland unhooking methods to evade endpoint security products.
2023-09-28
research poc
Proof-of-Concept Exploits Echo Anti-Cheat Driver to Disable EDR and AntivirusEchoAC-EDR-PoC
A proof-of-concept demonstrates how the Echo Anti-Cheat driver (EchoDrv) can be abused to disable endpoint security products. It patches kernel notify routines and disables ETW for the Windows Threat Provider, effectively blinding EDR and AV. The technique highlights risks from third-party kernel drivers with elevated privileges.
2023-09-27
vuln disclosure
CVE-2022-21894: Secure Boot Security Feature Bypass via truncatememory BCD ElementCVE-2022-21894
A vulnerability in Windows Boot Applications allows an attacker with physical access or administrative privileges to bypass Secure Boot by using the 'truncatememory' BCD element to remove the serialized Secure Boot policy from memory. This enables loading of unsigned or test-signed code, undermining the integrity guarantees of Secure Boot. The issue was patched by Microsoft in January 2022.
2023-09-25
research poc
Universal EDR Bypass via ETW-Ti Logging Disable in Windows 10ETW-Ti Logging Disable
Researchers discovered a method to disable ETW-Ti security event generation for specific processes on Windows 10, allowing malware to evade EDR detection during operations like memory dumping and code injection. The technique leverages undocumented NtSetInformationProcess flags to turn off logging for inter-process memory reads/writes and thread/process suspension. This bypass affects all EDRs relying on ETW-Ti for telemetry.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →