// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of December 25, 2023
Signal Brief · Archived

Week of December 25, 2023

2023-12-25 — 2023-12-31 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of December 25, 2023, ColdRecon logged 4 public endpoint-security events from open-source reporting — 3 research pocs, 1 vuln disclosure. Vendors in the record this week: Forescout, Sophos, Carbon Black.

The Week's Public Record

Events

2023-12-29
vuln disclosure
Forescout SecureConnector Privilege Escalation via Arbitrary File DeleteCVE-2024-22795
A vulnerability in Forescout SecureConnector before version 11.3.06.0063 allows a local unprivileged user to delete arbitrary files as SYSTEM. This can be leveraged for local privilege escalation by exploiting a race condition and symbolic link attacks. The issue was reported and patched in version 11.3.7.
2023-12-27
research poc
Novel EDR Bypass Techniques Using Hardware Breakpoints and Intentional ExceptionsHardware Breakpoint EDR Bypass
Researcher Marcus Hutchins published two novel techniques to bypass EDR user-mode hooks without triggering callstack-based detections. The methods use hardware breakpoints and intentional exceptions to manipulate parameters after EDR inspection, demonstrated against Sophos Intercept X process hollowing detection. A proof-of-concept is available on GitHub.
2023-12-26
research poc
Behinder Webshell EDR Bypass via Nashorn Engine and MITM ProxyBehinder-EDR-Bypass
A proof-of-concept tool demonstrates bypassing endpoint detection and response (EDR) to deploy a Behinder webshell on a Java web server. It uses the Nashorn JavaScript engine to execute malicious code passed via HTTP parameters, minimizing static signatures in the JSP file, and employs a mitmproxy script to seamlessly integrate with the Behinder client.
2023-12-26
research poc
EDRSilencer Red Team Tool Abused to Block EDR Communications via WFPEDRSilencer
Trend Micro observed threat actors attempting to use EDRSilencer, a red team tool that leverages Windows Filtering Platform to block outbound network traffic from EDR processes. The tool dynamically identifies running EDR executables and creates persistent WFP filters, preventing telemetry and alert transmission to management consoles. This technique can allow malware to evade detection by silencing endpoint security solutions.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →