// UNCLASSIFIED // CLEARED FOR PUBLIC RELEASE //
FILE BRF-01DTG 0600Z
ColdRecon / Brief Archive / Week of November 17, 2025
Signal Brief · Archived

Week of November 17, 2025

2025-11-17 — 2025-11-23 · 5 PUBLIC EVENTS · GENERAL / NON-PERSONALIZED

In the week of November 17, 2025, ColdRecon logged 5 public endpoint-security events from open-source reporting — 3 research pocs, 2 vuln disclosures. Vendors in the record this week: Elastic, Wazuh, SentinelOne.

The Week's Public Record

Events

2025-11-23
research poc
Fairy-Law: Abusing MicrosoftSignedOnly to Disable EDRFairy-Law
A technique named Fairy-Law enables the MicrosoftSignedOnly mitigation policy globally via registry modification, causing Windows to block loading of non-Microsoft-signed DLLs. This prevents many EDR agents from initializing after reboot, as their vendor-signed components are rejected. The method requires administrator privileges and a system restart.
2025-11-21
vuln disclosure
Elastic Endpoint Kernel Driver NULL Pointer Dereference VulnerabilityASHES-2025-001
A vulnerability in the Microsoft-signed elastic-endpoint-driver.sys allows a local attacker to trigger a NULL or invalid pointer dereference in a kernel free routine, causing a Blue Screen of Death (BSOD) and persistent denial of service. The flaw was used as part of a broader attack chain including EDR bypass, low-privilege RCE, and persistence. Elastic has disputed the vulnerability, and no CVE has been assigned.
2025-11-21
vuln disclosure
Wazuh Agent UNC Path Injection Vulnerability Allows NTLM Relay AttacksCVE-2025-30201
A vulnerability in Wazuh Agent versions before 4.13.0 allows authenticated attackers to inject malicious UNC paths into agent configuration settings, forcing NTLM authentication. This can lead to NTLM relay attacks, privilege escalation, and remote code execution. A proof-of-concept exploit is publicly available, and a patch has been released in version 4.13.0.
2025-11-18
research poc
User-Mode QEMU Virtualization Creates EDR Blind SpotQEMU User-Mode EDR Bypass
A researcher demonstrates how running QEMU in user-mode emulation on Windows creates a blind spot for EDRs, as the security tools cannot inspect activity inside the emulated Linux environment. The technique allows undetected execution of tools and techniques within the VM, with only the QEMU process visible to the EDR. This bypass works without admin privileges when using NAT networking and software emulation.
2025-11-17
research poc
SilentButDeadly: WFP-Based Network Blocker Evades EDR and AVSilentButDeadly
A new proof-of-concept tool, SilentButDeadly, uses Windows Filtering Platform (WFP) dynamic sessions to block network communication of EDR and AV processes, neutralizing their cloud-dependent security functions. It requires administrator privileges and targets processes like SentinelOne and Windows Defender, preventing telemetry, updates, and remote management. The technique minimizes forensic artifacts by cleaning up filters on exit.
Every event in this brief is a record in ColdRecon's canonical set, drawn from public open-source reporting and linked to its source. This is the general, non-personalized signal — published 7 days after the fact. The live daily brief, written for your deals, is for cleared officers.

This is last week, public. Get this morning's, written for you.

The live ColdRecon brief lands at 0600 daily — the same signal, filtered to your competitors and framed for your deals. Request clearance and tomorrow's is yours.

Request Clearance →