Bypass Record
BYOVD (Vulnerable Driver) × Palo Alto Networks Cortex XDR
A publicly reported instance of BYOVD (Vulnerable Driver) bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.
Reported as
used a modified version of the open-source EDRsandblast tool, named disabler.exe, to bypass Cortex XDR via a BYOVD technique
Mechanism
The attacker used a BYOVD (Bring Your Own Vulnerable Driver) technique with a tool derived from EDRsandblast source code. The tool loads a vulnerable driver to disable EDR/AV protections in kernel mode, allowing malicious tools like Mimikatz to run undetected.
Detection & mitigation
Monitor for loading of known vulnerable drivers (e.g., via Sysmon Event ID 6 or driver load events) and correlate with unexpected process behavior or EDR tampering alerts. Mitigate by enforcing driver block rules (e.g., WDAC or vulnerable driver blocklist) and restricting SeLoadDriverPrivilege to authorized users only.
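As an added illustration of the Sysmon-based detection described above (example code written for this record, not taken from the cited source or the EDRsandblast project), the following parses Sysmon Event ID 6 (DriverLoad) records and flags a load that matches a vulnerable-driver hash blocklist, lacks a valid signature, or comes from a user-writable path. The blocklist hash, file paths and event records are constructed placeholders, not real indicators.

```python
# Added example: minimal Sysmon Event ID 6 (DriverLoad) triage for BYOVD.
# All hashes, paths and records below are CONSTRUCTED sample values.
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed placeholder blocklist (SHA256 -> note). A real deployment would
# load this from a maintained vulnerable-driver list instead.
BLOCKLIST_SHA256 = {"c0" * 32: "constructed placeholder: known vulnerable driver"}

USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

def parse_sysmon_event(xml_text):
    """Return (event_id, {DataName: value}) from one Sysmon XML event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def split_hashes(field):
    """Sysmon writes the Hashes field as 'SHA256=...,MD5=...'; return {algo: hex}."""
    pairs = (p.split("=", 1) for p in field.split(",") if "=" in p)
    return {k.strip().upper(): v.strip().lower() for k, v in pairs}

def evaluate_driver_load(xml_text):
    """Findings for an Event ID 6 record: [] if nothing matched, None for other IDs."""
    event_id, data = parse_sysmon_event(xml_text)
    if event_id != 6:
        return None
    findings = []
    sha256 = split_hashes(data.get("Hashes", "")).get("SHA256")
    # Core BYOVD check: a vulnerable driver is usually legitimately signed,
    # so a signature check alone does not catch it; the hash blocklist does.
    if sha256 in BLOCKLIST_SHA256:
        findings.append("blocklisted driver hash")
    if data.get("SignatureStatus", "").lower() != "valid":
        findings.append("signature status not valid")
    if data.get("ImageLoaded", "").lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("loaded from user-writable path")
    return findings

# Constructed sample records for offline use.
_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>6</EventID></System><EventData>"
    '<Data Name="ImageLoaded">{image}</Data><Data Name="Hashes">SHA256={sha}</Data>'
    '<Data Name="Signed">true</Data><Data Name="SignatureStatus">{status}</Data>'
    "</EventData></Event>"
)
SAMPLE_BENIGN = _TEMPLATE.format(image="C:\\Windows\\System32\\drivers\\ok.sys", sha="ab" * 32, status="Valid")
SAMPLE_BYOVD = _TEMPLATE.format(image="C:\\Users\\Public\\drv.sys", sha="c0" * 32, status="Valid")

if __name__ == "__main__":
    for name, rec in (("benign", SAMPLE_BENIGN), ("byovd", SAMPLE_BYOVD)):
        print(name, evaluate_driver_load(rec))
```

Correlating a hit with a subsequent EDR-tampering alert or an unexpected child process, as the note above suggests, is left to the SIEM rule that consumes these findings.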
This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.