Index / Disable or Modify Tools / CrowdStrike
Bypass Record

Disable or Modify Tools × CrowdStrike Falcon XDR

A publicly-reported instance of Disable or Modify Tools bypassing CrowdStrike Falcon XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
CrowdStrike Falcon XDR
Technique
Disable or Modify Tools
MITRE ATT&CK
T1562.001
Confidence
Medium
Severity
High
Status
poc
Disclosed
2023-09-13
Config / version noted
Not stated

Provenance

Reported as

Kernel components remain running but lose detection/blocking capabilities in most cases. (except partially in CrowdStrike)

Mechanism

An attacker with low privileges registers a specific ALPC port name (e.g., via a scheduled task at user logon) before the EDR agent starts. When the EDR attempts to register the same port, the initialization fails because the port already exists, causing the user-mode service to crash or enter a non-functional state. This bypasses detection because kernel components lack detection logic (except partially in CrowdStrike).

Detection & mitigation

Monitor for unexpected ALPC port registrations by non-EDR processes, especially those matching known EDR port names, using tools like Sysmon Event ID 7 (Image Loaded) or custom ETW providers. Mitigate by ensuring EDR agents verify port availability before initialization and implement fallback mechanisms, and restrict low-privileged users from creating ALPC ports via security policy.

Disable or Modify Tools has also been recorded against

Avast SoftwareCarbon BlackCheck PointEasyAntiCheatForcepointKasperskyMalwarebytesMicrosoftmultiple commercial EDR/AV vendorsPalo AltoPalo Alto NetworksRiot Games

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.