// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 29, 2024
Signal Brief · Archived

Week of April 29, 2024

2024-04-29 — 2024-05-05 · 7 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 29, 2024, ColdRecon logged 7 public endpoint-security events from open-source reporting — 4 vuln disclosures, 3 research pocs. Vendors in the record this week: Microsoft, Webroot, Zscaler.

The Week's Public Record

Events

2024-05-04
research poc
Python Proof-of-Concept Patches EtwEventWrite to Bypass ETWETW-Bypass-LtcFlip
A public proof-of-concept repository demonstrates bypassing Event Tracing for Windows (ETW) by patching the EtwEventWrite function in memory. The technique checks for hooks on NtProtectVirtualMemory and NtAllocateVirtualMemory, then overwrites EtwEventWrite with patch bytes to suppress telemetry. This matters because ETW is heavily relied upon by EDRs and security tools for visibility.
2024-05-04
research poc
Design Issues in Modern EDRs: Bypassing ETW-Based DetectionETW Bypass
Researchers detail multiple techniques to bypass Event Tracing for Windows (ETW)-based EDR detection, including disabling ETW providers, patching EtwEventWrite in memory, and using direct syscalls to evade hooks. These methods undermine the visibility that many EDR solutions rely on for threat detection.
2024-05-04
research poc
Python-based AMSI bypass using opcode scanning and patchingAMSI Opcode Scan Bypass
A proof-of-concept tool demonstrates a lifetime AMSI bypass by locating and patching specific opcode patterns in the AMSI DLL. The technique searches for a sequence of instructions in memory and modifies them to disable AMSI scanning, potentially evading endpoint detection.
2024-05-03
vuln disclosure
AMSI Write Raid Bypass Vulnerability in PowerShellAMSI Write Raid
A vulnerability in PowerShell's System.Management.Automation.dll allows overwriting a writable entry containing the address of AmsiScanBuffer, enabling AMSI bypass without VirtualProtect. Discovered by OffSec trainer Victor Khoury, it affects PowerShell 5.1 and 7.4 on Windows 10/11. Reported to Microsoft on April 8, 2024.
2024-05-01
vuln disclosure
CVE-2023-7241: Privilege Escalation in Webroot Antivirus WRSA.EXECVE-2023-7241
A privilege escalation vulnerability exists in WRSA.EXE, a component of Webroot Antivirus versions 8.0.1X through 9.0.35.12 on 32-bit and 64-bit Windows. The flaw allows malicious software to leverage WRSA.EXE to delete arbitrary and protected files, potentially leading to system compromise.
2024-04-30
vuln disclosure
CVE-2024-23463: Zscaler Client Connector Anti-Tampering Bypass via TOCTOU Race ConditionCVE-2024-23463
CVE-2024-23463 is a TOCTOU race condition in Zscaler Client Connector for Windows that allows low-privileged attackers to bypass anti-tampering protections during the Repair App operation. Successful exploitation could let attackers disable or manipulate the security agent, compromising endpoint integrity. The vulnerability was published in April 2024 and patched in version 4.2.1.
2024-04-30
vuln disclosure
Quest KACE Agent for Windows Unquoted Search Path Vulnerability Allows Local Privilege EscalationCVE-2024-23774
CVE-2024-23774 is an unquoted Windows search path vulnerability in Quest KACE Agent for Windows versions 12.0.38 and 13.1.23.0. It affects the KSchedulerSvc.exe and AMPTools.exe components, allowing local attackers to execute arbitrary code with SYSTEM privileges. This is a local privilege escalation issue in an endpoint management agent.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →