// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of October 2, 2023
Signal Brief · Archived

Week of October 2, 2023

2023-10-02 — 2023-10-08 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of October 2, 2023, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, Trellix.

The Week's Public Record

Events

2023-10-08
research poc
Callstack Spoofing and Indirect Syscalls Proof-of-Concept Dropper PublishedCallstackSpoofingPOC
A proof-of-concept self-injecting dropper combining call stack spoofing via Windows thread pooling and indirect syscalls to evade EDR detection was published on GitHub. The technique hides malicious call origins by making them appear as legitimate ntdll activity. This demonstrates a practical method for bypassing userland hooking and call stack analysis used by security products.
2023-10-06
research poc
GuardBypassToolkit Demonstrates Windows Defender Bypass via Manual DLL Loading and EAT HookingGuardBypassToolkit
A proof-of-concept tool called GuardBypassToolkit bypasses Windows Defender by manually loading DLLs, parsing the Export Address Table (EAT), and updating the Import Address Table (IAT) with unhooked functions. It includes an LSASS dumper and in-memory Mimikatz execution, using EAT hooking to redirect AmsiScanBuffer to a custom function that always returns clean.
2023-10-04
vuln disclosure
CVE-2023-3665: Trellix Endpoint Security Code Injection VulnerabilityCVE-2023-3665
CVE-2023-3665 is a code injection vulnerability in Trellix Endpoint Security (ENS) 10.7.0 and earlier. It allows a local attacker to disable the AMSI component via environment variable manipulation, leading to potential denial of service and arbitrary code execution. The vulnerability was published to NVD on 2023-10-04.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →