// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of July 29, 2024
Signal Brief · Archived

Week of July 29, 2024

2024-07-29 — 2024-08-04 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of July 29, 2024, ColdRecon logged 5 public endpoint-security events from open-source reporting — 4 vuln disclosures, 1 research poc. Vendors in the record this week: Microsoft, Palo Alto Networks, Sophos.

The Week's Public Record

Events

2024-08-02
research poc
RustPatchlessCLRLoader: Patchless AMSI and ETW Bypass for .NET Assembly LoadingRustPatchlessCLRLoader
RustPatchlessCLRLoader is a proof-of-concept tool that loads .NET assemblies while bypassing AMSI and ETW using hardware breakpoints instead of memory patching. It was tested against several EDR products and successfully executed without detection, though behavioral detection may still trigger on malicious actions.
Microsoft · Palo Alto Networks · Sophos · McAfee ↗ github.com (2024-08-02)
2024-08-01
vuln disclosure
CVE-2024-36073: Netwrix CoSoSys Endpoint Protector and Unify Agent Remote Code ExecutionCVE-2024-36073
A remote code execution vulnerability exists in the shadowing component of Netwrix CoSoSys Endpoint Protector (through 5.9.3) and Unify (through 7.0.6) agents. An attacker with administrative access to the management server can overwrite sensitive configuration and execute system commands with SYSTEM/root privileges on a client endpoint. This allows complete compromise of endpoints managed by the affected products.
2024-08-01
vuln disclosure
Bypass of Rockwell Automation ControlLogix Trusted Slot Security FeatureCVE-2024-6242
Team82 discovered a vulnerability (CVE-2024-6242) in Rockwell Automation ControlLogix 1756 devices that allows bypassing the trusted slot security feature. An attacker with network access can use CIP routing to traverse the backplane and send elevated commands to the PLC CPU from an untrusted network card. Rockwell has issued a fix, and CISA published an advisory.
Rockwell Automation ↗ claroty.com (2024-08-01)
2024-07-31
vuln disclosure
ESET Smart Security Premium Privilege Escalation via NTFS Alternate Data Stream JunctionCVE-2024-0353
A local privilege escalation vulnerability (CVE-2024-0353) in ESET Smart Security Premium allows a standard user to delete arbitrary files as SYSTEM by exploiting a time-of-check-to-time-of-use (TOCTOU) race condition in the real-time protection feature. The attack leverages NTFS alternate data streams to keep a directory empty during file scanning, then creates a junction to redirect a delete operation to a protected directory like C:\Config.msi. This technique, introduced by researcher Abdelhamid Naceri, bypasses assumptions about directory emptiness and can potentially affect other security products.
2024-07-30
vuln disclosure
VMware ESXi Authentication Bypass Vulnerability CVE-2024-37085 Actively Exploited by Ransomware GangsCVE-2024-37085
Microsoft disclosed that multiple ransomware gangs are actively exploiting CVE-2024-37085, an authentication bypass vulnerability in VMware ESXi hypervisors. The flaw allows attackers with Active Directory permissions to gain full administrative access to ESXi hosts, leading to ransomware deployment. VMware has released patches and mitigations.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →