// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of August 5, 2024
Signal Brief · Archived

Week of August 5, 2024

2024-08-05 — 2024-08-11 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of August 5, 2024, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 vuln disclosures, 2 research pocs, 1 incident. Vendors in the record this week: Microsoft, various AV/EDR vendors, Palo Alto Networks.

The Week's Public Record

Events

2024-08-11
research poc
Research: Abusing AV/EDR Exclusions to Evade DetectionAbusing Exclusions To Evade Detection
A security researcher demonstrates how attackers can enumerate and abuse antivirus/EDR exclusion paths, processes, and extensions to bypass detection. The technique leverages built-in exclusion features present in most endpoint security products, creating blind spots that allow malicious activity to go undetected. The research includes a proof-of-concept PowerShell script to enumerate exclusions from Windows Defender operational logs without administrative privileges.
Microsoft · various AV/EDR vendors ↗ dazzyddos.github.io (2024-08-11)
2024-08-07
vuln disclosure
CVE-2024-5909: Palo Alto Cortex XDR Agent Local Privilege Management Vulnerability Allows Agent DisableCVE-2024-5909
A vulnerability in Palo Alto Networks Cortex XDR agent on Windows allows a low-privileged local user to disable the agent. This could be exploited by malware to evade detection and perform malicious activity. Patches are available in versions 7.9.102+, 8.1.2+, and 8.2.1+.
Palo Alto Networks ↗ feedly.com (2024-08-07)
2024-08-07
vuln disclosure
CVE-2024-36131: Ivanti Endpoint Manager Mobile Insecure Deserialization RCECVE-2024-36131
CVE-2024-36131 is an insecure deserialization vulnerability in Ivanti Endpoint Manager Mobile (EPMM) prior to version 12.1.0.1. An authenticated attacker can achieve remote code execution on the underlying OS, leading to full system compromise. The flaw allows crafted serialized objects to execute arbitrary commands.
2024-08-06
vuln disclosure
CVE-2024-23456: Zscaler Client Connector Authentication BypassCVE-2024-23456
CVE-2024-23456 is an authentication bypass vulnerability in Zscaler Client Connector for Windows that allows anti-tampering protection to be disabled without proper signature validation. The flaw, classified under CWE-347, enables remote attackers to circumvent endpoint security controls without authentication or user interaction. Affected versions prior to 4.2.0.190 should be updated to mitigate the risk.
2024-08-06
research poc
Elastic Security Labs Details Bypass Techniques for Windows Smart App Control and SmartScreenSmart App Control Bypass via Reputation Hijacking and Seeding
Elastic Security Labs published research detailing multiple methods to bypass Windows Smart App Control and SmartScreen reputation-based protections. The techniques include signing malware with fraudulently obtained EV certificates, hijacking the reputation of trusted script hosts like Lua and AutoHotkey, and seeding new binaries to gain a benign reputation. These bypasses allow attackers to achieve initial access without triggering security warnings.
2024-08-05
incident
Rhysida Ransomware Deploys New Oyster Backdoor Variant via SEO PoisoningOyster Backdoor (Broomstick) variant via SEO poisoning
In July 2024, Rhysida ransomware group attacked a private school using a new Oyster Backdoor variant distributed through SEO poisoning and malvertising. The backdoor captured administrative credentials, allowing attackers to bypass ThreatDown Endpoint Protection and encrypt VMDK files on VMware hypervisors. The incident highlights the risk of relying solely on endpoint protection without EDR/MDR capabilities.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →