Bypass Record

Indicator Removal × Palo Alto Networks Cortex XDR Agent

A publicly-reported instance of Indicator Removal bypassing Palo Alto Networks Cortex XDR Agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Palo Alto Networks Cortex XDR Agent
Technique
Indicator Removal
MITRE ATT&CK
T1070
Confidence
High
Severity
Critical
Status
patched
Disclosed
2026-03-17
Config / version noted
Yes

Provenance

Reported as

global whitelist rule that ignores processes with ':\Windows\ccmcache' in command-line arguments, allowing evasion of roughly half of behavioral detections

Mechanism

The Cortex XDR agent stores its BIOC rules encrypted with AES-256-CBC under a static key. Researchers recovered the plaintext rules by locating the content updates, tracing the file reads in cysvc.dll, bypassing the agent's self-protection with kernel debugging, and dumping the decrypted rules from memory. Analysis of those rules uncovered a global whitelist rule that causes the agent to ignore any process whose command-line arguments contain ':\Windows\ccmcache', allowing evasion of roughly half of the behavioral detections.

Detection & mitigation

Monitor for processes whose command-line arguments contain ':\Windows\ccmcache' but that are not legitimate SCCM cache operations (for example, a process that merely mentions the path without running from the SCCM client or its cache). Ensure the Cortex XDR agent and its content updates are current so that the vulnerable whitelist rule is removed.
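The detection note above can be turned into a simple triage check over process-creation events. The following is an added example and not code from the cited source or from Palo Alto Networks: it flags any process whose command line merely mentions ':\Windows\ccmcache' unless the process looks like a genuine SCCM cache operation. What counts as "genuine" is an assumption for illustration (image under the assumed SCCM client directory C:\Windows\CCM\, or under the cache directory with the assumed SCCM client host CcmExec.exe as parent); the sample events are constructed.

```python
import re
from dataclasses import dataclass

# The bypass worked because a process only had to *mention* ':\Windows\ccmcache'
# on its command line to be whitelisted. A defender's check therefore treats that
# substring as interesting unless the process is a plausible SCCM cache operation.
CCMCACHE_MARKER = re.compile(r":\\windows\\ccmcache", re.IGNORECASE)

# Assumed locations/names for legitimate SCCM activity (adjust to your estate).
SCCM_CLIENT_DIR = re.compile(r"^[a-z]:\\windows\\ccm\\", re.IGNORECASE)       # assumed client install dir
SCCM_CACHE_DIR = re.compile(r"^[a-z]:\\windows\\ccmcache\\", re.IGNORECASE)   # content cache dir
SCCM_PARENT_IMAGES = {"ccmexec.exe"}                                          # assumed client host process


@dataclass
class ProcessEvent:
    pid: int
    image: str          # full path of the executed image
    command_line: str
    parent_image: str   # full path of the parent image


def mentions_ccmcache(event: ProcessEvent) -> bool:
    """True if the command line contains the whitelisted marker string."""
    return bool(CCMCACHE_MARKER.search(event.command_line))


def looks_legitimate(event: ProcessEvent) -> bool:
    """Heuristic: the image runs from the SCCM client directory, or from inside the
    cache directory with the SCCM client host as its parent."""
    image = event.image.lower()
    parent_name = event.parent_image.lower().rsplit("\\", 1)[-1]
    if SCCM_CLIENT_DIR.match(image):
        return True
    if SCCM_CACHE_DIR.match(image) and parent_name in SCCM_PARENT_IMAGES:
        return True
    return False


def classify(event: ProcessEvent) -> str:
    """'ignore' when the marker is absent, 'legit-sccm' for plausible cache
    operations, 'suspicious' for anything else that carries the marker."""
    if not mentions_ccmcache(event):
        return "ignore"
    return "legit-sccm" if looks_legitimate(event) else "suspicious"


def triage(events):
    """Return (pid, verdict) for every event that carries the marker."""
    return [(e.pid, classify(e)) for e in events if mentions_ccmcache(e)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Package content executed from the cache by the SCCM client host: plausible.
    ProcessEvent(1001, r"C:\Windows\ccmcache\a1\setup.exe",
                 r'"C:\Windows\ccmcache\a1\setup.exe" /quiet',
                 r"C:\Windows\CCM\CcmExec.exe"),
    # Unrelated binary that merely mentions the cache path in an argument: suspicious.
    ProcessEvent(1002, r"C:\Users\alice\AppData\Local\Temp\tool.exe",
                 r"tool.exe --log C:\Windows\ccmcache\out.txt",
                 r"C:\Windows\explorer.exe"),
    # No marker at all: not in scope for this rule.
    ProcessEvent(1003, r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c whoami",
                 r"C:\Windows\explorer.exe"),
    # Runs from the cache directory but not under the SCCM client host: review.
    ProcessEvent(1004, r"C:\Windows\ccmcache\b2\installer.exe",
                 r'"C:\Windows\ccmcache\b2\installer.exe" /s',
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, verdict in triage(SAMPLE_EVENTS):
        print(pid, verdict)
```

The point of the heuristic is the inversion of the agent's own logic: the marker string is a reason to look harder, not a reason to stop looking. Tune `SCCM_CLIENT_DIR` and `SCCM_PARENT_IMAGES` to the real install path and process names in your environment before relying on the verdicts.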


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.