// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of December 23, 2024
Signal Brief · Archived

Week of December 23, 2024

2024-12-23 — 2024-12-29 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of December 23, 2024, ColdRecon logged 2 public endpoint-security events from open-source reporting — 2 research pocs.

The Week's Public Record

Events

2024-12-25
research poc
Krueger Tool Uses WDAC to Disable EDR Agents on WindowsKrueger
Security researchers released Krueger, a proof-of-concept tool that leverages Windows Defender Application Control (WDAC) to prevent EDR agents from loading at boot. The technique requires administrator privileges and a reboot, deploying a custom WDAC policy that blocks EDR services and drivers. It does not exploit any vulnerability in specific EDR products.
2024-12-23
research poc
Hit-And-Run: Bypass EDRs via VEH and Call Stack TheftHit-And-Run
A proof-of-concept technique named Hit-And-Run demonstrates how to execute system calls while evading EDR detection by combining Vectored Exception Handling (VEH) with call stack theft. The method sets hardware breakpoints to intercept execution and redirects it through a dummy function to create a legitimate-looking call stack, bypassing inline hooking and call stack analysis. This allows attackers to perform syscalls with attacker-defined parameters without triggering EDR alarms.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →