// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 27, 2023
Signal Brief · Archived

Week of November 27, 2023

2023-11-27 — 2023-12-03 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 27, 2023, ColdRecon logged 2 public endpoint-security events from open-source reporting — 2 research pocs. Vendors in the record this week: Microsoft.

The Week's Public Record

Events

2023-11-30
research poc
AMSI Bypass via Heap-Based VTable Hook Using ROP Gadget on Windows 11AMSI-Context-VTable-Hook
A proof-of-concept demonstrates bypassing the Antimalware Scan Interface (AMSI) on Windows 11 by hooking the AMSI context's virtual method table (VTable) on the heap using a return-oriented programming (ROP) gadget, avoiding code patches. This technique allows execution of malicious scripts or code without triggering AMSI detection.
2023-11-27
research poc
Vectored Exception Handling Technique Bypasses EDR/XDR DetectionVectored Exception Handling Bypass
A research document details how attackers can use vectored exception handlers and hardware breakpoints to intercept and manipulate execution flow, bypassing endpoint detection and response (EDR/XDR) tools. The technique avoids direct memory patching, making it stealthier. Real malware samples employing this method are analyzed, and detection via ETW logging of NtSetContextThread is discussed.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →