Bypass Record

Masquerading × Palo Alto Networks Cortex XDR

A publicly-reported instance of Masquerading bypassing Palo Alto Networks Cortex XDR, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Palo Alto Networks Cortex XDR
Technique
Masquerading
MITRE ATT&CK
T1036
Confidence
High
Severity
High
Status
poc
Disclosed
2026-02-25
Config / version noted
Not stated

Provenance

Reported as

Cortex XDR Live Terminal feature can be abused as a command-and-control channel

Mechanism

The Live Terminal feature runs over WebSocket connections and does not sign the commands it carries. An attacker who can intercept the initial WebSocket message on the endpoint can redirect the session to an attacker-controlled server. The server address validation has a logic flaw: it checks the full URL string rather than the parsed hostname, so a crafted URL such as 'attacker.com/test.paloaltonetworks.com' passes because the trusted domain appears in the path, not in the host. The trusted cortex-xdr-payload.exe then executes the attacker's commands, yielding a stealthy C2 channel run by a component the EDR itself trusts.
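The host-validation flaw described above, as an added example that is not code from the cited source or from the vendor. The record only says the check matched the full URL string instead of the hostname, so the flawed validator below models one plausible form of that mistake (a substring match) and is an assumption; the trusted suffix paloaltonetworks.com is likewise assumed for illustration. The hardened version parses the URL and compares only the host component.

```python
from urllib.parse import urlsplit

# Assumed trusted domain for illustration; the record does not state which
# Palo Alto Networks domain(s) the real allow-list contained.
TRUSTED_SUFFIX = "paloaltonetworks.com"


def is_trusted_url_flawed(url: str) -> bool:
    """Models the flaw in the record: the allow-list is matched against the
    whole URL string, so the trusted domain appearing anywhere (path, query,
    userinfo, or as a prefix of another host) satisfies the check.
    Assumed shape of the bug, not the vendor's code."""
    return TRUSTED_SUFFIX in url


def is_trusted_url_hardened(url: str) -> bool:
    """Parse the URL and compare only the host component.

    Requires the secure WebSocket scheme, rejects embedded userinfo
    (``trusted.example@attacker``), and demands an exact match or a
    subdomain of the trusted suffix with a dot boundary, so that
    ``evilpaloaltonetworks.com`` and ``paloaltonetworks.com.attacker.com``
    both fail."""
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 bracket literal
        return False
    if parts.scheme != "wss":
        return False
    if parts.username is not None or parts.password is not None:
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


# Constructed test URLs; the first is the shape quoted in the record.
SAMPLE_URLS = [
    "attacker.com/test.paloaltonetworks.com",
    "wss://attacker.com/test.paloaltonetworks.com",
    "wss://test.paloaltonetworks.com.attacker.com/",
    "wss://test.paloaltonetworks.com@attacker.com/",
    "wss://evilpaloaltonetworks.com/",
    "ws://test.paloaltonetworks.com/ws",
    "wss://test.paloaltonetworks.com/ws",
]


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{u:50} flawed={is_trusted_url_flawed(u)!s:5} "
              f"hardened={is_trusted_url_hardened(u)}")
```

Only the last sample URL should be accepted by the hardened check; every other line is a way of smuggling the trusted string into a URL whose actual host is attacker-controlled, and the flawed check accepts all of them.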

Detection & mitigation

Monitor process-creation events for cortex-xdr-payload.exe whose parent process is anything other than cyserver.exe. Add network detection rules for anomalous WebSocket connections from the agent to domains outside Palo Alto Networks' infrastructure, and enforce TLS inspection on Cortex XDR traffic so that those connections are visible to the rules.
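The two detections above as logic run over constructed events; this is an added example, not code from the cited source. The process names cortex-xdr-payload.exe and cyserver.exe come from the record. The Sysmon-like field names, the install paths, the set of agent processes treated as WebSocket clients, and the paloaltonetworks.com suffix are assumptions made for illustration.

```python
import ntpath

PAYLOAD_IMAGE = "cortex-xdr-payload.exe"   # from the record
EXPECTED_PARENT = "cyserver.exe"            # from the record
TRUSTED_SUFFIX = "paloaltonetworks.com"     # assumed trusted domain
# Assumed: which agent binaries are expected to open WebSocket sessions.
AGENT_PROCESSES = {"cyserver.exe", "cortex-xdr-payload.exe"}

# Constructed process-creation events in a Sysmon-like shape (not real telemetry;
# install paths are assumed).
SAMPLE_PROCESS_EVENTS = [
    {"id": 1,
     "Image": r"C:\Program Files\Palo Alto Networks\Traps\cortex-xdr-payload.exe",
     "ParentImage": r"C:\Program Files\Palo Alto Networks\Traps\cyserver.exe"},
    {"id": 2,
     "Image": r"C:\Program Files\Palo Alto Networks\Traps\cortex-xdr-payload.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"id": 3,
     "Image": r"C:\Users\alice\Downloads\Cortex-XDR-Payload.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 4,
     "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Constructed WebSocket-upgrade records as a TLS-inspecting proxy might emit them.
SAMPLE_WS_CONNECTIONS = [
    {"id": 10, "process": "cyserver.exe", "host": "test.paloaltonetworks.com",
     "upgrade": "websocket"},
    {"id": 11, "process": "cyserver.exe", "host": "attacker.com",
     "upgrade": "websocket"},
    {"id": 12, "process": "cortex-xdr-payload.exe",
     "host": "test.paloaltonetworks.com.attacker.com", "upgrade": "websocket"},
    {"id": 13, "process": "chrome.exe", "host": "example.org",
     "upgrade": "websocket"},
]


def _basename(path: str) -> str:
    """Case-insensitive file name of a Windows path."""
    return ntpath.basename(path).lower()


def flag_payload_launches(events):
    """Return ids of events where cortex-xdr-payload.exe was started by
    anything other than cyserver.exe (rule 1 from the record)."""
    flagged = []
    for ev in events:
        if _basename(ev["Image"]) != PAYLOAD_IMAGE:
            continue
        if _basename(ev["ParentImage"]) != EXPECTED_PARENT:
            flagged.append(ev["id"])
    return flagged


def _host_is_trusted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


def flag_ws_to_untrusted(conns):
    """Return ids of WebSocket upgrades from agent processes to hosts outside
    the trusted suffix (rule 2 from the record). Requires TLS inspection to
    see the Upgrade header and SNI/Host on 443."""
    flagged = []
    for c in conns:
        if c["process"].lower() not in AGENT_PROCESSES:
            continue
        if c.get("upgrade", "").lower() != "websocket":
            continue
        if not _host_is_trusted(c["host"]):
            flagged.append(c["id"])
    return flagged


if __name__ == "__main__":
    print("suspicious payload launches:", flag_payload_launches(SAMPLE_PROCESS_EVENTS))
    print("agent WebSocket to untrusted hosts:", flag_ws_to_untrusted(SAMPLE_WS_CONNECTIONS))
```

The process rule matches on file name only, so a renamed copy of the payload binary slips past it while a renamed unrelated binary triggers it (event 3); in production pair the name match with the image's signer or hash. The network rule deliberately reuses a host-suffix comparison rather than a substring match, since a substring check would itself accept the redirect URL the record describes.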

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.