Disable or Modify Tools × Palo Alto Networks Cortex XDR agent

A publicly-reported instance of Disable or Modify Tools bypassing Palo Alto Networks Cortex XDR agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Palo Alto Networks Cortex XDR agent

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

Medium

Status

poc

Disclosed

2024-08-07

Config / version noted

Not stated

Provenance

feedly.com
disclosed 2024-08-07 · original source · via exa

Reported as

allows a low-privileged local user to disable the agent

Mechanism

Improper privilege management (CWE-269) in the Cortex XDR agent on Windows allows a low-privileged local user to disable the agent, defeating endpoint detection and response capabilities.

Detection & mitigation

Monitor for unexpected termination or disabling of the Cortex XDR agent service (e.g., via Windows Event ID 7034/7036 for service stops) and enforce application control to prevent unauthorized execution of tools that exploit CVE-2024-5909. Apply vendor patches immediately to remediate the vulnerability.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes Microsoft multiple commercial EDR/AV vendors Palo Alto Riot Games

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.