Signal Brief · Archived
Week of November 25, 2024
The Week's Public Record
Events
2024-12-01
research poc
Using Windows Name Resolution Policy Table to Block EDR Agent CommunicationNRPT-based EDR Communication Blocking
A research blog post demonstrates a novel method to block EDR agent communication by manipulating the Windows Name Resolution Policy Table (NRPT). By adding NRPT rules that redirect DNS queries for EDR cloud endpoints to localhost, the agent is unable to resolve its required domains, effectively silencing it. The technique requires administrative privileges and is not limited to Microsoft Defender for Endpoint.
2024-12-01
research poc
EDR Command-Line Logging Bypass via WSL2 APIWSL2-EDR-Bypass
A technique was demonstrated to bypass EDR command-line logging by using the WSL2 API to launch Linux commands with redirected stdin, preventing EDR sensors from capturing the actual commands executed. This allows attackers to run arbitrary commands within WSL2 without detection, as only the initial 'sh' process is logged. The method leverages the lack of visibility into virtualized WSL2 environments by Windows EDR sensors.
2024-11-29
vuln disclosure
CVE-2024-11482: Trellix ESM Unauthenticated RCE via Snowservice API Command InjectionCVE-2024-11482
A critical command injection vulnerability (CVE-2024-11482) in Trellix Enterprise Security Manager 11.6.10 allows unauthenticated remote attackers to execute arbitrary commands as root via the internal Snowservice API. The flaw stems from missing authentication and insufficient input sanitization. Exploitation could lead to full compromise of the security management appliance.
2024-11-28
research poc
Cloakk: Stealth AMSI Bypass and Encrypted PowerShell Executor ReleasedCloakk
A new open-source tool named Cloakk demonstrates a stealthy AMSI bypass and fileless PowerShell execution technique. It patches AmsiScanBuffer and AmsiInitialize at runtime using indirect syscalls and executes XOR-encrypted PowerShell payloads in memory. The tool is intended for red team operations and security research.
2024-11-26
research poc
SEGRUN: Userland Unhooking via Exception Handlers to Bypass EDRSEGRUN
A new technique called SEGRUN uses exception handlers to bypass userland EDR hooks by corrupting the EDR DLL's memory permissions, triggering exceptions on trampoline access, and redirecting execution via ROP to skip monitoring code. This allows evasion of endpoint detection without disrupting the target process.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.