Bypass Record

Disable or Modify Tools × Trend Micro Apex One

A publicly reported instance of Disable or Modify Tools bypassing Trend Micro Apex One, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Trend Micro Apex One
Technique: Disable or Modify Tools
MITRE ATT&CK: T1562.001
Confidence: High
Severity: Critical
Status: unknown
Disclosed: 2024-07-14
Config / version noted: Not stated

Provenance

Reported as

Two critical vulnerabilities in Trend Micro Apex One allow remote code execution, leading to complete endpoint security bypass.

Mechanism

Remote code execution vulnerabilities in Trend Micro Apex One can be exploited to execute arbitrary code on the endpoint, potentially disabling or bypassing the EDR agent's detection capabilities.

Detection & mitigation

Monitor for unexpected termination or modification of Trend Micro Apex One processes and services using endpoint telemetry (e.g., Sysmon Event ID 1 for process creation, Event ID 5 for process termination). Mitigate by promptly applying vendor patches and enforcing application control to prevent unauthorized execution.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.