// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 6, 2023
Signal Brief · Archived

Week of November 6, 2023

2023-11-06 — 2023-11-12 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 6, 2023, ColdRecon logged 4 public endpoint-security events from open-source reporting — 3 research pocs, 1 vuln disclosure. Vendors in the record this week: Microsoft, STRANGETRINITY, Elastic.

The Week's Public Record

Events

2023-11-11
research poc
Bring Your Own Reputation (BYOR) Technique Bypasses SmartScreen via Reputable ScriptsBYOR
P.I.V.O.T Security researchers demonstrated a technique called Bring Your Own Reputation (BYOR) that abuses Microsoft SmartScreen's reputation-based trust by sideloading unsigned executables through legitimately-reputed script files (.bat, .cmd, .vbs) containing insecure code paths. This bypasses Mark-of-the-Web (MOTW) and SmartScreen warnings without requiring an EV certificate, and Windows Defender remained silent during the proof-of-concept. The technique highlights that file reputation alone is insufficient for detection, and behavioral monitoring of child processes spawned from script files is necessary.
2023-11-10
research poc
Darkside: C# AV/EDR Killer Using BYOVD with Less-Known DriverDarkside
A proof-of-concept tool named Darkside was published on GitHub, demonstrating a Bring Your Own Vulnerable Driver (BYOVD) attack to terminate antivirus and EDR processes. It uses a less-known vulnerable driver (truesight.sys) to achieve kernel-level access and disable security software. This highlights the ongoing risk of BYOVD techniques against endpoint protection.
2023-11-06
research poc
Research Reveals EDR Disarmament via Update Process Logic Flaw and New LOLBinEDR Unshield via LOLBin
Researchers analyzed an EDR's update mechanism and discovered a logic flaw allowing complete disarmament. They found a command 'unshield_from_authorized_process' that disables protections if invoked by a process signed by the vendor. A new LOLBin was also discovered within the EDR's own signed binaries, enabling bypass of self-protection.
2023-11-06
vuln disclosure
Elastic Endpoint Debug Logging Exposes API Keys in ElasticsearchCVE-2023-46668
A vulnerability in Elastic Endpoint versions 7.9.0 through 8.10.3, when debug logging is enabled and logs are collected by Elastic Agent, causes Elastic Agent API keys to be written in plaintext to Elasticsearch. This could allow an attacker with access to those logs to read sensitive endpoint artifacts and write arbitrary data.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →