// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 18, 2024
Signal Brief · Archived

Week of November 18, 2024

2024-11-18 — 2024-11-24 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 18, 2024, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 research pocs, 3 vuln disclosures. Vendors in the record this week: Ivanti, Microsoft, Opsview.

The Week's Public Record

Events

2024-11-24
research poc
Detection Opportunities for EDR Silencer and EDRSandblast Tools Used by Ransomware GroupsEDR Silencer and EDRSandblast
This article details detection strategies for two tools, EDR Silencer and EDRSandblast, which are actively used by ransomware groups to disable or modify endpoint security solutions. EDR Silencer uses Windows Filtering Platform (WFP) to block EDR communications, while EDRSandblast exploits vulnerable drivers to remove kernel callbacks from security products. The research highlights that T1562.001 (Disable or Modify Tools) is the most prevalent technique among top ransomware groups.
2024-11-24
vuln disclosure
Unauthenticated XXE Vulnerability in Ivanti Endpoint ManagerCVE-2024-37397
An unauthenticated XML External Entity (XXE) vulnerability exists in Ivanti Endpoint Manager's ProvisioningWebService. The flaw resides in the ImportXml function, which fails to disable external entity resolution, allowing attackers to read local files, perform SSRF, or cause denial of service. This vulnerability was disclosed via ZDI and analyzed by PwnFuzz.
2024-11-22
research poc
EDR MiniFilter Driver Disabled via Registry Altitude ModificationEDR MiniFilter Altitude Tampering
A technique to disable EDR MiniFilter drivers by modifying their altitude in the registry, preventing kernel call interception after a reboot. Observed in the wild used by Qilin ransomware to evade detection. The method was tested against six EDR products, none of which flagged the registry change.
2024-11-21
research poc
New AMSI Bypass Technique Modifies CLR.DLL String in Memory to Evade Detection of Reflective .NET LoadingCLR.DLL AMSI Bypass via String Modification
A new technique bypasses AMSI by modifying the 'AmsiScanBuffer' string in the .rdata section of CLR.DLL in memory, preventing the runtime from passing reflectively loaded .NET modules to the installed AV. This avoids detection of malicious .NET assemblies loaded via Assembly.Load(byte[]). The method exploits the 'fail open' behavior of the CLR loader when AMSI lookup fails.
2024-11-20
vuln disclosure
Opsview Monitor Agent 6.8 Unauthenticated Remote Command ExecutionCVE-2023-28354
A vulnerability in Opsview Monitor Agent 6.8 allows unauthenticated remote attackers to execute arbitrary commands on Windows systems. The agent runs as Local System and its NRPE handlers are insecurely configured to pass user-supplied arguments into PowerShell without sanitization. This enables command injection via command-line escape sequences.
2024-11-18
vuln disclosure
Trend Micro Deep Security Agent 20 Command Injection VulnerabilityCVE-2024-51503
A command injection vulnerability in Trend Micro Deep Security Agent version 20 allows authenticated attackers with low privileges to escalate privileges and execute arbitrary code. In domain environments, attackers with domain user privileges may remotely inject commands to other machines. The flaw resides in the manual scan command handling.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →