// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of October 28, 2024
Signal Brief · Archived

Week of October 28, 2024

2024-10-28 — 2024-11-03 · 4 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of October 28, 2024, ColdRecon logged 4 public endpoint-security events from open-source reporting — 3 research pocs, 1 incident. Vendors in the record this week: Palo Alto Networks, Microsoft, Skyhigh Security.

The Week's Public Record

Events

2024-11-03
research poc
Proof-of-Concept Call Stack Spoofing Technique Evades EDR DetectionCall Stack Spoofing via Kernel Callback Exploitation
A proof-of-concept technique demonstrates active call stack spoofing to deceive EDR products by fabricating legitimate call stacks during API calls like NtOpenProcess. The method exploits kernel callbacks that execute in the context of the calling thread, allowing an attacker to mask malicious activity such as credential theft from LSASS. This differs from prior dormant thread spoofing by actively manipulating call stacks for specific TTPs.
2024-11-01
incident
Extortion Actor Tests EDR Bypass Tool Using BYOVD Against Cortex XDREDRSandBlast-based BYOVD bypass tool (disabler.exe)
During an extortion incident investigation, Unit 42 discovered a threat actor testing an AV/EDR bypass tool against Cortex XDR on a rogue virtual system. The tool, based on EDRSandBlast, uses a vulnerable driver to unhook user-mode and kernel-mode callbacks. The actor's testing inadvertently exposed their toolkit and led to identification of the seller on cybercrime forums.
2024-10-30
research poc
Proof-of-Concept Tool Combines Reflective PE Injection with InstallUtil LOLBAS to Bypass AppLocker and EDRApplockerBypassExternalBinary
A publicly released proof-of-concept tool, ApplockerBypassExternalBinary, demonstrates how to bypass AppLocker and EDR hooks by reflectively loading arbitrary binaries using the InstallUtil LOLBAS. The tool is a fork of SharpReflectivePEInjection, modified to integrate InstallUtil for execution, and includes basic antivirus evasion techniques. It was demonstrated with Ligolo-ng but can be adapted to run any binary.
2024-10-29
research poc
PoC Exploit for CVE-2024-0311 Skyhigh Client Proxy BypassCVE-2024-0311
A proof-of-concept exploit demonstrates bypassing Skyhigh Client Proxy policy enforcement via named pipe injection. The PoC injects shellcode into a user-run SCPBypass.exe process to write to the SCPService.exe pipe, circumventing WGUARDNT checks. This allows a malicious insider to disable web filtering without a valid release code.
Skyhigh Security · Trellix ↗ github.com (2024-10-29)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →