// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 1, 2024
Signal Brief · Archived

Week of April 1, 2024

2024-04-01 — 2024-04-07 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 1, 2024, ColdRecon logged 2 public endpoint-security events from open-source reporting — 1 research poc, 1 vuln disclosure. Vendors in the record this week: Microsoft.

The Week's Public Record

Events

2024-04-05
research poc
FuckDse: BYOVD Proof-of-Concept to Bypass PatchGuard and Driver Signature EnforcementFuckDse
A proof-of-concept repository demonstrates using a Bring Your Own Vulnerable Driver (BYOVD) attack to disable Windows Driver Signature Enforcement (DSE) and PatchGuard. The code targets callbacks in SeValidateImageHeader/Data and includes analysis of PatchGuard's debugger detection logic. This technique could allow loading unsigned or malicious kernel drivers.
2024-04-04
vuln disclosure
Intune Management Extension Command Injection Allows WDAC BypassIntune Management Extension WDAC Bypass
A vulnerability in the Microsoft Intune Management Extension allowed a regular user to bypass Windows Defender Application Control (WDAC) by exploiting a command injection in the -PowerShell parameter. This enabled writing files with Managed Installer trust attributes, effectively bypassing WDAC enforcement. The issue was fixed by removing the vulnerable parameter.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →