// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 13, 2023
Signal Brief · Archived

Week of November 13, 2023

2023-11-13 — 2023-11-19 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 13, 2023, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 research pocs, 1 incident. Vendors in the record this week: Microsoft.

The Week's Public Record

Events

2023-11-18
research poc
Process Stomping: Injecting Shellcode into RWX Sections of ExecutablesProcess Stomping
A new code injection technique called Process Stomping is demonstrated, which writes shellcode directly into an existing RWX section of a suspended process to evade detection. The method avoids dynamic memory allocation and VirtualProtect calls, leveraging the RWX permissions of sections like .themida in GlassWire. A proof-of-concept loads a Cobalt Strike Beacon using sRDI without a reflective loader.
2023-11-16
incident
Apache ActiveMQ Exploit Enables Stealthy EDR BypassApache ActiveMQ EDR Bypass
Attackers are exploiting a dangerous vulnerability in Apache ActiveMQ to bypass endpoint detection and response (EDR) systems. The exploit allows malicious activity to go undetected, posing a significant risk to organizations relying on EDR for endpoint security. This incident highlights a novel attack vector that undermines a key security control.
2023-11-16
research poc
Evading Windows Defender with MiniDumpWriteDump, Donut, and Process InjectionMiniDumpWriteDump-Donut-Injection
A researcher demonstrates a technique to evade Windows Defender detection when dumping LSASS credentials. The method combines MiniDumpWriteDump with XOR encryption, Donut shellcode generation with AMSI bypass, and process injection into notepad.exe. Windows Defender failed to detect the final payload or its activity.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →