Disable or Modify Tools × CrowdStrike Falcon

A publicly-reported instance of Disable or Modify Tools bypassing CrowdStrike Falcon, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

CrowdStrike Falcon

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

Critical

Status

unknown

Disclosed

2026-06-25

Config / version noted

Not stated

Provenance

www.rescana.com
disclosed 2026-06-25 · original source · via brave

Reported as

allows a standard user to disable or permanently deactivate enterprise security agents like CrowdStrike EDR

Mechanism

The vulnerability exploits insufficient authorization checks in macOS Endpoint Security framework, allowing a standard user to send a termination signal to security agent processes, disabling them without root privileges.

Detection & mitigation

Monitor for unexpected termination of security agent processes (e.g., falcond, Kandji agent) by non-root users. Enable macOS Endpoint Security framework logging and alert on unauthorized process termination attempts. Apply vendor patches promptly.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point EasyAntiCheat Forcepoint Kandji Kaspersky Malwarebytes Microsoft multiple commercial EDR/AV vendors Palo Alto Palo Alto Networks

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.