// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of September 16, 2024
Signal Brief · Archived

Week of September 16, 2024

2024-09-16 — 2024-09-22 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of September 16, 2024, ColdRecon logged 3 public endpoint-security events from open-source reporting — 3 research pocs. Vendors in the record this week: Avast, Microsoft Defender for Endpoint, other EDR vendors.

The Week's Public Record

Events

2024-09-21
research poc
Kill-Floor: BYOVD Proof-of-Concept Using Avast Anti-Rootkit Driver to Terminate AV/EDR ProcessesKill-Floor
Kill-Floor is a publicly released proof-of-concept tool that leverages a vulnerable Avast Anti-Rootkit driver (aswarpot.bin) via the Bring Your Own Vulnerable Driver (BYOVD) technique to terminate security product processes. It loads the driver, then continuously scans for and kills processes associated with known AV/EDR vendors. The driver is now heavily signatured, but the code is adaptable to other vulnerable drivers.
2024-09-18
research poc
Windows MiniFilter Altitude Hijacking Can Block EDR Driver LoadingMiniFilter Altitude Hijacking
A researcher demonstrated that a Windows MiniFilter driver can be abused to prevent EDR drivers from loading by hijacking their unique Altitude value. This technique exploits the load order of MiniFilters and the requirement that each Altitude be unique, effectively blinding EDR telemetry by blocking kernel callbacks. The issue affects multiple EDR vendors, though some mitigations have been implemented.
2024-09-17
research poc
Xposed Module Bypasses Protectt.ai Security in Kotak Neo AppProtecttai-Bypass
A proof-of-concept Xposed module demonstrates bypassing the Protectt.ai security solution in the Kotak Neo Android app. The module uses a single hook to evade Protectt.ai's detection mechanisms, which are criticized for high false positives and easy bypassability. The project aims to highlight weaknesses in Protectt.ai to encourage improved security.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →