// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of March 3, 2025
Signal Brief · Archived

Week of March 3, 2025

2025-03-03 — 2025-03-09 · 6 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of March 3, 2025, ColdRecon logged 6 public endpoint-security events from open-source reporting — 3 research pocs, 2 incidents, 1 vuln disclosure. Vendors in the record this week: CrowdStrike, Rubrik, Microsoft.

The Week's Public Record

Events

2025-03-06
vuln disclosure
CrowdStrike Falcon Sensor Process Suspension Bypass (Sleeping Beauty)Sleeping Beauty
SEC Consult discovered that CrowdStrike Falcon Sensor processes could be suspended by an attacker with SYSTEM privileges, allowing malicious applications to execute undetected. The vulnerability, named 'Sleeping Beauty', was initially dismissed by CrowdStrike as a detection gap but was silently patched by 2025. The bypass enabled tools like winPEAS, Rubeus, and Certipy to run unimpeded until the sensor was resumed.
2025-03-06
incident
Akira ransomware encrypts network shares from compromised webcam to bypass EDRAkira webcam EDR bypass
The Akira ransomware gang used a vulnerable Linux-based webcam to encrypt network shares via SMB after their Windows encryptor was blocked by EDR. The webcam lacked an EDR agent and was not monitored, allowing the attack to succeed. This incident highlights the risk of unmanaged IoT devices on corporate networks.
2025-03-06
research poc
Attackers Use Windows Defender Application Control Policies to Disable EDR AgentsWDAC EDR Disable
Researchers demonstrate a technique where attackers with administrative privileges can leverage Windows Defender Application Control (WDAC) policies to block EDR agents from loading, effectively disabling endpoint detection. This method exploits the fact that WDAC policies can be configured to deny execution of specific binaries, including security software components. The technique highlights a potential blind spot in relying solely on built-in Windows security features for application control.
2025-03-05
research poc
Two EDR Evasion Techniques Tested Against CrowdStrike: Python Shellcode Execution and Go Reverse SSH TunnelPyramid Python EDR Evasion
A red teamer demonstrated two techniques to evade CrowdStrike EDR: using the Pyramid framework to execute Sliver shellcode in Python's memory, and a custom Go binary to establish a reverse SSH tunnel for proxying post-exploitation tools. Both methods leverage trusted, legitimate tools to blend in and avoid detection.
2025-03-04
incident
Rubrik Discloses Unauthorized Access to Logging Server, Rotates Authentication KeysRubrik Logging Server Breach 2025
Rubrik detected unauthorized access to a single logging server on February 22, 2025. The incident was contained to that server with no evidence of customer data or source code compromise. In response, Rubrik rotated authentication keys as a precaution.
2025-03-03
research poc
C++ Tool Patches AMSI in Remote PowerShell Processes to Bypass Malware ScanningAMSIPatching
A publicly released C++ utility named AMSIPatching patches AMSI functions in remote PowerShell processes, causing them to return E_INVALIDARG and effectively disabling AMSI-based malware scanning. The tool requires administrator privileges and works on both 32-bit and 64-bit processes. This demonstrates a specific technique to bypass endpoint security protections that rely on AMSI.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →