// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of April 14, 2025
Signal Brief · Archived

Week of April 14, 2025

2025-04-14 — 2025-04-20 · 2 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of April 14, 2025, ColdRecon logged 2 public endpoint-security events from open-source reporting — 2 research pocs. Vendors in the record this week: Microsoft, Palo Alto Networks, Sophos.

The Week's Public Record

Events

2025-04-16
research poc
MSIExec Abuse Technique Disables EDR Agents via Forced Repair InterruptionMSIExec Abuse to Disable EDR Agents
A researcher published a proof-of-concept technique that abuses the Microsoft Installer (msiexec) forced repair process to temporarily disable EDR agents. By triggering a repair of the EDR's cached MSI installer and killing msiexec mid-process, the EDR agent is left in a non-functional state, allowing undetected malicious activity. The method targets EDR deployments via Microsoft Endpoint Configuration Manager (MECM) and does not require modifying protected components.
2025-04-15
research poc
PatchedCLRLoader: .NET Assembly Loader with AMSI and ETW Patching BypassPatchedCLRLoader
A proof-of-concept tool named PatchedCLRLoader demonstrates loading .NET assemblies while bypassing AMSI and ETW by patching functions in clr.dll and ntdll.dll. It uses direct syscalls and RC4 encryption to evade detection, and was tested successfully against Cortex XDR, Sophos, MDE, and CrowdStrike. The technique specifically patches AmsiScanBuffer in clr.dll and NtTraceEvent to avoid newer Windows Defender protections.
Microsoft · Palo Alto Networks · Sophos · CrowdStrike ↗ github.com (2025-04-15)
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →