Signal Brief · Archived
Week of October 14, 2024
The Week's Public Record
Events
2024-10-20
research poc
AMSI Bypass via LdrLoadDll Hooking or Hardware BreakpointsAmsiBypass-LdrLoadDll
A proof-of-concept technique bypasses the Antimalware Scan Interface (AMSI) by intercepting the loading of amsi.dll through LdrLoadDll. It uses either hooking or hardware breakpoints to return an 'Access Denied' error, preventing AMSI initialization and thus disabling script content scanning. This matters because AMSI is a key defense against malicious scripts and in-memory threats.
2024-10-15
vuln disclosure
CVE-2024-9469: Palo Alto Cortex XDR Agent Disablement by Unprivileged Windows UserCVE-2024-9469
A vulnerability in the Palo Alto Networks Cortex XDR agent on Windows allows a non-administrative user to disable the agent. This could enable malware to operate undetected by removing endpoint monitoring. A patch is available.
2024-10-15
research poc
Outflank Introduces Early Cascade Injection Process Injection TechniqueEarly Cascade Injection
Outflank researchers published a novel process injection technique called Early Cascade Injection that targets the user-mode part of Windows process creation. It combines elements of Early Bird APC Injection and EDR-Preloading to achieve stealthy code injection while evading top-tier EDRs. The technique intervenes during LdrInitializeThunk execution, avoiding cross-process APCs and minimizing remote process interaction.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.