// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 17, 2024
Signal Brief · Archived

Week of June 17, 2024

2024-06-17 — 2024-06-23 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 17, 2024, ColdRecon logged 3 public endpoint-security events from open-source reporting — 3 research pocs. Vendors in the record this week: Microsoft, Pearson, LoGiC.NET.

The Week's Public Record

Events

2024-06-22
research poc
GrimResource: Novel MSC File Technique for Initial Access and EvasionGrimResource
Elastic Security Labs discovered a new in-the-wild technique, GrimResource, that uses specially crafted MSC files to execute arbitrary code in Microsoft Management Console (mmc.exe) with minimal warnings. The technique exploits an old XSS vulnerability in apds.dll and combines it with DotNetToJScript to achieve code execution, evading static detection. It was used to deliver Cobalt Strike via a stealthy .NET loader called PASTALOADER.
2024-06-18
research poc
Proof-of-Concept Tool Bypasses Pearson LockDown Browser VM DetectionPearson-VM-Bypass
A proof-of-concept tool named tearson demonstrates DLL injection and API hooking to bypass virtual machine detection and reporting in Pearson LockDown Browser. The tool intercepts GetProcAddress, report_post, and HidCheckVM functions to prevent the security software from detecting VM environments and sending reports. This highlights a weakness in the endpoint security agent's integrity checks.
2024-06-17
research poc
Tool Released to Remove Anti-Tamper Protection from LoGiC.NET 1.5Anti-Tamper-Killer-LoGiC.NET-1.5
A proof-of-concept tool named Anti-Tamper-Killer-LoGiC.NET-1.5 was published on GitHub, designed to strip the anti-tamper protection from LoGiC.NET version 1.5. The tool allows users to drag and drop protected files to remove the anti-tamper mechanism, potentially enabling reverse engineering or modification of .NET applications obfuscated with LoGiC.NET.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →