// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of January 15, 2024
Signal Brief · Archived

Week of January 15, 2024

2024-01-15 — 2024-01-21 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of January 15, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 research pocs, 2 incidents. Vendors in the record this week: Microsoft, Sophos, CrowdStrike.

The Week's Public Record

Events

2024-01-21
research poc
AMSI Bypass via Memory Patching of AmsiScanBuffer in 2024AMSI Memory Patch Bypass
A proof-of-concept demonstrates bypassing Microsoft's Anti-Malware Scan Interface (AMSI) by patching the AmsiScanBuffer function in memory to always return AMSI_RESULT_CLEAN. The technique modifies assembly instructions to evade signature-based detection, enabling execution of malicious PowerShell scripts like Mimikatz. This highlights ongoing evasion tactics against endpoint security controls.
2024-01-20
research poc
HEVD Exploit Bypasses KVA Shadow and SMEP via PML4 Entry Manipulation on Windows 10 22H2HEVD ArbitraryWrite PML4 Entry Manipulation
A proof-of-concept exploit for the HackSys Extreme Vulnerable Driver (HEVD) demonstrates bypassing Kernel Virtual Address (KVA) Shadow and Supervisor Mode Execution Prevention (SMEP) on Windows 10 22H2. The exploit uses an arbitrary overwrite vulnerability in HEVD to modify a PML4 entry, enabling kernel-mode code execution from a medium integrity process. This highlights a technique for defeating kernel exploit mitigations when a vulnerable driver is present.
2024-01-20
incident
Midnight Blizzard Compromises Microsoft Corporate Systems via Password Spray and OAuth AbuseMidnight Blizzard Microsoft Corporate Breach 2024
Microsoft detected a nation-state attack on its corporate systems on January 12, 2024, attributed to Russian state-sponsored actor Midnight Blizzard (NOBELIUM). The actor gained initial access via password spray on a legacy non-production test tenant without MFA, then abused OAuth applications to move laterally and access email accounts. This incident highlights risks from legacy accounts and OAuth application misuse in cloud environments.
2024-01-20
incident
Terminator EDR Killer Tool Uses BYOVD to Terminate Security ProcessesTerminator EDR Killer (Spyboy)
A threat actor named Spyboy is selling a tool called Terminator that uses the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate processes of endpoint security products. The tool loads a vulnerable Zemana anti-malware driver to execute code in kernel mode, bypassing user-mode protections. SentinelOne detects known samples, and organizations are advised to review provided indicators of compromise.
Sophos · CrowdStrike ↗ www.sentinelone.com (2024-01-20)
2024-01-19
research poc
Research into Programmatically Disabling Windows Defender Tamper Protection via URI SchemeWindowsDefender-TamperProtection-Bypass-Research
A user on Stack Exchange investigated whether Windows Defender's Tamper Protection can be disabled programmatically using the 'start windowsdefender:' URI scheme, similar to enabling real-time protection. The attempt was unsuccessful, and the discussion highlights that no built-in, documented method exists to disable Tamper Protection from a script without high privileges or third-party tools. This matters because Tamper Protection is a key defense against unauthorized changes to Defender settings by malware or attackers.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →