// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of February 12, 2024
Signal Brief · Archived

Week of February 12, 2024

2024-02-12 — 2024-02-18 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of February 12, 2024, ColdRecon logged 3 public endpoint-security events from open-source reporting — 2 research pocs, 1 vuln disclosure. Vendors in the record this week: IBM, SentinelOne.

The Week's Public Record

Events

2024-02-17
vuln disclosure
IBM QRadar Suite and Cloud Pak for Security Information Disclosure VulnerabilityCVE-2024-22335
IBM disclosed CVE-2024-22335, a vulnerability in QRadar Suite and Cloud Pak for Security that allows a local user to read sensitive information from log files. The flaw stems from improper handling of log content, potentially exposing sensitive data. Affected versions include QRadar Suite 1.10.12.0 through 1.10.17.0 and Cloud Pak for Security 1.10.0.0 through 1.10.11.0.
2024-02-13
research poc
EDR-Preloading Technique Bypasses User-Mode Hooks by Executing Before EDR DLL LoadsEDR-Preloading
A new technique called EDR-Preloading leverages AppVerifier and ShimEngine callbacks in ntdll.dll to execute malicious code before the EDR's user-mode DLL is loaded, effectively preventing the EDR from hooking functions. This bypasses user-mode detection without relying on direct or indirect syscalls. The method exploits the process initialization order in Windows to preempt EDR injection.
2024-02-12
research poc
SentinelOne EDR Bypass Using .NET Loader with AMSI and ETW HookingSentinelOne .NET Loader Bypass
A researcher demonstrated a proof-of-concept bypass of SentinelOne EDR by using a custom .NET loader to execute Rubeus. The loader employed evasion techniques including AMSI and ETW hooking via hardware breakpoints and AES encryption. This allowed subsequent Kerberos constrained delegation abuse to impersonate a Domain Administrator.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →