Disable or Modify Tools × Palo Alto Networks Cortex XDR agent

A publicly-reported instance of Disable or Modify Tools bypassing Palo Alto Networks Cortex XDR agent, recorded with its original source. Factual record; no assessment of any specific deployment.

Product

Palo Alto Networks Cortex XDR agent

Technique

Disable or Modify Tools

MITRE ATT&CK

T1562.001

Confidence

High

Severity

Medium

Status

unknown

Disclosed

2024-10-15

Config / version noted

Not stated

Provenance

feedly.com
disclosed 2024-10-15 · original source · via exa

Reported as

permits a local, low-privileged user to disable the Cortex XDR agent, defeating endpoint detection and response capabilities

Mechanism

Improper check for unusual or exceptional conditions (CWE-754) in the agent's detection mechanism permits a local, low-privileged user to disable the Cortex XDR agent, defeating endpoint detection and response capabilities.

Detection & mitigation

Monitor for unexpected termination or disabling of the Cortex XDR agent service (e.g., via Windows Event ID 7034/7036 for service stops, or process exit events for the agent process). Mitigation: Apply the vendor patch immediately and enforce least privilege to prevent non-admin users from interacting with security services.

Disable or Modify Tools has also been recorded against

Avast Software Carbon Black Check Point CrowdStrike EasyAntiCheat Forcepoint Kaspersky Malwarebytes Microsoft multiple commercial EDR/AV vendors Palo Alto Riot Games

This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.