Bypass Record

EDR Unhooking × Palo Alto Networks Cortex XDR

A publicly reported instance of EDR Unhooking bypassing Palo Alto Networks Cortex XDR, recorded with its original source. This is a factual record, not an assessment of any specific deployment.

Product: Palo Alto Networks Cortex XDR
Technique: EDR Unhooking
MITRE ATT&CK: T1562.001
Confidence: Medium
Severity: High
Status: poc
Disclosed: 2025-05-24
Config / version noted: Not stated

Provenance

Reported as

LoaderGate, a C# shellcode loader designed to bypass Palo Alto Cortex XDR

Mechanism

A C# implementation that loads shellcode using a method reported to evade detection by Cortex XDR and Sophos EDR. The cited article does not detail the exact technique; it likely involves process injection or API unhooking to bypass user-mode hooks.

Detection & mitigation

Monitor for suspicious process behavior such as unexpected process injection, memory allocations with RWX permissions, or attempts to unhook user-mode APIs. Ensure EDR signatures and behavioral models are kept up to date so that the specific loader patterns are detected.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.