// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of December 9, 2024
Signal Brief · Archived

Week of December 9, 2024

2024-12-09 — 2024-12-15 · 1 PUBLIC EVENT · GENERAL / NON-PERSONALIZED

In the week of December 9, 2024, ColdRecon logged 1 public endpoint-security event from open-source reporting — 1 research poc.

The Week's Public Record

Events

2024-12-13
research poc
PoC Uses PendingFileRenameOperations and Directory Junctions to Disable EDRFileRenameJunctionsEDRDisable
A proof-of-concept demonstrates using Windows PendingFileRenameOperations registry key combined with directory junctions to bypass anti-tampering and delete EDR binaries on reboot. The technique requires administrator privileges and targets endpoint security products that rely on kernel callbacks to protect their registry keys. This method evades detection by referencing the EDR binary through a junction path not monitored by the security product.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →