// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of June 9, 2025
Signal Brief · Archived

Week of June 9, 2025

2025-06-09 — 2025-06-15 · 8 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of June 9, 2025, ColdRecon logged 8 public endpoint-security events from open-source reporting — 5 research pocs, 2 incidents, 1 vuln disclosure. Vendors in the record this week: Microsoft, Tenable, CrowdStrike.

The Week's Public Record

Events

2025-06-15
research poc
Open-source tool DefenderControlV2 permanently disables Microsoft Defender on Windows 10/11DefenderControlV2
DefenderControlV2 is an open-source C++ tool that permanently disables Microsoft Defender by gaining TrustedInstaller privileges, stopping services, disabling tamper protection, and modifying registry and WMI settings. It is a fork of defender-control with improved error handling and additional features like removing Defender files and handling WdFilter. The tool is tested on Windows 10 22H2 and Windows 11 24H2.
2025-06-14
research poc
EDRSilencer BOF Ported to Sliver C2 for EDR Telemetry BlockingEDRSilencerBOF-SliverC2
A proof-of-concept adaptation of the EDRSilencer BOF tool has been released for the Sliver C2 framework. It uses Windows Filtering Platform (WFP) to block outbound network traffic from EDR and antivirus processes, preventing telemetry without terminating security software. This enables stealthier post-exploitation and C2 operations.
2025-06-13
research poc
Kernel-Level LSA Protection Bypass Enables LSASS Credential DumpingLSA Protection Bypass via EPROCESS Manipulation
This article details a kernel-level technique to bypass Windows LSA Protection by directly manipulating the EPROCESS structure's Protection field using WinDbg or custom tools, allowing Mimikatz to dump credentials from LSASS. The method requires kernel access and demonstrates that LSA Protection is ineffective against attackers with such privileges. It serves as a proof-of-concept for red teams and highlights detection opportunities for blue teams.
2025-06-13
vuln disclosure
Tenable Agent up to 10.8.4 on Windows allows local privilege escalation via arbitrary file overwriteCVE-2025-36631
A critical vulnerability in Tenable Agent on Windows allows a non-administrative local user to overwrite arbitrary system files with log content at SYSTEM privilege. This can lead to privilege escalation and full system compromise. Upgrading to version 10.8.5 resolves the issue.
2025-06-12
research poc
MoveEDR: PowerShell script to disable EDRs by moving files at boot via PendingFileRenameOperationsMoveEDR
A PowerShell script called MoveEDR was published that leverages the Windows PendingFileRenameOperations registry key to move or delete EDR files before they start, effectively disabling endpoint detection. It requires local administrator privileges and targets multiple EDR products, including CrowdStrike, Elastic, McAfee, Trellix, Trend Micro, and Windows Defender. The technique is a proof-of-concept demonstrating a built-in Windows mechanism to bypass tamper protection.
CrowdStrike · Elastic · McAfee · Trellix · Trend Micro · Microsoft ↗ github.com (2025-06-12)
2025-06-10
research poc
WDAC Policy Used to Disable Microsoft Defender Real-Time MonitoringWDAC-Defender-Bypass
A researcher demonstrated that an attacker with local administrator privileges can use Windows Defender Application Control (WDAC) to create a deny rule for MsMpEng.exe, disabling Microsoft Defender's real-time protection even on Intune-managed endpoints with Defender for Endpoint. This bypass allows execution of tools like Mimikatz without detection.
2025-06-10
incident
Stealth Falcon APT Exploits Windows WebDAV Zero-Day CVE-2025-33053 in Targeted AttackCVE-2025-33053
The Stealth Falcon APT group exploited a zero-day remote code execution vulnerability (CVE-2025-33053) in Windows WebDAV to target a Turkish defense company. The attack used a malicious .url file to manipulate the working directory of a legitimate Windows diagnostic tool, causing it to execute malware from an attacker-controlled WebDAV server. The campaign deployed a custom implant called Horus Agent for reconnaissance and further payload delivery.
2025-06-10
incident
Chinese Cyberespionage Groups Target SentinelOne in ShadowPad and PurpleHaze CampaignsShadowPad and PurpleHaze campaigns targeting SentinelOne
SentinelLABS reported that China-nexus threat actors conducted reconnaissance against SentinelOne's internet-facing servers and compromised a third-party IT logistics firm handling employee hardware. The attackers were unsuccessful in compromising SentinelOne itself. The campaigns, involving ShadowPad and PurpleHaze clusters, targeted over 70 organizations globally using techniques like DLL hijacking, obfuscation, and custom backdoors.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →