// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 2, 2025
Signal Brief · Archived

Week of June 2, 2025

2025-06-02 — 2025-06-08 · 3 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 2, 2025, ColdRecon logged 3 public endpoint-security events from open-source reporting — 3 research pocs. Vendors in the record this week: Microsoft, Any security vendor relying on AMSI.

The Week's Public Record

Events

2025-06-06
research poc
Research PoC Demonstrates AMSI Bypass Using Hardware BreakpointsAMSI bypass via hardware breakpoints
A security researcher published a proof-of-concept technique to bypass the Windows Antimalware Scan Interface (AMSI) by setting hardware breakpoints on the AmsiScanBuffer function. The method manipulates memory to prevent AMSI from scanning malicious content, though it is limited by the number of available hardware breakpoints and may be unstable across platforms. This technique highlights a potential evasion method that could be used to circumvent endpoint detection mechanisms.
2025-06-03
research poc
Researchers Demonstrate AMSI Bypass by Preventing amsi.dll LoadAMSI Pre-Loading Prevention
Security researchers Itay Yashar and Omer Golan published a proof-of-concept technique that prevents the Windows Antimalware Scan Interface (AMSI) DLL from loading into a process, effectively bypassing AMSI-based detection without traditional patching or unhooking. The method leverages Windows process mitigation policies to block amsi.dll loading, achieving stealthy evasion of endpoint security products that rely on AMSI for script and in-memory threat detection.
Microsoft · Any security vendor relying on AMSI ↗ medium.com (2025-06-03) ↗ globetech.biz (2025-06-16)
2025-06-02
research poc
Stealth Syscall Technique Evades ETW and EDR DetectionStealth Syscall Technique
Security researchers document a technique combining encrypted syscall execution, call stack spoofing, hardware breakpoint clearing, and ETW patching to evade EDR and Sysmon. The method dynamically resolves syscall numbers, encrypts stubs with XOR, and patches NtTraceEvent to disable logging. This represents an evolution in adversary evasion capabilities.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →